Security

Error in removing insecure TLS cipher suites in indexpeer replication

WurschtHans
Engager

Hi,

I want to remove insecure TLS cipher suites from indexpeer replication.

The default setting in server.conf/[sslConfig] is:

cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256

However, if I remove the insecure ciphers

AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256

from cipherSuite and deploy that configuration to our indexpeers, indexpeer replication won't work anymore.

splunkd.log of one of our indexpeers after the configuration change:

06-09-2020 13:41:08.732 +0200 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv2/v3 read server hello A', alert_description='handshake failure'.
06-09-2020 13:41:08.732 +0200 ERROR TcpOutputFd - Connection to host=10.10.10.10:9101 failed. sock_error = 0. SSL Error = error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
06-09-2020 13:41:08.733 +0200 WARN BucketReplicator - Connection failed

We are using Splunk 8.0.4.

Has anyone succeeded in securing Splunk?

Thanks!

0 Karma

harsmarvania57
SplunkTrust

Are you using the below config for replication of buckets?

[replication_port-ssl://<port>]
* This configuration is the same as the replication_port stanza, but uses SSL.
0 Karma

WurschtHans
Engager

Yes, we are using

[replication_port-ssl://9101]

0 Karma

harsmarvania57
SplunkTrust

Sorry for the late reply. How are you deploying the configuration to the indexers? Have you changed cipherSuite on all indexers and restarted splunk on them? Can you please check the output of the below command on all indexers; is it the same? If yes, then can you please provide the output from any one indexer?

$SPLUNK_HOME/bin/splunk show config server | grep -i cipher

0 Karma

WurschtHans
Engager

We changed cipherSuite on all our indexpeers. The configuration (server.conf) was deployed to the indexpeers directly via Ansible.

Afterwards we issued a cluster restart from the cluster master (splunk rolling-restart cluster-peers).

Here is the output after the restart:

>> /data/splunk/install/splunk/bin/splunk show config server | grep cipher
Your session is invalid.  Please login.
Splunk username: xyyxcvyxcv
Password:
cipherSuite=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
cipherSuite=TLSv1.2+HIGH:@STRENGTH
cipherSuite=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256

0 Karma

harsmarvania57
SplunkTrust

From the output I can see that the below ciphers do not exist on your indexer. Are you still receiving the replication error?

AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256
0 Karma

WurschtHans
Engager

Yes. I suspect that the ciphers used are somehow hardcoded to those insecure versions.

Can you reproduce this error?

0 Karma

harsmarvania57
SplunkTrust

Sorry, I don't have an environment set up with SSL replication on an indexer cluster, so I can't test it.

0 Karma
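Two checks would settle the thread without guessing at hardcoded ciphers. First, server.conf.spec gives the [replication_port-ssl://<port>] stanza its own cipherSuite, sslVersions and ecdhCurves keys, and an unset cipherSuite there falls back to OpenSSL's default rather than to the [sslConfig] value, so the listening side of bucket replication can end up with a different list than the outbound BucketReplicator side that [sslConfig] governs. Compare what btool resolves for the listener on a peer (splunk btool server list replication_port-ssl://9101 --debug) with the [sslConfig] line above; a listener stanza without ecdhCurves is one possible reason the ECDHE suites are never negotiable and only the removed RSA key transport suites were ever in common. Second, reproduce the client side of the failing handshake directly. The script below is an added diagnostic, not code from the posts or from Splunk. Offline, it expands both cipher strings with the local OpenSSL (unknown names are dropped silently, as splunkd's OpenSSL also does), computes the suites a TLS 1.2 handshake could pick, and flags which suites in a string still lack forward secrecy; the "handshake failure" alert in the log is exactly what a server sends when that shared set is empty. Given a host and port (10.10.10.10 and 9101 are taken from the log lines, as an assumption about the target), it offers one suite at a time to the live listener so each alert is tied to a specific suite. Certificate verification is switched off in the probe because only cipher acceptance is under test.

```python
"""Cipher-string diagnostics for a Splunk SSL replication port (added example)."""
import socket
import ssl
import sys
from typing import List

# Cipher strings copied from the thread: the [sslConfig] default and the three
# suites the poster removed. TRIMMED is the default minus those three.
DEFAULT_SSLCONFIG = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:"
    "ECDH-ECDSA-AES128-SHA256:"
    "AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256"
)
REMOVED = "AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256"
TRIMMED = ":".join(
    c for c in DEFAULT_SSLCONFIG.split(":") if c not in REMOVED.split(":")
)


def expand_cipher_string(spec: str) -> List[str]:
    """Expand an OpenSSL cipher string with the local OpenSSL, in preference order.

    Names the local library does not know are dropped silently, exactly as
    OpenSSL does inside splunkd, so the result is what a host can really offer
    (static ECDH-ECDSA-* suites vanish on OpenSSL builds that lack them).
    TLS 1.3 suites are not governed by this string and are filtered out.
    Raises ssl.SSLError if nothing in the string matches.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def key_exchange(name: str) -> str:
    """Key-exchange family of an OpenSSL suite name.

    Only the ephemeral families (ECDHE, DHE) give forward secrecy; ECDH-* is
    static ECDH, and an unprefixed name such as AES256-GCM-SHA384 is RSA key
    transport.
    """
    for family in ("ECDHE", "DHE", "ECDH", "DH"):
        if name.startswith(family + "-"):
            return family
    return "RSA"


def shared_ciphers(client_spec: str, server_spec: str) -> List[str]:
    """Suites a TLS 1.2 handshake between these two strings can pick, in client
    order. An empty list is the 'no shared cipher' condition that the server
    reports to the client as a fatal 'handshake failure' alert."""
    offered = set(expand_cipher_string(server_spec))
    return [c for c in expand_cipher_string(client_spec) if c in offered]


def non_forward_secret(spec: str) -> List[str]:
    """Suites in the string whose key exchange gives no forward secrecy."""
    return [c for c in expand_cipher_string(spec)
            if key_exchange(c) not in ("ECDHE", "DHE")]


def probe_cipher(host: str, port: int, cipher: str, timeout: float = 5.0) -> str:
    """Offer exactly one suite to a live listener, TLS 1.2 only, with certificate
    verification off because only cipher acceptance is being tested.
    Returns the negotiated suite name, or 'FAILED: <reason>'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError) as exc:
        return f"FAILED: {exc}"


if __name__ == "__main__":
    # Offline: a TRIMMED client against a listener that only has the three
    # removed suites agrees on nothing; and TRIMMED still carries static ECDH.
    print("shared, trimmed client vs RSA-only listener:", shared_ciphers(TRIMMED, REMOVED))
    print("still not forward secret in TRIMMED:", non_forward_secret(TRIMMED))
    # Live: python3 probe.py 10.10.10.10 9101  (host/port assumed from the log lines)
    if len(sys.argv) == 3:
        host, port = sys.argv[1], int(sys.argv[2])
        for suite in expand_cipher_string(DEFAULT_SSLCONFIG):
            print(f"{suite:32} {key_exchange(suite):6} {probe_cipher(host, port, suite)}")
```

Read the live results with one caveat: a listener that demands a client certificate also aborts with a handshake failure alert after the cipher has been chosen, so a failure on every suite is not by itself proof of a cipher mismatch, while a success on any suite proves the listener accepts that suite. The forward-secrecy classification is also worth a look before calling the trimmed list secure: the three removed suites are RSA key transport, but the ECDH-ECDSA-* suites kept in the trimmed list are static ECDH and equally lack forward secrecy.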