Security

How to allow TLSv1.1 with AES256-SHA in HEC with Splunk 8?

yuanliu (SplunkTrust)

Splunk 8's HEC defaults to TLSv1.2 only.  But I have a need to allow TLSv1.1 with AES256-SHA in order for puppetserver 2.7.0 to connect.

So far, I figured that in order to affect HEC protocols, I must also alter $SPLUNK_HOME/etc/system/local/web.conf. So I changed sslVersion to *, and made sure that AES256-SHA is in cipherSuite. I can verify that TLSv1.1 is allowed when using the openssl command line to connect; the same code in Puppet's splunk_hec reporter is also able to connect via TLSv1.1 when invoked from native Ruby (Ruby 2.0). But I cannot externally examine the exact cipher used, even with Wireshark.

Anyway, even with this setup on Splunk's side, I still get "ssl3_get_client_hello:no shared cipher" when puppetserver tries to connect. The difference is that puppetserver 2.7.0 runs in an outdated JRuby that uses Ruby 1.9. Nevertheless, https://ask.puppet.com/question/33316/puppet-https-connection-using-latest-tls-version-and-cipher-su... states "the only way to get puppet to successfully connect is to enable the AES256-SHA cipher." So, I would expect the combination to be successful.

What other things do I need to change?

1 Solution

yuanliu (SplunkTrust)

Contrary to results from my numerous previous experiments, the final configuration is rather simple (and less compromising than I initially feared): Add AES256-SHA to cipherSuite in $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf.

(In other words, web.conf doesn't affect HEC, after all.  The real problem with puppetserver 2.7.0 is SERVER-2036 which was fixed in Server 5.5.  I'll describe a workaround in the other post about splunk_hec.)

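The accepted answer changes exactly one thing: the cipherSuite list in the splunk_httpinput app's local inputs.conf. The following script is an added example for this thread, not code from the original posts, Splunk or Puppet. It reads the HEC input's current cipherSuite from the app's default inputs.conf, appends AES256-SHA idempotently (kept last, so clients that can do better still negotiate the stronger suites), writes the [http] stanza, and then answers the "I cannot examine the exact cipher used" problem from the question by forcing the legacy combination with openssl s_client and parsing the negotiated protocol and cipher out of its SSL-Session block. Assumptions, all mine: $SPLUNK_HOME defaults to /opt/splunk; the default list lives in $SPLUNK_HOME/etc/apps/splunk_httpinput/default/inputs.conf; the live check only runs when HEC_HOST is set (HEC_PORT defaults to 8088); the sslVersions line is included on the assumption that the client really cannot speak TLSv1.2 (the answer only needed cipherSuite, so drop that line if your client does); and the function names are invented here.

```shell
#!/bin/sh
# Added example for this thread (not Splunk's or Puppet's code).
# Assumptions (labelled): SPLUNK_HOME defaults to /opt/splunk; the HEC input's
# existing cipherSuite is read from the splunk_httpinput app's default
# inputs.conf; HEC_HOST/HEC_PORT are set only when you want the live check.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
HEC_APP="$SPLUNK_HOME/etc/apps/splunk_httpinput"

# Appends one cipher name to a colon-separated OpenSSL list, idempotently,
# and keeps it last so that modern clients still prefer the stronger suites.
append_cipher() {
  list="$1"; cipher="$2"
  [ -n "$list" ] || { printf '%s\n' "$cipher"; return; }
  case ":$list:" in
    *":$cipher:"*) printf '%s\n' "$list" ;;
    *) printf '%s:%s\n' "$list" "$cipher" ;;
  esac
}

# Prints the ciphers in a list that lack forward secrecy (no ECDHE/DHE key
# exchange). AES256-SHA is one of them: RSA key exchange, CBC mode, HMAC-SHA1.
non_pfs_ciphers() {
  printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r c; do
    case "$c" in ECDHE-*|DHE-*) ;; *) printf '%s\n' "$c" ;; esac
  done
}

# Writes the [http] stanza into the given local inputs.conf. cipherSuite is
# what the accepted answer changed; sslVersions is added on the assumption
# that the client truly cannot speak TLSv1.2 (leave it out otherwise).
write_hec_stanza() {
  conf="$1"; ciphers="$2"; versions="${3:-tls1.1, tls1.2}"
  mkdir -p "$(dirname "$conf")"
  printf '[http]\ncipherSuite = %s\nsslVersions = %s\n' "$ciphers" "$versions" > "$conf"
}

# Reads `openssl s_client` output on stdin and prints "<protocol> <cipher>";
# returns 1 when the SSL-Session block shows no negotiated cipher (s_client
# prints "Cipher    : 0000" when the server rejected the handshake).
negotiated() {
  out=$(cat)
  proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
  cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
  if [ -z "$cipher" ] || [ "$cipher" = "0000" ]; then
    printf 'handshake failed: no shared cipher or protocol\n'
    return 1
  fi
  printf '%s %s\n' "$proto" "$cipher"
}

# Live check, run only when HEC_HOST is set: force exactly the legacy
# combination Puppet needs and see what the HEC listener actually negotiates.
if [ -n "${HEC_HOST:-}" ]; then
  default_list=$(sed -n 's/^cipherSuite *= *//p' "$HEC_APP/default/inputs.conf" | head -n 1)
  new_list=$(append_cipher "$default_list" "AES256-SHA")
  write_hec_stanza "$HEC_APP/local/inputs.conf" "$new_list"
  echo "ciphers without forward secrecy now enabled on HEC:"; non_pfs_ciphers "$new_list"
  openssl s_client -connect "$HEC_HOST:${HEC_PORT:-8088}" -tls1_1 -cipher AES256-SHA \
    </dev/null 2>/dev/null | negotiated
fi
```

Usage: `HEC_HOST=splunk.example.internal sh hec_legacy_tls.sh` after a Splunk restart, once from a host with an OpenSSL 1.x client; OpenSSL 3.x refuses TLSv1.1 at its default security level, so `-tls1_1` fails on the client side there no matter what the server allows. Two caveats a practitioner should keep in mind: AES256-SHA (TLS_RSA_WITH_AES_256_CBC_SHA) gives up forward secrecy and uses CBC with a SHA-1 MAC, so scope it to the HEC listener only, keep it last in the list, and remove it again once puppetserver is upgraded past the SERVER-2036 fix the answer mentions.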
