Solved: Most Secure Cipher Collection to Use with Splunk

jhernandez_splu · ‎05-06-2014

What would be the most "secure" cipher suite to use with Splunk. By most secure I mean, implements Perfect forward secrecy (DHS or ECDHE), a hashing algorithm that has not been cracked (SHA256+). Another consideration to take in mind is one that works with most browsers (so compatibility would be a factor).

Splunk 6.03 Ships with openssl 1.01g which comes with the following cipher suite (seems like a decent list to me):

$ openssl ciphers -v 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:
DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:
ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:
ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:
DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:
DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:
AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK' |column -t

Has anyone speficied a set/collection of ciphers they allow using web.conf:

[settings]
cipherSuite = TLSv1

Advice, suggestions, context is welcomed.

MuS · ‎05-06-2014

Hi jhernandez_splunk,

if your concern is about compatibility with most of the browsers, stick with the default settings cipherSuite = HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK.
But if you could say 'hey, we will only support the browsers listed here' then you could switch to TLSv1.1 or even TLSv1.2. To get a list of the support TLSV1.2 ciphers you can use this command:

 ./bin/splunk cmd openssl ciphers -v "TLSv1.2"

You can find some information and comparison charts over in the TLS wiki as well.

Last but not least, it all depends on your use case and feasibility

hope this helps ...

cheers, MuS

View solution in original post

jhernandez_splu · ‎06-06-2014

By the way made a post about EC certs which might help with this. Thank you again MuS.

MuS · ‎05-06-2014

Hi jhernandez_splunk,

if your concern is about compatibility with most of the browsers, stick with the default settings cipherSuite = HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK.
But if you could say 'hey, we will only support the browsers listed here' then you could switch to TLSv1.1 or even TLSv1.2. To get a list of the support TLSV1.2 ciphers you can use this command:

 ./bin/splunk cmd openssl ciphers -v "TLSv1.2"

You can find some information and comparison charts over in the TLS wiki as well.

Last but not least, it all depends on your use case and feasibility

hope this helps ...

cheers, MuS

jhernandez_splu · ‎05-06-2014

Thank you so much that really does help.

Most Secure Cipher Collection to Use with Splunk

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation