Verifying TLS 1.2 Cipher suites disabled?

sonicZ · ‎06-04-2022

We have a PCI requirement to disable TLS1.1 or TLS1.0 cipher suites such as

- TLSv1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA

- TLSv1.0 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- TLSv1.0 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
- TLSv1.0 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
- TLSv1.1 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA

- TLSv1.1 TLS_DHE_RSA_WITH_AES_128_CBC_SHA

- TLSv1.1 TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Among others...

I checked a few docs and tested disabling anything less then TLS 1.2 in

sslVersions =  tls1.2

https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/SetyourSSLversion

How can i be sure the above cipher suites are disabled and TLS 1.2 is the only allowed?

from previous posts i read we can use openssl to test via and look for any errors or the full certificate response if its open?
openssl s_client -connect ipaddress:port -tls1_1our currrent server.conf is as follows

Here is our current server.conf

[sslConfig]
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

sonicZ · ‎06-07-2022

I do see this document describes configuration of using TLS 1.2 cipher suites that are marked secure by PCI requirements.
Just looking to understand the ramifications of connectivity if i do change the web.conf and server.conf with the values listed in this link
Would we also have to update our certificates if we use the specific ciphers?
https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/Ciphersuites

Verifying TLS 1.2 Cipher suites disabled?

SSL

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!