Verifying TLS 1.2 Cipher suites disabled?

sonicZ · ‎06-04-2022

We have a PCI requirement to disable TLS1.1 or TLS1.0 cipher suites such as

- TLSv1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA

- TLSv1.0 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- TLSv1.0 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
- TLSv1.0 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
- TLSv1.1 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA

- TLSv1.1 TLS_DHE_RSA_WITH_AES_128_CBC_SHA

- TLSv1.1 TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Among others...

I checked a few docs and tested disabling anything less then TLS 1.2 in

sslVersions =  tls1.2

https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/SetyourSSLversion

How can i be sure the above cipher suites are disabled and TLS 1.2 is the only allowed?

from previous posts i read we can use openssl to test via and look for any errors or the full certificate response if its open?
openssl s_client -connect ipaddress:port -tls1_1our currrent server.conf is as follows

Here is our current server.conf

[sslConfig]
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

sonicZ · ‎06-07-2022

I do see this document describes configuration of using TLS 1.2 cipher suites that are marked secure by PCI requirements.
Just looking to understand the ramifications of connectivity if i do change the web.conf and server.conf with the values listed in this link
Would we also have to update our certificates if we use the specific ciphers?
https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/Ciphersuites

Verifying TLS 1.2 Cipher suites disabled?

SSL

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting