Security

cipherSuite in various .conf files

lcshared
Explorer

Hi,

we know about the cipherSuite option to set and configure the SSL cipher to be used. But since it can be set in various places it is not completely clear which config has what effect for an universal forwarder or an indexer in regards of the management port, web port and receiving port.

Regards

Tags (2)
0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi,

as you already know the cipherSuite option can be set in server.conf, web.conf and inputs.conf. Now each cipherSuite in each .conf file has a different effect. After some testing I will share my results.

All test were done on a default Splunk setup using a indexer and one universal forwarder. First lets get the SSL ciphers used by Splunk's openSSL, like this:

$SPLUNK_HOME/bin/splunk cmd openssl ciphers

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5

So we see Splunk uses as first SSL cipher AES256-GCM-SHA384. Okay lets verify this...

$SPLUNK_HOME/bin/splunk cmd openssl s_client -connect myIDX:8089 | grep Cipher

depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = support@splunk.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384

Bingo, we get back AES256-GCM-SHA384 as used SSL cipher.

Now we change the used SSL cipher for the Splunk management port 8089, therefore I changed the cipherSuite in server.conf on the indexer to cipherSuite=CAMELLIA256-SHA restarted Splunk and did the above test again.

$SPLUNK_HOME/bin/splunk cmd openssl s_client -connect myIDX:8089 | grep Cipher
depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = support@splunk.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
New, TLSv1/SSLv3, Cipher is CAMELLIA256-SHA

So I changed the SSL cipher successfully.

I did more testing on web.conf and inputs.conf and here is effects those changes had:

universal forwarder

  • inputs.conf: has no effect
  • web.conf: has no effect as well (which is no surprise at all 😉 )
  • server.conf: changes the SSL cipher used on the Splunks default management port 8089

indexer

  • inputs.conf: changes the SSL cipher used on the Splunks splunk-to-splunk default receiving port 9997
  • web.conf: changes the SSL cipher used on the Splunks default web port 8000
  • server.conf: changes the SSL cipher used on the Splunks default management port 8089

One result of this tests is that one is able to change/define the cipherSuite used on accepting a SSL connection, but I was unable to set/change the SSL cipher used to open a connection.

hope this helps ...

cheers, MuS

View solution in original post

MuS
SplunkTrust
SplunkTrust

Hi,

as you already know the cipherSuite option can be set in server.conf, web.conf and inputs.conf. Now each cipherSuite in each .conf file has a different effect. After some testing I will share my results.

All test were done on a default Splunk setup using a indexer and one universal forwarder. First lets get the SSL ciphers used by Splunk's openSSL, like this:

$SPLUNK_HOME/bin/splunk cmd openssl ciphers

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5

So we see Splunk uses as first SSL cipher AES256-GCM-SHA384. Okay lets verify this...

$SPLUNK_HOME/bin/splunk cmd openssl s_client -connect myIDX:8089 | grep Cipher

depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = support@splunk.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384

Bingo, we get back AES256-GCM-SHA384 as used SSL cipher.

Now we change the used SSL cipher for the Splunk management port 8089, therefore I changed the cipherSuite in server.conf on the indexer to cipherSuite=CAMELLIA256-SHA restarted Splunk and did the above test again.

$SPLUNK_HOME/bin/splunk cmd openssl s_client -connect myIDX:8089 | grep Cipher
depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = support@splunk.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
New, TLSv1/SSLv3, Cipher is CAMELLIA256-SHA

So I changed the SSL cipher successfully.

I did more testing on web.conf and inputs.conf and here is effects those changes had:

universal forwarder

  • inputs.conf: has no effect
  • web.conf: has no effect as well (which is no surprise at all 😉 )
  • server.conf: changes the SSL cipher used on the Splunks default management port 8089

indexer

  • inputs.conf: changes the SSL cipher used on the Splunks splunk-to-splunk default receiving port 9997
  • web.conf: changes the SSL cipher used on the Splunks default web port 8000
  • server.conf: changes the SSL cipher used on the Splunks default management port 8089

One result of this tests is that one is able to change/define the cipherSuite used on accepting a SSL connection, but I was unable to set/change the SSL cipher used to open a connection.

hope this helps ...

cheers, MuS

jnichols914
Explorer

Thank you for this post. We had an issue with the ciphers occur and didn't have this in-depth knowledge of how all the configuration files worked. This will help us in the future with upgrades.

0 Karma

GVanhees
Engager

After an upgrade to 7.0.4 my search-head did not connect to the older version deployment server (6.4) because it stated "handshake failure" in splunkd.log after restarting.

I did try a lot of different things, but only after adding: cipherSuite = AES256-GCM-SHA384 to the web.conf, the search-head's outbound connection to the deployment server was successful.

It therefore seems that the web.conf configuration controls the outbound connection to the deployment server.

mhigginson
Explorer

It also appears that the server.conf cipherSuite controls HTTP (HEC) inputs as well.

0 Karma

MuS
SplunkTrust
SplunkTrust

Just remember you commented on a post from 2014, where things like HEC were devils black witchery 😉

cheers, MuS

0 Karma

Graham_Hanningt
Builder

Even later to the party, and arriving with nothing more to offer than the bleeding obvious: the SSL stanza in inputs.conf changes the SSL cipher used for TCP inputs defined in tcp-ssl stanzas in inputs.conf.

For example, using the OpenSSL (0.9.8zb) s_client command to send a JSON-formatted event to a Splunk tcp-ssl input, without explicitly specifying cipherSuite in the SSL stanza, the connection used AES256-SHA. Specifying the following in the SSL stanza:

cipherSuite = DES-CBC3-SHA

caused the connection to use that cipher suite instead.

0 Karma

Lucas_K
Motivator

A year late to the party but ... no way was found to control outbound cipher selection?

0 Karma

MuS
SplunkTrust
SplunkTrust

Better late, than never 😉 There is an option in outputs.conf but the docs are a bit confusing:

sslCipher = <string>
* If set, uses the specified cipher string for the input processors.
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...