Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

cipherSuite in various .conf files

lcshared
Explorer
‎05-02-2014 04:49 AM

Hi,

we know about the cipherSuite option to set and configure the SSL cipher to be used. But since it can be set in various places it is not completely clear which config has what effect for an universal forwarder or an indexer in regards of the management port, web port and receiving port.

Regards

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎05-02-2014 04:53 AM

Hi,

as you already know the cipherSuite option can be set in server.conf, web.conf and inputs.conf. Now each cipherSuite in each .conf file has a different effect. After some testing I will share my results.

All test were done on a default Splunk setup using a indexer and one universal forwarder. First lets get the SSL ciphers used by Splunk's openSSL, like this:

$SPLUNK_HOME/bin/splunk cmd openssl ciphers

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5

So we see Splunk uses as first SSL cipher AES256-GCM-SHA384. Okay lets verify this...

$SPLUNK_HOME/bin/splunk cmd openssl s_client -connect myIDX:8089 | grep Cipher

depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = support@splunk.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384

Bingo, we get back AES256-GCM-SHA384 as used SSL cipher.

Now we change the used SSL cipher for the Splunk management port 8089, therefore I changed the cipherSuite in server.conf on the indexer to cipherSuite=CAMELLIA256-SHA restarted Splunk and did the above test again.

$SPLUNK_HOME/bin/splunk cmd openssl s_client -connect myIDX:8089 | grep Cipher
depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = support@splunk.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
New, TLSv1/SSLv3, Cipher is CAMELLIA256-SHA

So I changed the SSL cipher successfully.

I did more testing on web.conf and inputs.conf and here is effects those changes had:

universal forwarder

  • inputs.conf: has no effect
  • web.conf: has no effect as well (which is no surprise at all 😉 )
  • server.conf: changes the SSL cipher used on the Splunks default management port 8089

indexer

  • inputs.conf: changes the SSL cipher used on the Splunks splunk-to-splunk default receiving port 9997
  • web.conf: changes the SSL cipher used on the Splunks default web port 8000
  • server.conf: changes the SSL cipher used on the Splunks default management port 8089

One result of this tests is that one is able to change/define the cipherSuite used on accepting a SSL connection, but I was unable to set/change the SSL cipher used to open a connection.

hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎05-02-2014 04:53 AM

Hi,

as you already know the cipherSuite option can be set in server.conf, web.conf and inputs.conf. Now each cipherSuite in each .conf file has a different effect. After some testing I will share my results.

All test were done on a default Splunk setup using a indexer and one universal forwarder. First lets get the SSL ciphers used by Splunk's openSSL, like this:

$SPLUNK_HOME/bin/splunk cmd openssl ciphers

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5

So we see Splunk uses as first SSL cipher AES256-GCM-SHA384. Okay lets verify this...

$SPLUNK_HOME/bin/splunk cmd openssl s_client -connect myIDX:8089 | grep Cipher

depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = support@splunk.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384

Bingo, we get back AES256-GCM-SHA384 as used SSL cipher.

Now we change the used SSL cipher for the Splunk management port 8089, therefore I changed the cipherSuite in server.conf on the indexer to cipherSuite=CAMELLIA256-SHA restarted Splunk and did the above test again.

$SPLUNK_HOME/bin/splunk cmd openssl s_client -connect myIDX:8089 | grep Cipher
depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = support@splunk.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
New, TLSv1/SSLv3, Cipher is CAMELLIA256-SHA

So I changed the SSL cipher successfully.

I did more testing on web.conf and inputs.conf and here is effects those changes had:

universal forwarder

  • inputs.conf: has no effect
  • web.conf: has no effect as well (which is no surprise at all 😉 )
  • server.conf: changes the SSL cipher used on the Splunks default management port 8089

indexer

  • inputs.conf: changes the SSL cipher used on the Splunks splunk-to-splunk default receiving port 9997
  • web.conf: changes the SSL cipher used on the Splunks default web port 8000
  • server.conf: changes the SSL cipher used on the Splunks default management port 8089

One result of this tests is that one is able to change/define the cipherSuite used on accepting a SSL connection, but I was unable to set/change the SSL cipher used to open a connection.

hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

jnichols914
Explorer
‎07-21-2021 08:55 AM

Thank you for this post. We had an issue with the ciphers occur and didn't have this in-depth knowledge of how all the configuration files worked. This will help us in the future with upgrades.

0 Karma
Reply
Solved! Jump to solution

GVanhees
Engager
‎06-19-2018 11:22 PM

After an upgrade to 7.0.4 my search-head did not connect to the older version deployment server (6.4) because it stated "handshake failure" in splunkd.log after restarting.

I did try a lot of different things, but only after adding: cipherSuite = AES256-GCM-SHA384 to the web.conf, the search-head's outbound connection to the deployment server was successful.

It therefore seems that the web.conf configuration controls the outbound connection to the deployment server.

Reply
Solved! Jump to solution

mhigginson
Explorer
‎06-12-2018 12:47 PM

It also appears that the server.conf cipherSuite controls HTTP (HEC) inputs as well.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎06-14-2018 12:35 AM

Just remember you commented on a post from 2014, where things like HEC were devils black witchery 😉

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

Graham_Hanningt
Builder
‎06-16-2016 11:23 PM

Even later to the party, and arriving with nothing more to offer than the bleeding obvious: the SSL stanza in inputs.conf changes the SSL cipher used for TCP inputs defined in tcp-ssl stanzas in inputs.conf.

For example, using the OpenSSL (0.9.8zb) s_client command to send a JSON-formatted event to a Splunk tcp-ssl input, without explicitly specifying cipherSuite in the SSL stanza, the connection used AES256-SHA. Specifying the following in the SSL stanza:

cipherSuite = DES-CBC3-SHA

caused the connection to use that cipher suite instead.

0 Karma
Reply
Solved! Jump to solution

Lucas_K
Motivator
‎05-10-2015 10:59 PM

A year late to the party but ... no way was found to control outbound cipher selection?

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎11-02-2015 02:18 PM

Better late, than never 😉 There is an option in outputs.conf but the docs are a bit confusing:

sslCipher = <string>
* If set, uses the specified cipher string for the input processors.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...