cipherSuite in various .conf files

Explorer

Hi,

We know about the cipherSuite option to set and configure the SSL cipher to be used. But since it can be set in various places, it is not completely clear which config has what effect for a universal forwarder or an indexer with regard to the management port, web port and receiving port.

Regards

0 Karma

SplunkTrust

Hi,

as you already know the cipherSuite option can be set in server.conf, web.conf and inputs.conf. Now each cipherSuite in each .conf file has a different effect. After some testing I will share my results.

All tests were done on a default Splunk setup using an indexer and one universal forwarder. First let's get the SSL ciphers used by Splunk's OpenSSL, like this:

$SPLUNK_HOME/bin/splunk cmd openssl ciphers

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5

So we see Splunk uses as first SSL cipher AES256-GCM-SHA384. Okay, let's verify this...

$SPLUNK_HOME/bin/splunk cmd openssl s_client -connect myIDX:8089 | grep Cipher

depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = support@splunk.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384

Bingo, we get back AES256-GCM-SHA384 as used SSL cipher.

Now we change the used SSL cipher for the Splunk management port 8089; therefore I changed the cipherSuite in server.conf on the indexer to cipherSuite=CAMELLIA256-SHA, restarted Splunk and did the above test again.

$SPLUNK_HOME/bin/splunk cmd openssl s_client -connect myIDX:8089 | grep Cipher
depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = support@splunk.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
New, TLSv1/SSLv3, Cipher is CAMELLIA256-SHA

So I changed the SSL cipher successfully.

I did more testing on web.conf and inputs.conf and here are the effects those changes had:

universal forwarder

  • inputs.conf: has no effect
  • web.conf: has no effect as well (which is no surprise at all 😉 )
  • server.conf: changes the SSL cipher used on Splunk's default management port 8089

indexer

  • inputs.conf: changes the SSL cipher used on Splunk's default splunk-to-splunk receiving port 9997
  • web.conf: changes the SSL cipher used on Splunk's default web port 8000
  • server.conf: changes the SSL cipher used on Splunk's default management port 8089

One result of these tests is that one is able to change/define the cipherSuite used on accepting an SSL connection, but I was unable to set/change the SSL cipher used to open a connection.

hope this helps ...

cheers, MuS
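Added example, not part of the original post or of Splunk's own tooling: a small Python audit that reads the three .conf files, finds every cipherSuite line, names the listener it affects according to the test results above, and flags suites whose names mark them as weak. The sample file bodies, the stanza names other than SSL, and the weak-name list are assumptions made for illustration.

```python
import re

# Listener affected by cipherSuite per role and file, as reported in the answer
# above; None means the setting had no effect in that role.
EFFECT = {
    "indexer": {"server.conf": "management port 8089",
                "web.conf": "web port 8000",
                "inputs.conf": "receiving port 9997"},
    "universal forwarder": {"server.conf": "management port 8089",
                            "web.conf": None, "inputs.conf": None},
}
# Name fragments treated as weak (assumption; adjust to local policy).
WEAK = re.compile(r"(^|-)(RC4|RC2|DES|3DES|EXP|MD5|NULL)(-|$)")
# Constructed sample input; stanza names are assumptions, the parser ignores them.
SAMPLE = {
    "server.conf": "[sslConfig]\ncipherSuite = CAMELLIA256-SHA\n",
    "web.conf": "[settings]\n# comment\ncipherSuite = AES256-GCM-SHA384:!RC4\n",
    "inputs.conf": "[SSL]\ncipherSuite = DES-CBC3-SHA:AES256-SHA\n",
}


def cipher_settings(conf_text):
    """Yield (stanza, value) for every cipherSuite line in a .conf file body."""
    stanza = "default"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep and key.strip() == "cipherSuite":
                yield stanza, value.strip()


def audit(role, confs):
    """Return one finding per cipherSuite setting, given {filename: file body}."""
    findings = []
    for name, text in confs.items():
        for stanza, value in cipher_settings(text):
            # In OpenSSL cipher strings, "!" and "-" prefixes remove suites.
            suites = [t for t in value.split(":") if t and t[0] not in "!-"]
            findings.append({"file": name, "stanza": stanza,
                             "listener": EFFECT[role].get(name),
                             "weak": [s for s in suites if WEAK.search(s)]})
    return findings
```

Calling `audit("indexer", SAMPLE)` reports DES-CBC3-SHA in inputs.conf against the receiving port; the negotiated suite on the live port can then be confirmed with the `openssl s_client` check shown in the answer.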


Engager

After an upgrade to 7.0.4 my search-head did not connect to the older version deployment server (6.4) because it stated "handshake failure" in splunkd.log after restarting.

I did try a lot of different things, but only after adding: cipherSuite = AES256-GCM-SHA384 to the web.conf, the search-head's outbound connection to the deployment server was successful.

It therefore seems that the web.conf configuration controls the outbound connection to the deployment server.

Explorer

It also appears that the server.conf cipherSuite controls HTTP (HEC) inputs as well.

0 Karma

SplunkTrust

Just remember you commented on a post from 2014, where things like HEC were devil's black witchery 😉

cheers, MuS

0 Karma

Even later to the party, and arriving with nothing more to offer than the bleeding obvious: the SSL stanza in inputs.conf changes the SSL cipher used for TCP inputs defined in tcp-ssl stanzas in inputs.conf.

For example, using the OpenSSL (0.9.8zb) s_client command to send a JSON-formatted event to a Splunk tcp-ssl input, without explicitly specifying cipherSuite in the SSL stanza, the connection used AES256-SHA. Specifying the following in the SSL stanza:

cipherSuite = DES-CBC3-SHA

caused the connection to use that cipher suite instead.

0 Karma

Motivator

A year late to the party but ... no way was found to control outbound cipher selection?

0 Karma

SplunkTrust

Better late than never 😉 There is an option in outputs.conf but the docs are a bit confusing:

sslCipher = <string>
* If set, uses the specified cipher string for the input processors.
0 Karma