How can I see which SSL version (ssl3, tls1.0 or higher) a forwarder is using actually?

Tarek1977
Path Finder

Hello*,

I did not find any solution in the answers section, so I'll ask this question. Is it possible to see which exact SSL version a forwarder is using? I've configured the forwarders with the standard parameters. In splunkd I get the following info (on the indexer side):

INFO TcpInputConfig - SSL supported versions=SSL3,TLS1.0,TLS1.1,TLS1.2
INFO TcpInputConfig - IPv4 port 9997 is reserved for splunk 2 splunk (SSL)
INFO TcpInputConfig - IPv4 port 9997 will negotiate new-s2s protocol

On forwarder side:

INFO TcpOutputProc - Connected to idx=10.xxx.xxx.xx:9997
INFO TcpOutputProc - Group splunk-prod initialized with maxQueueSize=512000 in bytes.
INFO TcpOutputProc - tcpout group splunk-prod using Auto load balanced forwarding
INFO TcpOutputProc - Will forward data belonging to all the indices
INFO TcpOutputProc - found Whitelist forwardedindex.2.whitelist , RE : forwardedindex.2.whitelist
INFO TcpOutputProc - found Blacklist forwardedindex.1.blacklist , RE : forwardedindex.1.blacklist
INFO TcpOutputProc - found Whitelist forwardedindex.0.whitelist , RE : forwardedindex.0.whitelist
INFO TcpOutputProc - Initializing with fwdtype=lwf

Ok, but how do I know if the forwarder sends the data with SSL3 or TLS1.0, for example? Is it possible to find that out without installing Wireshark on the Unix side or something like that? And the same for the management port 8089: how can I see which EXACT SSL version Splunk uses there?

Thank you for your answers. Hopefully. 😉


esix_splunk
Splunk Employee

While you cannot really check the version for the forwarder, you can definitely check the version that the server side listens on and responds to.

Here is a script you can run to test what TLS version your server(s) respond with. Note that this does require the server you are testing to have internet access:

./splunk cmd python -c "import json, urllib2; print json.load(urllib2.urlopen('https://www.howsmyssl.com/a/check'))['tls_version']";

This will respond with the version that Splunk answers with. Note that there are a few different versions Splunk will respond with, so you need to lock this down in your configuration files as mentioned above.

If your server doesn't have internet access, you can also use NMAP:

nmap -sV --script ssl-enum-ciphers -p 443 my.splunk.host

This will return all available cipher suites and associated versions.


bsriramineni_sp
Splunk Employee

I have configured the below SSL versions in the inputs, outputs and server.conf files on the HF and IDX:

sslVersions = tls1.1, tls1.0, -tls1.2

But the below command on the HF and IDX gives the output TLS1.2, which I have restricted Splunk from using for communication.

./splunk cmd python -c "import json, urllib2; print json.load(urllib2.urlopen('https://www.howsmyssl.com/a/check'))['tls_version']";

From my observation, no matter which versions are configured, it simply shows TLS1.2.

The given nmap command just shows the available SSL versions and ciphers:

nmap -sV --script ssl-enum-ciphers -p 443 my.splunk.host

If we configure multiple SSL versions, we won't be able to find out which SSL version is used in the communication.


esix_splunk
Splunk Employee

NMAP is used to validate the cipher suites and TLS versions available, i.e. what the server responds to.

Restricting these can be accomplished through both the outputs.conf and web.conf files - see here: https://docs.splunk.com/Documentation/Splunk/7.0.0/Security/SetyourSSLversion and here: http://docs.splunk.com/Documentation/Splunk/7.0.0/Admin/Webconf

If you adjust these on the server side, you can see the differences in the output from these tools, especially in regards to cipher suites and TLS. Realistically, the outputs.conf on the client should match the web.conf on the server in order to force compliance to a standard protocol and cipher suite. (This will ensure you're compliant at a certain level.) Otherwise there really isn't a way to validate what the connection is using unless you go through the internal logs.


bsriramineni_sp
Splunk Employee

There is no way to identify which SSL version is used in the SSL communication from the Splunk side. However, you can restrict Splunk to a specific SSL version by specifying the allowable SSL versions in the inputs.conf and outputs.conf files.

sslVersions =
* Comma-separated list of SSL versions to support
* The versions available are "ssl3", "tls1.0", "tls1.1", and "tls1.2"
* The special version "*" selects all supported versions. The version "tls" selects all versions tls1.0 or newer
* If a version is prefixed with "-" it is removed from the list
* SSLv2 is always disabled; "-ssl2" is accepted in the version list but does nothing
* When configured in FIPS mode ssl3 is always disabled regardless of this configuration
* The default can vary. See the sslVersions setting in $SPLUNK_HOME/etc/system/default/outputs.conf for the current default.

Please refer to the below links for more details:

https://docs.splunk.com/Documentation/Splunk/7.0.0/Admin/Outputsconf#TCPOUT_ATTRIBUTES----

https://docs.splunk.com/Documentation/Splunk/7.0.0/Security/SetyourSSLversion
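An added example (not code from this thread or from Splunk) that applies the sslVersions rules quoted above: it resolves a configured value into the protocol versions that would actually be enabled, so a value such as the earlier "tls1.1, tls1.0, -tls1.2" can be reviewed before it is deployed to forwarders and indexers. Case-insensitive matching and tolerance of whitespace around the commas are assumptions.

```python
# Added example: resolve a Splunk-style sslVersions value into the set of
# enabled protocol versions, following the rules quoted from outputs.conf.spec.
# Assumptions (not from the spec text): entries are case-insensitive and may be
# surrounded by whitespace; a bare "ssl2" is ignored like "-ssl2".

SUPPORTED = ("ssl3", "tls1.0", "tls1.1", "tls1.2")  # versions the spec lists
TLS_FAMILY = ("tls1.0", "tls1.1", "tls1.2")          # what the alias "tls" expands to


def resolve_ssl_versions(value, fips_mode=False):
    """Return the enabled versions for an sslVersions value, oldest first.

    Entries are processed left to right: a version or alias adds versions,
    a "-" prefix removes them. SSLv2 is always disabled, so ssl2 entries do
    nothing. In FIPS mode ssl3 is dropped regardless of the configuration.
    """
    enabled = set()
    for raw in value.split(","):
        token = raw.strip().lower()
        if not token:
            continue
        remove = token.startswith("-")
        name = token[1:] if remove else token
        if name == "ssl2":
            continue  # always disabled; the entry is accepted but has no effect
        if name == "*":
            versions = set(SUPPORTED)
        elif name == "tls":
            versions = set(TLS_FAMILY)
        elif name in SUPPORTED:
            versions = {name}
        else:
            raise ValueError("unknown sslVersions entry: %r" % raw.strip())
        if remove:
            enabled -= versions
        else:
            enabled |= versions
    if fips_mode:
        enabled.discard("ssl3")
    return sorted(enabled, key=SUPPORTED.index)


def weak_versions(value, fips_mode=False):
    """Return the enabled versions below TLS 1.2, i.e. what a reviewer would flag."""
    return [v for v in resolve_ssl_versions(value, fips_mode) if v != "tls1.2"]


if __name__ == "__main__":
    # The value posted in this thread enables only tls1.0 and tls1.1.
    print(resolve_ssl_versions("tls1.1, tls1.0, -tls1.2"))  # ['tls1.0', 'tls1.1']
    print(resolve_ssl_versions("*", fips_mode=True))        # ['tls1.0', 'tls1.1', 'tls1.2']
    print(weak_versions("tls, -tls1.0, -tls1.1"))           # []
```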

esix_splunk
Splunk Employee

There is a way to test this; see below.
