I am trying to pair down the list of ciphers we are using. When I remove AES256-GCM-SHA384 I begin to get the below errors on our Search Head Cluster.
02-24-2023 16:17:35.187 +0000 WARN SSLCommon [121742 TcpOutEloop] - Received fatal SSL3 alert. ssl_state='SSLv2/v3 read server hello A', alert_description='handshake failure'.
02-24-2023 16:17:35.187 +0000 ERROR TcpOutputFd [121742 TcpOutEloop] - Connection to host=SH_IP_REMOVED:8999 failed. sock_error = 0. SSL Error = error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
In server.conf, web.conf, inputs.conf and outputs.conf I have the below ciphers. Once I remove AES256-GCM-SHA384. The errors begin.
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:AES256-GCM-SHA384
For anyone interested. My particular issue required me to call out the ecdhCurves specifically.
[replication_port-ssl://8999]
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
ecdhCurves = prime256v1, secp384r1, secp521r1
Everything worked once adding the ecdhCurves.
When was the last time you updated sslVersions in server.conf, web.conf, inputs.conf and outputs.conf? Rather, why do you need to set cipherSuite locally in the first place? AES256-GCM-SHA384 is perhaps preferred or required for SSLv2/v3. But SSLv2 and SSLv3 have been obsolete for very long. In fact, TLSv1.0 is already deprecated; even TLSv1.1 is deemed inadequate these days. In 9.x, default for sslVersions is 1.2 only.
If you have a good reason to localize cipherSuite, you need to eliminate SSLv2/v3 from sslVersions as well. (I had a weird situation two years ago where my Puppet server was so old it did not support TLS1.1. So, I had to enable TLS1.0 in Splunk knowing it was insecure.) But if you don't have to, just remove sslVersions and cipherSuite from local/ files. default/ in 9.5 is
sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
(Read the corresponding files in default/ directory will help. Also read your version of server.conf, etc.)
I should have included this in my question but I have the below in server.conf, inputs.conf, outputs.conf and web.conf. I don't have access to the system today but I am not sure where SSLv2/v3 would come from then?
sslVersions = tls1.2
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:AES256-GCM-SHA384
Also, we are at version 9.0.3
It would seem that cypher is needed by Splunk and so shouldn't be removed from the cipherSuite setting. You may want to submit a support request about this.
For anyone interested. My particular issue required me to call out the ecdhCurves specifically.
[replication_port-ssl://8999]
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
ecdhCurves = prime256v1, secp384r1, secp521r1
Everything worked once adding the ecdhCurves.