Splunk Search

How to remove weak ciphers?

coreyCLI
Path Finder

I am trying to pair down the list of ciphers we are using.  When I remove AES256-GCM-SHA384 I begin to get the below errors on our Search Head Cluster.

 

02-24-2023 16:17:35.187 +0000 WARN SSLCommon [121742 TcpOutEloop] - Received fatal SSL3 alert. ssl_state='SSLv2/v3 read server hello A', alert_description='handshake failure'.


02-24-2023 16:17:35.187 +0000 ERROR TcpOutputFd [121742 TcpOutEloop] - Connection to host=SH_IP_REMOVED:8999 failed. sock_error = 0. SSL Error = error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

 

In server.conf, web.conf, inputs.conf and outputs.conf I have the below ciphers.  Once I remove AES256-GCM-SHA384.  The errors begin.

 

cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:AES256-GCM-SHA384

Labels (1)
0 Karma
1 Solution

coreyCLI
Path Finder

For anyone interested.  My particular issue required me to call out the ecdhCurves specifically.

[replication_port-ssl://8999]
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
ecdhCurves = prime256v1, secp384r1, secp521r1

 

Everything worked once adding the ecdhCurves.

View solution in original post

yuanliu
SplunkTrust
SplunkTrust

When was the last time you updated sslVersions in server.conf, web.conf, inputs.conf and outputs.conf?  Rather, why do you need to set cipherSuite locally in the first place? AES256-GCM-SHA384 is perhaps preferred or required for SSLv2/v3.  But SSLv2 and SSLv3 have been obsolete for very long.  In fact, TLSv1.0 is already deprecated; even TLSv1.1 is deemed inadequate these days.  In 9.x, default for sslVersions is 1.2 only.

If you have a good reason to localize cipherSuite, you need to eliminate SSLv2/v3 from sslVersions as well. (I had a weird situation two years ago where my Puppet server was so old it did not support TLS1.1.  So, I had to enable TLS1.0 in Splunk knowing it was insecure.)  But if you don't have to, just remove sslVersions and cipherSuite from local/ files.  default/ in 9.5 is

sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1

(Read the corresponding files in default/ directory will help.  Also read your version of server.conf, etc.)

coreyCLI
Path Finder

I should have included this in my question but I have the below in server.conf, inputs.conf, outputs.conf and web.conf.  I don't have access to the system today but I am not sure where SSLv2/v3 would come from then?

 

sslVersions = tls1.2
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:AES256-GCM-SHA384

 

Also, we are at version 9.0.3

0 Karma

richgalloway
SplunkTrust
SplunkTrust

It would seem that cypher is needed by Splunk and so shouldn't be removed from the cipherSuite setting.  You may want to submit a support request about this.

---
If this reply helps you, Karma would be appreciated.
0 Karma

coreyCLI
Path Finder

For anyone interested.  My particular issue required me to call out the ecdhCurves specifically.

[replication_port-ssl://8999]
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
ecdhCurves = prime256v1, secp384r1, secp521r1

 

Everything worked once adding the ecdhCurves.

Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...