Hi,
as you already know the cipherSuite option can be set in server.conf, web.conf and inputs.conf. Now each cipherSuite in each .conf file has a different effect. After some testing I will share my results.
All test were done on a default Splunk setup using a indexer and one universal forwarder. First lets get the SSL ciphers used by Splunk's openSSL, like this:
$SPLUNK_HOME/bin/splunk cmd openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
So we see Splunk uses as first SSL cipher AES256-GCM-SHA384 . Okay lets verify this...
$SPLUNK_HOME/bin/splunk cmd openssl s_client -connect myIDX:8089 | grep Cipher
depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress =
[email protected]
verify error:num=19:self signed certificate in certificate chain
verify return:0
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Bingo, we get back AES256-GCM-SHA384 as used SSL cipher.
Now we change the used SSL cipher for the Splunk management port 8089, therefore I changed the cipherSuite in server.conf on the indexer to cipherSuite=CAMELLIA256-SHA restarted Splunk and did the above test again.
$SPLUNK_HOME/bin/splunk cmd openssl s_client -connect myIDX:8089 | grep Cipher
depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress =
[email protected]
verify error:num=19:self signed certificate in certificate chain
verify return:0
New, TLSv1/SSLv3, Cipher is CAMELLIA256-SHA
So I changed the SSL cipher successfully.
I did more testing on web.conf and inputs.conf and here is effects those changes had:
universal forwarder
inputs.conf: has no effect
web.conf: has no effect as well (which is no surprise at all 😉 )
server.conf: changes the SSL cipher used on the Splunks default management port 8089
indexer
inputs.conf: changes the SSL cipher used on the Splunks splunk-to-splunk default receiving port 9997
web.conf: changes the SSL cipher used on the Splunks default web port 8000
server.conf: changes the SSL cipher used on the Splunks default management port 8089
One result of this tests is that one is able to change/define the cipherSuite used on accepting a SSL connection, but I was unable to set/change the SSL cipher used to open a connection.
hope this helps ...
cheers, MuS
... View more