Hi,
I want to remove insecure TLS cipher suites from indexpeer replication.
The default setting in server.conf/[sslConfig] is:
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256
However, if I remove the insecure ciphers
AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256
from cipherSuite and deploy that configuration to our indexpeers, indexpeer replication won't work anymore.
splunkd.log of one of our indexpeers after the configuration change:
06-09-2020 13:41:08.732 +0200 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv2/v3 read server hello A', alert_description='handshake failure'.
06-09-2020 13:41:08.732 +0200 ERROR TcpOutputFd - Connection to host=10.10.10.10:9101 failed. sock_error = 0. SSL Error = error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
06-09-2020 13:41:08.733 +0200 WARN BucketReplicator - Connection failed
We are using Splunk 8.0.4.
Has anyone succeeded in securing Splunk?
Thanks!
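An added example (not part of the original post, and not Splunk tooling) that audits the cipherSuite value quoted above: it classifies each suite by key exchange, forward secrecy and AEAD mode, then lists what remains for a given certificate key type once the three suites are removed. It relies only on OpenSSL's naming convention for TLS 1.2 suites; the function names are illustrative.

```python
# Added example: audit an OpenSSL-style cipherSuite value from server.conf [sslConfig].
# DEFAULT and REMOVED are copied from the post; the function names are illustrative.
DEFAULT = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
           "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
           "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
           "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
           "ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:"
           "ECDH-ECDSA-AES128-SHA256:"
           "AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256")
REMOVED = "AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256"

def classify(name):
    """Describe one TLS 1.2 suite name written in OpenSSL notation."""
    parts = name.split("-")
    if parts[0] in ("ECDHE", "DHE"):      # ephemeral key exchange, signed by the cert key
        kx = parts[0]
        cert_key = {"RSA": "RSA", "ECDSA": "EC"}.get(parts[1], parts[1])
    elif parts[0] == "ECDH":              # static ECDH: EC key fixed in the certificate
        kx, cert_key = "ECDH", "EC"
    else:                                 # no prefix: RSA key transport
        kx, cert_key = "RSA", "RSA"
    return {"name": name, "kx": kx, "cert_key": cert_key,
            "forward_secrecy": kx in ("ECDHE", "DHE"),
            "aead": "GCM" in parts or "CHACHA20" in parts}

def remove(cipher_suite, unwanted):
    """Return cipher_suite without the suites named in unwanted, order preserved."""
    drop = set(unwanted.split(":"))
    return ":".join(s for s in cipher_suite.split(":") if s not in drop)

def usable_with(cipher_suite, cert_key):
    """Suites a peer whose certificate holds this key type ('RSA' or 'EC') can serve."""
    return [s for s in cipher_suite.split(":") if classify(s)["cert_key"] == cert_key]

if __name__ == "__main__":
    hardened = remove(DEFAULT, REMOVED)
    kept = set(hardened.split(":"))
    for s in DEFAULT.split(":"):
        c = classify(s)
        print(f"{s:32} kx={c['kx']:6} fs={c['forward_secrecy']!s:6}"
              f"aead={c['aead']!s:6} kept={s in kept}")
    print("RSA-certificate peers can still serve:", usable_with(hardened, "RSA"))
```

If the peers present RSA certificates, the shortened list leaves them only the four ECDHE-RSA suites, so both ends of the replication connection have to be able to negotiate ECDHE.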