- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- SSL Versions for tcp-ssl input ignored
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to get Splunk to accept SSLv3 for a special case of tcp-ssl input, and although specifying sslVersions = "ssl3", nmap --script ssl-enum-ciphers localhost -p 9998 always returns TLSv1.2 as the only one accepted... any ideas why is my parameter ignored?
Starting Nmap 7.60 at 2019-03-01 08:53 GMT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000049s latency).
PORT STATE SERVICE
9998/tcp open distinct32
| ssl-enum-ciphers:
| TLSv1.2:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Support for earlier TLS versions than v1.2 requires adding more cipherSuites, so now I have support for all the versions ( it's actually intended for earlier than Splunk 5.x versions compatibility, but get;s me what I want anyway)
[SSL]
rootCA = $SPLUNK_HOME/etc/auth/cacert.pem
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslVersions = tls
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA:AES256-SHA:AES128-SHA
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Support for earlier TLS versions than v1.2 requires adding more cipherSuites, so now I have support for all the versions ( it's actually intended for earlier than Splunk 5.x versions compatibility, but get;s me what I want anyway)
[SSL]
rootCA = $SPLUNK_HOME/etc/auth/cacert.pem
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslVersions = tls
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA:AES256-SHA:AES128-SHA
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Can you please try to connect with openssl command as given below
/opt/splunk/bin/splunk cmd openssl s_client -connect localhost:9998 -ssl3
If it will generate error as given below then it means that it is not accepting traffic on sslv3
CONNECTED(00000003)
140269635843760:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1498:SSL alert number 40
140269635843760:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
