Solved: Re: How to remove weak ciphers?

coreyCLI · ‎02-24-2023

I am trying to pair down the list of ciphers we are using. When I remove AES256-GCM-SHA384 I begin to get the below errors on our Search Head Cluster.

02-24-2023 16:17:35.187 +0000 WARN SSLCommon [121742 TcpOutEloop] - Received fatal SSL3 alert. ssl_state='SSLv2/v3 read server hello A', alert_description='handshake failure'.

02-24-2023 16:17:35.187 +0000 ERROR TcpOutputFd [121742 TcpOutEloop] - Connection to host=SH_IP_REMOVED:8999 failed. sock_error = 0. SSL Error = error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

In server.conf, web.conf, inputs.conf and outputs.conf I have the below ciphers. Once I remove AES256-GCM-SHA384. The errors begin.

cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:AES256-GCM-SHA384

coreyCLI · ‎03-21-2023

For anyone interested. My particular issue required me to call out the ecdhCurves specifically.

[replication_port-ssl://8999]
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
ecdhCurves = prime256v1, secp384r1, secp521r1

Everything worked once adding the ecdhCurves.

View solution in original post

yuanliu · ‎02-25-2023

When was the last time you updated sslVersions in server.conf, web.conf, inputs.conf and outputs.conf? Rather, why do you need to set cipherSuite locally in the first place? AES256-GCM-SHA384 is perhaps preferred or required for SSLv2/v3. But SSLv2 and SSLv3 have been obsolete for very long. In fact, TLSv1.0 is already deprecated; even TLSv1.1 is deemed inadequate these days. In 9.x, default for sslVersions is 1.2 only.

If you have a good reason to localize cipherSuite, you need to eliminate SSLv2/v3 from sslVersions as well. (I had a weird situation two years ago where my Puppet server was so old it did not support TLS1.1. So, I had to enable TLS1.0 in Splunk knowing it was insecure.) But if you don't have to, just remove sslVersions and cipherSuite from local/ files. default/ in 9.5 is

sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1

(Read the corresponding files in default/ directory will help. Also read your version of server.conf, etc.)

coreyCLI · ‎02-27-2023

I should have included this in my question but I have the below in server.conf, inputs.conf, outputs.conf and web.conf. I don't have access to the system today but I am not sure where SSLv2/v3 would come from then?

sslVersions = tls1.2
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:AES256-GCM-SHA384

Also, we are at version 9.0.3

richgalloway · ‎02-24-2023

It would seem that cypher is needed by Splunk and so shouldn't be removed from the cipherSuite setting. You may want to submit a support request about this.

---
If this reply helps you, Karma would be appreciated.

coreyCLI · ‎03-21-2023

For anyone interested. My particular issue required me to call out the ecdhCurves specifically.

[replication_port-ssl://8999]
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
ecdhCurves = prime256v1, secp384r1, secp521r1

Everything worked once adding the ecdhCurves.

How to remove weak ciphers?

other

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?