What would be the most "secure" cipher suite to use with Splunk. By most secure I mean, implements Perfect forward secrecy (DHS or ECDHE), a hashing algorithm that has not been cracked (SHA256+). Another consideration to take in mind is one that works with most browsers (so compatibility would be a factor).
Splunk 6.03 Ships with openssl 1.01g which comes with the following cipher suite (seems like a decent list to me):
$ openssl ciphers -v 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:
DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:
ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:
ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:
DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:
DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:
AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK' |column -t
Has anyone speficied a set/collection of ciphers they allow using web.conf:
[settings]
cipherSuite = TLSv1
Advice, suggestions, context is welcomed.
Hi jhernandez_splunk,
if your concern is about compatibility with most of the browsers, stick with the default settings cipherSuite = HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
.
But if you could say 'hey, we will only support the browsers listed here' then you could switch to TLSv1.1 or even TLSv1.2. To get a list of the support TLSV1.2 ciphers you can use this command:
./bin/splunk cmd openssl ciphers -v "TLSv1.2"
You can find some information and comparison charts over in the TLS wiki as well.
Last but not least, it all depends on your use case and feasibility
hope this helps ...
cheers, MuS
By the way made a post about EC certs which might help with this. Thank you again MuS.
Hi jhernandez_splunk,
if your concern is about compatibility with most of the browsers, stick with the default settings cipherSuite = HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
.
But if you could say 'hey, we will only support the browsers listed here' then you could switch to TLSv1.1 or even TLSv1.2. To get a list of the support TLSV1.2 ciphers you can use this command:
./bin/splunk cmd openssl ciphers -v "TLSv1.2"
You can find some information and comparison charts over in the TLS wiki as well.
Last but not least, it all depends on your use case and feasibility
hope this helps ...
cheers, MuS
Thank you so much that really does help.