Deployment Server flooded with SSL handshake errors from forwarders. How to configure forwarders to use TLS 1.2

johnpof
Path Finder

We've recently locked down everything to use TLS 1.2 and I think I've fixed just about everything; however, my deployment server is full of SSL3 handshake errors with the forwarders.

How do I set up the forwarders to use TLS1.2 with my deployment server? I'm confused about which file to modify: server.conf? web.conf? Everything looks fine server side - it's just on the forwarder I need to update.

Here is my server.conf file on my deployment server:

sslKeysfile = key.pem
sslKeysfilePassword = xxxxx
sslPassword = xxxxxx

cipherSuite = TLSv1.2:!eNULL:!aNULL
sslVersions = tls1.2,-ssl2, -ssl3
sslVersionsForClient = tls1.2,-ssl2, -ssl3
allowSslCompression = false

mattymo
Splunk Employee

Despite having a web.conf in the splunkUniversalForwarder app, that is for port 8000, so for a UF you won't need to worry there.

Did you set sslVersionsForClient on the forwarders themselves? Or only on the DS?

Your DS will be accepting incoming connections from your forwarders. It will enforce the SSL version using the sslVersions config.

The forwarder is making outbound calls on 8089 and should be using the sslVersionsForClient.

http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Serverconf

sslVersions = <versions_list>
* Comma-separated list of SSL versions to support for incoming connections.
* The versions available are "ssl3", "tls1.0", "tls1.1", and "tls1.2".
* The special version "*" selects all supported versions.  The version "tls"
  selects all versions tls1.0 or newer.
* If a version is prefixed with "-" it is removed from the list.
* SSLv2 is always disabled; "-ssl2" is accepted in the version list but does nothing.
* When configured in FIPS mode, ssl3 is always disabled regardless
  of this configuration.
* Defaults to "*,-ssl2" (anything newer than SSLv2).

sslVersionsForClient = <versions_list>
* Comma-separated list of SSL versions to support for outgoing HTTP connections
  from splunkd.  This includes distributed search, deployment client, etc.
* This is usually less critical, since SSL/TLS will always pick the highest
  version both sides support.  However, this can be used to prohibit making
  connections to remote servers that only support older protocols.
* The syntax is the same as the sslVersions setting above.
* Note that for forwarder connections, there is a separate "sslVersions"
  setting in outputs.conf.  For connections to SAML servers, there is a
  separate "sslVersions" setting in authentication.conf.
* Defaults to "*,-ssl2" (anything newer than SSLv2).

supportSSLV3Only = <bool>
* DEPRECATED.  SSLv2 is now always disabled.  The exact set of SSL versions
  allowed is now configurable via the "sslVersions" setting above.

Maybe push an app for your SSL and cert related stuff to your fwds?

Oh, and be advised, sslVersions came in 6.2, while sslVersionsForClient came in 6.4.

- MattyMo


johnpof
Path Finder

Added these lines to server.conf on my forwarders and that fixed the communication. I think pushing the app would do the same job at scale. Works!

cipherSuite = TLSv1.2:!eNULL:!aNULL
sslVersions = tls1.2,-ssl2, -ssl3
sslVersionsForClient = tls1.2,-ssl2, -ssl3
allowSslCompression = false
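An added example, not code from this thread or from Splunk: a small Python evaluator for the <versions_list> syntax quoted from server.conf above ("*", "tls", "-ssl3", the no-op "-ssl2", FIPS dropping ssl3). It takes the DS's inbound sslVersions and a forwarder's outbound sslVersionsForClient (the thread's values plus the documented default, used here as constructed inputs) and reports which version the two sides can still agree on.

```python
# Added example: evaluate Splunk <versions_list> strings and check that a deployment
# server's inbound sslVersions and a forwarder's outbound sslVersionsForClient still
# share a protocol version. Input strings are constructed from the thread and the docs.
ALL_VERSIONS = ["ssl3", "tls1.0", "tls1.1", "tls1.2"]  # oldest first; index = preference


def effective_versions(versions_list: str, fips: bool = False) -> list:
    """Expand a versions_list such as "*,-ssl2" or "tls1.2,-ssl2, -ssl3" into the enabled set."""
    enabled = []
    for raw in versions_list.split(","):
        token = raw.strip().lower()  # the thread's values carry stray spaces after commas
        if not token:
            continue
        negate = token.startswith("-")
        name = token[1:] if negate else token
        if name == "ssl2":
            continue  # SSLv2 is always disabled; "-ssl2" is accepted but does nothing
        if name == "*":
            members = list(ALL_VERSIONS)
        elif name == "tls":
            members = [v for v in ALL_VERSIONS if v.startswith("tls")]  # tls1.0 or newer
        elif name in ALL_VERSIONS:
            members = [name]
        else:
            raise ValueError(f"unknown version token: {token!r}")
        for v in members:
            if negate:
                enabled = [e for e in enabled if e != v]  # "-x" removes x from the list
            elif v not in enabled:
                enabled.append(v)
    if fips:
        enabled = [v for v in enabled if v != "ssl3"]  # FIPS mode always disables ssl3
    return enabled


def negotiated_version(server_ssl_versions: str, client_ssl_versions_for_client: str):
    """Highest version both sides allow, or None when no handshake can succeed."""
    common = set(effective_versions(server_ssl_versions)) & set(
        effective_versions(client_ssl_versions_for_client)
    )
    return max(common, key=ALL_VERSIONS.index) if common else None


if __name__ == "__main__":
    ds = "tls1.2,-ssl2, -ssl3"            # DS sslVersions from the question
    uf_default = "*,-ssl2"                # documented default sslVersionsForClient
    uf_hardened = "tls1.2,-ssl2, -ssl3"   # the value added on the forwarders
    print("effective DS versions:", effective_versions(ds))
    print("default forwarder -> DS:", negotiated_version(ds, uf_default))
    print("hardened forwarder -> DS:", negotiated_version(ds, uf_hardened))
    print("TLS1.1-only client -> DS:", negotiated_version(ds, "tls1.1"))
```

The evaluator models only the version lists; the real handshake also depends on cipherSuite and on what the forwarder's bundled OpenSSL actually supports, so an empty or unexpected intersection here is a pointer to check, not a diagnosis.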


johnpof
Path Finder

I don't believe I've set sslVersionsForClient anywhere on the forwarders. I have barely touched them in years but made many upgrades/changes on my servers (in this case it's 100% set on my DS).

It does seem like I need to set sslVersionsForClient on the forwarders, but where? server.conf? That's the hard part, as there are so many conf files. Also my error logs are clean on the client side, so it's difficult narrowing it down.
