Solved: Does Splunk App for Stream support decrypting TLS ...

heath · ‎11-26-2014

I'm testing the Splunk App for Stream v6.1.0 with HTTP data and it seems to only support decrypting SSLv3 connections. As soon as I switch the SSLProtocol in Apache from SSLv3 to TLSv1.2 no data is captured. Chrome is throwing warnings for SSLv3 connections so I can't leave Apache set at SSLv3.

mdickey_splunk · ‎12-01-2014

App for Stream does support TLS 1.0, 1.1 and 1.2; however, not all ciphers are supported. In particular, only ciphers using RSA based key exchanges (not ephemeral) are supported. For Apache, you can disable ephemeral ciphers using:

SSLCipherSuite ALL:!ADH:!EDH:!EXP:!NULL

View solution in original post

mdickey_splunk · ‎12-01-2014

App for Stream does support TLS 1.0, 1.1 and 1.2; however, not all ciphers are supported. In particular, only ciphers using RSA based key exchanges (not ephemeral) are supported. For Apache, you can disable ephemeral ciphers using:

SSLCipherSuite ALL:!ADH:!EDH:!EXP:!NULL

heath · ‎12-01-2014

Thanks. I had to update the line to include !ECDH.

SSLProtocol All -SSLv2
SSLCipherSuite ALL:!ADH:!EDH:!EXP:!NULL:!ECDH

Does Splunk App for Stream support decrypting TLS connections?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...