About TLS encryption and cipher suites

Starting in version 10.4.0, Splunk Enterprise supports both Transport Layer Security (TLS) versions 1.2 and 1.3 by default. The default sslVersions setting for Splunk configuration files changes from tls1.2 to tls1.2,tls1.3. TLS 1.3 uses a distinct set of cipher suites that you configure separately from TLS 1.2 cipher suites.

The following sections list the default TLS protocol versions and cipher suites for the most commonly used Splunk configuration files with TLS settings. These defaults apply to Splunk Enterprise version 10.4.0 and higher.

Note: SSLv2 and SSLv3 are always turned off in the Splunk platform. TLS 1.0 and TLS 1.1 are turned off by default in version 10.4.0 and higher of Splunk Enterprise, but you can turn them on again temporarily for legacy system compatibility by setting deprecatedTlsVersionSupport = true in the [sslConfig] stanza of the server.conf configuration file. Turning on deprecatedTlsVersionSupport causes Splunk Enterprise to emit a warning in splunkd.log.

alert_actions.conf

sslVersions = tls1.2,tls1.3
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1

The cipherSuite setting controls TLS 1.2 cipher suites. TLS 1.3 cipher suites are configured in the [tls1.3] stanza of the server.conf configuration file and apply globally across all components on the instance.

inputs.conf

sslVersions = tls1.2,tls1.3
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1

The cipherSuite setting controls TLS 1.2 cipher suites. TLS 1.3 cipher suites are configured in the [tls1.3] stanza of the server.conf configuration file.

outputs.conf

sslVersions = tls1.2,tls1.3
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1

The cipherSuite setting controls TLS 1.2 cipher suites. TLS 1.3 cipher suites are configured in the [tls1.3] stanza of the server.conf configuration file. The useClientSSLCompression setting has no effect for TLS 1.3 connections because TLS 1.3 does not support SSL compression.

server.conf

[sslConfig]
sslVersions = tls1.2,tls1.3
sslVersionsForClient = tls1.2,tls1.3
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1

[tls1.3]
cipherSuite = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
groups = prime256v1, secp384r1, secp521r1

The [sslConfig] stanza controls TLS 1.2 settings. The [tls1.3] stanza, available starting in version 10.4.0, controls settings specific to TLS 1.3 connections globally across all Splunk platform clients and servers on the instance — unlike TLS 1.2 settings, which you configure per network interface. TLS 1.3 uses a different cipher suite format and API than TLS 1.2 — the cipherSuite setting in [tls1.3] accepts only TLS 1.3 cipher suite names and does not accept TLS 1.2 cipher suite names. The ecdhCurves setting in [sslConfig] controls key exchange curves for TLS 1.2 connections. For TLS 1.3 connections, the equivalent setting is groups in the [tls1.3] stanza.

Note: In FIPS 140-3 environments, exclude TLS_CHACHA20_POLY1305_SHA256 from the cipherSuite value in the [tls1.3] stanza. Only AES-GCM cipher suites and the secp384r1 and secp256r1 curves are FIPS 140-3 approved.
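The server.conf rules above can be checked mechanically. The following Python audit is an added example, not code from Splunk: it parses server.conf text and reports deprecated TLS versions, TLS 1.2 names placed in the [tls1.3] stanza, and, in FIPS mode, suites and curves outside the note above. The function names, finding strings and sample file are constructed for illustration; the TLS 1.3 name check assumes the five suites defined in RFC 8446, and prime256v1 is treated as OpenSSL's name for secp256r1.

```python
# TLS 1.3 suites from RFC 8446; OpenSSL-style TLS 1.2 names are not valid in [tls1.3].
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_AES_128_CCM_SHA256",
                "TLS_AES_128_CCM_8_SHA256", "TLS_CHACHA20_POLY1305_SHA256"}
# Curves the page's FIPS note allows; prime256v1 is OpenSSL's name for secp256r1.
FIPS_CURVES = {"secp384r1", "secp256r1", "prime256v1"}

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {setting: value}}."""
    stanzas, current = {}, "default"
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def items(conf, stanza, key, sep):
    return [v.strip() for v in conf.get(stanza, {}).get(key, "").split(sep) if v.strip()]

def audit_server_conf(text, fips=False):
    """Return findings for the server.conf TLS rules stated on this page."""
    conf, out = parse_conf(text), []
    if conf.get("sslConfig", {}).get("deprecatedTlsVersionSupport", "").lower() in ("true", "1"):
        out.append("sslConfig: deprecatedTlsVersionSupport is on")
    for key in ("sslVersions", "sslVersionsForClient"):
        out += [f"sslConfig: {key} enables {v}"
                for v in items(conf, "sslConfig", key, ",") if v in ("tls1.0", "tls1.1")]
    for suite in items(conf, "tls1.3", "cipherSuite", ":"):
        if suite not in TLS13_SUITES:
            out.append(f"tls1.3: {suite} is not a TLS 1.3 suite name")
        elif fips and "_GCM_" not in suite:
            out.append(f"tls1.3: {suite} is not AES-GCM (FIPS)")
    for stanza, key in (("sslConfig", "ecdhCurves"), ("tls1.3", "groups")) if fips else ():
        out += [f"{stanza}: {key} has non-FIPS curve {c}"
                for c in items(conf, stanza, key, ",") if c not in FIPS_CURVES]
    return out

# Constructed sample of a drifted server.conf; not taken from a real deployment.
SAMPLE = """[sslConfig]
deprecatedTlsVersionSupport = true
sslVersions = tls1.1,tls1.2,tls1.3
ecdhCurves = prime256v1, secp384r1
[tls1.3]
cipherSuite = TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256
groups = prime256v1, secp521r1
"""
if __name__ == "__main__":
    print("\n".join(audit_server_conf(SAMPLE, fips=True)))
```

Run with fips=True against the default values listed above, the audit reports TLS_CHACHA20_POLY1305_SHA256 and the secp521r1 entries in both ecdhCurves and groups, which are the values the FIPS note excludes.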

applicationsManagement

sslVersions = tls1.2,tls1.3
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1

The cipherSuite setting controls TLS 1.2 cipher suites. TLS 1.3 cipher suites are configured in the [tls1.3] stanza of the server.conf configuration file.

web.conf

sslVersions = tls1.2,tls1.3
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1

The cipherSuite setting controls TLS 1.2 cipher suites. TLS 1.3 cipher suites are configured in the [tls1.3] stanza of the server.conf configuration file.

ldap.conf

TLS_PROTOCOL_MIN 3.3
TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

The ldap.conf configuration file uses TLS_PROTOCOL_MIN to set the minimum TLS version for LDAP connections. The numeric values correspond to TLS protocol versions as follows:

TLS_PROTOCOL_MIN value | TLS version
3.3 | TLS 1.2
3.4 | TLS 1.3

To set TLS 1.3 as the minimum protocol version for LDAP connections, set TLS_PROTOCOL_MIN to 3.4. This requires an OpenLDAP version that supports TLS 1.3. To accept both TLS 1.2 and TLS 1.3, keep TLS_PROTOCOL_MIN at 3.3.

Note: TLS 1.0 and TLS 1.1 are not supported in version 10.4.0 and higher of Splunk Enterprise. Do not set TLS_PROTOCOL_MIN lower than 3.3.