Configure TLS protocol version support for secure connections between Splunk platform instances
You configure TLS protocol version support using the sslVersions setting in various configuration files. You can restrict the Splunk platform to specific protocol versions, or you can turn on multiple versions simultaneously. Both the instance that initiates a connection and the instance that receives it must support the same protocol versions. You must configure the sslVersions setting in a configuration file. You cannot perform this configuration in Splunk Web.
Supported SSL and TLS protocol versions
The Splunk platform supports the following Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocol versions:
| Protocol version | Status | Notes |
|---|---|---|
| SSLv3 | Not supported | Support removed in version 10.4.0 of Splunk Enterprise and version 10.4.2604.0 of Splunk Cloud Platform. Do not use this version. |
| TLS 1.0 | Turned off by default | Turned off by default in version 10.4.0 and higher of Splunk Enterprise and version 10.4.2604.0 and higher of Splunk Cloud Platform. Existing configuration values for this protocol version are ignored. To turn on support for this version for legacy system compatibility only, set deprecatedTlsVersionSupport = "true" in the [sslConfig] stanza of the server.conf configuration file. |
| TLS 1.1 | Turned off by default | Turned off by default in version 10.4.0 and higher of Splunk Enterprise and version 10.4.2604.0 and higher of Splunk Cloud Platform. Existing configuration values for this protocol version are ignored. To turn on support for this version for legacy system compatibility only, set deprecatedTlsVersionSupport = "true" in the [sslConfig] stanza of the server.conf configuration file. |
| TLS 1.2 | Supported | Default protocol version for Splunk platform deployments at version 9.x and lower. Active alongside version 1.3 of the TLS protocol by default at version 10.4.0 and higher. |
| TLS 1.3 | Supported | Version 1.3 of the TLS protocol is available starting in Splunk Enterprise version 10.4.0 and Splunk Cloud Platform version 10.4.2604.0. Active alongside TLS 1.2 by default when you upgrade to version 10.4.0 or higher, or install a new instance at that version. |
At version 10.4.0 and higher, sslVersions = "tls" includes TLS 1.3. At version 9.x and lower, the same setting includes only TLS 1.0, TLS 1.1, and TLS 1.2. To revert to TLS 1.2 only after upgrading to version 10.4.0 or higher, set sslVersions = "tls1.2" in the applicable configuration files. You can also use sslVersions = "-tls1.3" to exclude TLS 1.3 while keeping the TLS wildcard, but setting an explicit version list such as tls1.2 is the preferred approach.
Configure TLS protocol version support with the sslVersions setting
The sslVersions setting controls the TLS protocols that each Splunk platform instance uses to connect to other Splunk platform instances securely. The syntax for configuring the setting follows:
| To do this | Use this syntax | Example |
|---|---|---|
| Turn on a single protocol version | sslVersions=<protocol> | sslVersions=tls1.2 |
| Turn on TLS 1.3 only | sslVersions=tls1.3 | sslVersions=tls1.3 |
| Turn on TLS 1.2 and TLS 1.3 (the default in version 10.4.0) | sslVersions=tls1.2,tls1.3 | sslVersions=tls1.2,tls1.3 |
| Turn off a single protocol version | sslVersions=-<protocol> | sslVersions=-tls1.0 |
| Turn off TLS 1.3 and revert to TLS 1.2 only | sslVersions=-tls1.3 | sslVersions=-tls1.3 |
| Turn on multiple protocol versions | sslVersions=<protocol>,<protocol>,... | sslVersions=tls1.1,tls1.2 |
| Turn on some versions and turn off others at the same time | sslVersions=<protocol>,-<protocol>,... | sslVersions=tls1.2,tls1.3 |
| Turn on all supported protocol versions | sslVersions=* | |
| Turn on all but one protocol version | sslVersions=*,-<protocol> | sslVersions=*,-tls1.3 |
| Turn on all supported TLS versions | sslVersions=tls | |
sslVersions setting on each instance to a value that both instances can use. If you turn on FIPS mode on an instance, that instance does not use the SSL protocol versions at all, even if you specify them explicitly.
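The syntax rules above, worked as an added example (not Splunk code and not part of the original page): a small Python model that resolves an sslVersions value to the protocol versions it enables at version 10.4.0 and higher, then checks whether two peers share one. It assumes that a value made only of exclusions starts from the 10.4.0 default and that peers settle on the highest shared version; the function names and the sample .conf text are constructed.

```python
import configparser

ORDER = ["tls1.0", "tls1.1", "tls1.2", "tls1.3"]  # oldest to newest
DEPRECATED = {"tls1.0", "tls1.1"}                 # off by default at 10.4.0+
DEFAULT = "tls1.2,tls1.3"                         # 10.4.0 default per the page


def effective_versions(value, deprecated_support=False):
    """Model the page's sslVersions rules for 10.4.0+ (not Splunk's own parser)."""
    tokens = [t.strip().strip('"').lower() for t in value.split(",") if t.strip()]
    includes = [t for t in tokens if not t.startswith("-")]
    # Assumption: a value made only of exclusions starts from the default set,
    # as in the page's "sslVersions=-tls1.3 reverts to TLS 1.2 only" row.
    enabled = set() if includes else set(DEFAULT.split(","))
    for tok in includes:
        enabled |= set(ORDER) if tok in ("*", "tls") else {tok} & set(ORDER)
    enabled -= {t[1:] for t in tokens if t.startswith("-")}
    if not deprecated_support:
        enabled -= DEPRECATED  # configured TLS 1.0/1.1 values are ignored
    return enabled


def read_setting(conf_text, stanza, key):
    """Read one setting from .conf text; fall back to the 10.4.0 default."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    return cp.get(stanza, key, fallback=DEFAULT)


def negotiated(client_value, server_value):
    """Highest version both peers allow, or None when they share none."""
    common = effective_versions(client_value) & effective_versions(server_value)
    return max(common, key=ORDER.index) if common else None


# Constructed sample files: a forwarder left on TLS 1.2, an indexer moved to TLS 1.3 only.
FORWARDER_CONF = "[SSL]\nsslVersions = tls1.2\n"
INDEXER_CONF = "[sslConfig]\nsslVersions = tls1.3\nenableSplunkdSSL = true\n"

if __name__ == "__main__":
    fwd = read_setting(FORWARDER_CONF, "SSL", "sslVersions")
    idx = read_setting(INDEXER_CONF, "sslConfig", "sslVersions")
    print("forwarder:", sorted(effective_versions(fwd)))
    print("indexer:  ", sorted(effective_versions(idx)))
    print("negotiated:", negotiated(fwd, idx))  # None: no shared version
```

Running a check like this across a deployment before a restart shows which instance pairs would lose connectivity, for example when an indexer is restricted to TLS 1.3 while a forwarder is still pinned to TLS 1.2.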
Where you configure the sslVersions setting depends on the kind of communication that the Splunk platform instances are performing. The following table shows which configuration file controls sslVersions for each component:
| Component | Configuration file | Notes |
|---|---|---|
| Splunk Web | web.conf | Configure under the [settings] stanza of the web.conf configuration file. |
| Universal forwarder or heavy forwarder (Splunk-to-Splunk) | inputs.conf | Configure under the [SSL] stanza or other applicable stanzas of the inputs.conf configuration file. See the inputs.conf specification file for the full list of stanzas that support this setting. |
| Indexer | server.conf | Configure under the [sslConfig] stanza of the server.conf configuration file. See the server.conf specification file for the full list of stanzas that support this setting. |
| HTTP Event Collector (HEC) | inputs.conf | Configure under the [http] stanza in $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf. |
| splunkd acting as a client | server.conf | Use sslVersionsForClient when splunkd acts as a client, for example, as a deployment client connecting to a deployment server, or as a cluster member. In clustering configurations, set sslVersionsForClient on each cluster member to match the sslVersions value on the cluster manager, so that inter-node replication connections negotiate the correct TLS version. The instance receiving the connection must also be configured to listen over TLS. See the server.conf specification file for details on sslVersionsForClient and enableSplunkdSSL. |
- Identify the configuration file to edit based on the Splunk component you are configuring.
- Open the configuration file in a text editor.
- Add or update the sslVersions setting with the values for the protocol versions you want to support or turn off.
- Save the configuration file.
- Restart the Splunk platform instance for the changes to take effect.

Note: If you are updating only the [tls1.3] stanza in the server.conf file, you can reload HTTP server channels without a full restart.
Turn on support for older TLS versions with deprecatedTlsVersionSupport
Starting in version 10.4.0, Splunk Enterprise turns off support for TLS 1.0 and TLS 1.1 by default. To turn on those versions again — for example, when connecting to a legacy system that cannot be upgraded — set deprecatedTlsVersionSupport = "true" in the [sslConfig] stanza of the server.conf configuration file. The same setting applies to Splunk Cloud Platform version 10.4.2604.0 and higher. Turning on deprecatedTlsVersionSupport causes Splunk Enterprise to emit a warning in splunkd.log.
deprecatedTlsVersionSupport restores support for TLS versions with known security vulnerabilities. Use this setting only as a temporary measure while you upgrade legacy systems to TLS 1.2 or TLS 1.3.
| Setting | Default | Description |
|---|---|---|
| deprecatedTlsVersionSupport | false | A value of "true" turns on support for TLS 1.0 and TLS 1.1. Configure this setting in the [sslConfig] stanza of the server.conf file. Requires a restart to take effect. |
Configure TLS 1.3 settings with the [tls1.3] stanza
Starting in version 10.4.0, the server.conf configuration file includes a dedicated [tls1.3] stanza for settings that apply specifically to TLS 1.3 connections. Use this stanza to customize the cipher suites and key exchange curves that the Splunk platform uses for TLS 1.3. Settings in the [sslConfig] stanza continue to apply to TLS 1.2 connections and are not affected by the [tls1.3] stanza.
The Splunk platform reads the [tls1.3] stanza only when sslVersions includes "tls1.3". When sslVersions is set to "tls1.2" only, the Splunk platform ignores the [tls1.3] stanza entirely. When the stanza is absent or its settings are empty, the Splunk platform uses the OpenSSL library defaults for TLS 1.3.
The [tls1.3] stanza exists only in the server.conf file. It has global scope and does not support per-component overrides. All Splunk platform clients and servers on a given instance share this single stanza.
The [tls1.3] stanza in server.conf supports the following settings:
| Setting | Description | Default value |
|---|---|---|
| cipherSuite | The TLS 1.3 cipher suites that the Splunk platform accepts for TLS 1.3 connections. Separate multiple cipher suites with a colon (:). TLS 1.3 uses a different cipher suite format than TLS 1.2, and accepts only TLS 1.3 cipher suite names. For the current default value, see the cipherSuite setting in $SPLUNK_HOME/etc/system/default/server.conf. | TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 |
| groups | The key exchange groups that the Splunk platform uses for TLS 1.3 connections. The allowed classical groups are: X25519, X448, secp256r1 (also known as prime256v1), secp384r1, and secp521r1. Post-quantum hybrid groups are also supported: MLKEM512, MLKEM768, MLKEM1024, X25519MLKEM768, and SecP256r1MLKEM768. Separate multiple values with a comma. For the current default value, see the groups setting in $SPLUNK_HOME/etc/system/default/server.conf. | prime256v1, secp384r1, secp521r1 |
Reload behavior for the [tls1.3] stanza
When you update settings in the [tls1.3] stanza, the scope of the reload depends on whether you are reloading server channels or applying the change to client paths:
- HTTP server channels: You can apply [tls1.3] stanza changes to HTTP server channels without a full restart. After saving the updated stanza, reload each HTTP server channel individually. Any channel you do not reload continues to use the previous [tls1.3] configuration until you reload it or restart the instance.
- Client paths: Client paths do not support reload for [tls1.3] changes. Restart the Splunk Enterprise instance to apply updated [tls1.3] settings to client paths. The REST API _reload action operates at the conf-server level and does not support reloading the [tls1.3] stanza in isolation.
[tls1.3] stanza, reload every HTTP server channel to ensure consistent TLS 1.3 behavior across the instance. Channels that you skip retain the previous TLS 1.3 configuration and might negotiate different cipher suites or key exchange groups than newly reloaded channels.
Settings that do not apply to TLS 1.3
TLS 1.3 replaces several TLS 1.2 mechanisms with stronger built-in controls. The following settings have no effect when you configure the Splunk platform to use TLS 1.3 only, and are not applicable to TLS 1.3 connections:
| Setting | Configuration file | Reason |
|---|---|---|
| dhFile | inputs.conf, web.conf | TLS 1.3 does not use Diffie-Hellman (DH) parameter files. |
| allowSslCompression | inputs.conf, outputs.conf, web.conf | TLS 1.3 does not support SSL compression. |
| allowSslRenegotiation | inputs.conf, outputs.conf, web.conf | TLS 1.3 does not support renegotiation. |
| useClientSSLCompression | outputs.conf | TLS 1.3 does not support SSL compression. |
Examples for configuring TLS protocol versions
The following examples show how to configure TLS protocol versions for common Splunk platform communication scenarios.
Example 1: Configure a forwarder and indexer to communicate over TLS 1.2
When you want a universal forwarder and an indexer to use TLS 1.2 for Splunk-to-Splunk (S2S) communication, apply the following configuration to both instances. Both sides must specify the same protocol version.
- On the forwarder, open the $SPLUNK_HOME/etc/system/local/inputs.conf configuration file.
- Add the following settings to the [SSL] stanza:

  ```
  [SSL]
  sslVersions = tls1.2
  ```

- On the indexer, open the $SPLUNK_HOME/etc/system/local/server.conf configuration file.
- Add the following settings to the [sslConfig] stanza:

  ```
  [sslConfig]
  sslVersions = tls1.2
  enableSplunkdSSL = true
  ```

- Restart both the forwarder and the indexer.
Example 2: Configure a Splunk agent and agent management to accept all TLS versions
When you want a Splunk agent and its agent management instance to negotiate any available TLS version, set sslVersions = "tls" on both sides. Starting in version 10.4.0, this setting includes TLS 1.3.
- On the agent instance, open the $SPLUNK_HOME/etc/system/local/server.conf configuration file.
- Add the following setting to the [sslConfig] stanza:

  ```
  [sslConfig]
  sslVersionsForClient = tls
  ```

- On the agent management instance, open the $SPLUNK_HOME/etc/system/local/server.conf file.
- Add the following settings to the [sslConfig] stanza:

  ```
  [sslConfig]
  sslVersions = tls
  enableSplunkdSSL = true
  ```

- Restart both instances.
Example 3: Configure a forwarder and indexer to accept TLS 1.2 and TLS 1.3
When you have forwarders and indexers that run version 10.4.0 or higher, configure both instances to accept TLS 1.2 and TLS 1.3. This configuration lets both protocol versions operate simultaneously, which preserves backward compatibility with any connecting instances that support only TLS 1.2 while allowing TLS 1.3 for those that support it. This is the default configuration for new version 10.4.0 installations.
- On the forwarder, open the $SPLUNK_HOME/etc/system/local/inputs.conf configuration file.
- Add the following settings to the [SSL] stanza:

  ```
  [SSL]
  sslVersions = tls1.2,tls1.3
  ```

- On the indexer, open the $SPLUNK_HOME/etc/system/local/server.conf configuration file.
- Add or update the following stanzas:

  ```
  [sslConfig]
  sslVersions = tls1.2,tls1.3
  enableSplunkdSSL = true

  [tls1.3]
  cipherSuite = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
  groups = prime256v1, secp384r1, secp521r1
  ```

- Restart both the forwarder and the indexer.
Example 4: Configure a forwarder and indexer to accept TLS 1.3 only
When all forwarders, indexers, and other connecting clients in your deployment run version 10.4.0 or higher and support TLS 1.3, you can restrict the deployment to TLS 1.3 only. Before applying this configuration, verify that no clients in your environment require TLS 1.2, because those clients lose connectivity after this change takes effect. Splunk Cloud Platform customers cannot apply this configuration directly — open a support case with Splunk instead.
- On the forwarder, open the $SPLUNK_HOME/etc/system/local/inputs.conf configuration file.
- Add the following setting to the [SSL] stanza:

  ```
  [SSL]
  sslVersions = tls1.3
  ```

- On the indexer, open the $SPLUNK_HOME/etc/system/local/server.conf configuration file.
- Add or update the following stanzas:

  ```
  [sslConfig]
  sslVersions = tls1.3
  enableSplunkdSSL = true

  [tls1.3]
  cipherSuite = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
  groups = prime256v1, secp384r1, secp521r1
  ```

- Restart both the forwarder and the indexer.
- Verify that the connection succeeds and that the TLS version in use is TLS 1.3 by reviewing $SPLUNK_HOME/var/log/splunk/splunkd.log for SSL handshake confirmation entries.
Example 5: Turn off TLS 1.3 after upgrading to version 10.4.0 or higher
When you upgrade an existing deployment to version 10.4.0 or higher, the Splunk platform turns on TLS 1.3 alongside TLS 1.2 by default. If your security policy requires TLS 1.2 only, explicitly turn off TLS 1.3 by adding the following configuration to each instance in your deployment.
- On the forwarder, open the $SPLUNK_HOME/etc/system/local/inputs.conf configuration file.
- Add the following setting to the [SSL] stanza:

  ```
  [SSL]
  sslVersions = -tls1.3
  ```

- On the indexer, open the $SPLUNK_HOME/etc/system/local/server.conf configuration file.
- Add the following setting to the [sslConfig] stanza:

  ```
  [sslConfig]
  sslVersions = -tls1.3
  enableSplunkdSSL = true
  ```

- Restart both instances.