About TLS encryption and cipher suites
In version 6.6 and higher, Splunk Enterprise provides the following default cipher suites and TLS encryption.
alert_actions.conf
sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
This configuration does not support Windows Server 2008 R2. To add support for Windows Server 2008 R2:
1. Set sslVersions to tls
2. Add the following ciphers to the end of the existing cipherSuite:
ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA
To enable TLS 1.2 support on Windows Server 2008 R2:
1. Add the following key to the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
2. In the TLS 1.2\Server key, create the following:
DWORD (32-bit) Value – DisabledByDefault; set to 0
DWORD (32-bit) Value – Enabled; set to 1
3. Restart Windows
See: https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx#BKMK_SchannelTR_TLS12 for more information.
inputs.conf
sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
This configuration does not support Splunk 5.x. To add support for Splunk 5.x:
1. Set sslVersions = tls
2. Add the following ciphers to the end of the existing cipherSuite:
DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA:AES256-SHA:AES128-SHA
outputs.conf
sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
This configuration does not support Splunk 5.x. To add support for Splunk 5.x:
1. Set sslVersions to tls
2. Add the following ciphers to the end of the existing cipherSuite:
DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA:AES256-SHA:AES128-SHA
server.conf
sslVersions = tls1.2
sslVersionsForClient = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
This configuration does not support Splunk 5.x. To add support for Splunk 5.x:
1. Set sslVersions = tls
2. Set sslVersionsForClient = tls
3. Append AES256-SHA to the existing cipherSuite.
applicationsManagement
sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
This configuration does not support Splunk 5.x. To add support for Splunk 5.x:
1. Set sslVersions = tls
2. Add the following ciphers to the end of the existing cipherSuite:
DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA:AES256-SHA:AES128-SHA
web.conf
sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
This configuration does not support Windows Vista. To add support for Windows Vista:
1. Set sslVersions = tls
2. Add the following ciphers to the existing cipherSuite:
ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA
ldap.conf
TLS_PROTOCOL_MIN: 3.1 for TLSv1.0, 3.2 for TLSv1.1, 3.3 for TLSv1.2.
TLS_PROTOCOL_MIN 3.3
TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
This configuration does not support Windows Server 2008 R2. To add support for Windows Server 2008 R2:
1. Set TLS_PROTOCOL_MIN = TLS1.0/SSL3.1
2. Add the following ciphers to the existing TLS_CIPHER_SUITE:
ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA
To enable TLS 1.2 support on Windows Server 2008 R2:
1. Add the following key to the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
2. In the TLS 1.2\Server key, create the following:
DWORD (32-bit) Value – DisabledByDefault; set to 0
DWORD (32-bit) Value – Enabled; set to 1
3. Restart Windows. See: https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx#BKMK_SchannelTR_TLS12 for more information.
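Each compatibility procedure above widens sslVersions and appends older ciphers to cipherSuite. The Python check below is an added example, not Splunk code; it reports where a .conf stanza differs from the defaults listed on this page. The sample stanza is constructed, and the function names and finding strings are illustrative.

```python
# Added example (not Splunk code): flag .conf settings weaker than the defaults above.
# Assumes every setting sits under a [stanza] header and on a single line.
import configparser

# Default cipherSuite listed on this page; server.conf's default adds SERVER_EXTRA.
DEFAULT_CIPHERS = frozenset(
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256".split(":")
)
SERVER_EXTRA = frozenset({"AES256-GCM-SHA384", "AES128-GCM-SHA256", "AES128-SHA256"})
VERSION_KEYS = ("sslversions", "sslversionsforclient")  # configparser lowercases keys

# Constructed sample: a server.conf stanza after partial Splunk 5.x compatibility edits.
SAMPLE = """\
[sslConfig]
sslVersions = tls
sslVersionsForClient = tls1.2
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA256:DHE-RSA-AES256-SHA:AES256-SHA:AES256-SHA
"""

def audit_conf(text, allowed=DEFAULT_CIPHERS):
    """Return (stanza, key, finding) tuples for every deviation from the defaults."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for stanza in cp.sections():
        for key, value in cp[stanza].items():
            if key in VERSION_KEYS:
                versions = {v.strip().lower() for v in value.split(",")}
                if versions != {"tls1.2"}:
                    findings.append((stanza, key, f"not restricted to tls1.2: {value}"))
            elif key == "ciphersuite":
                names = dict.fromkeys(c.strip() for c in value.split(":") if c.strip())
                for cipher in names:  # de-duplicated, original order kept
                    if cipher in allowed:
                        continue
                    notes = []
                    if not cipher.startswith(("ECDHE-", "DHE-")):
                        notes.append("no ephemeral (EC)DHE key exchange")
                    if cipher.endswith("-SHA"):
                        notes.append("SHA-1 MAC")
                    detail = ", ".join(notes) or "review manually"
                    findings.append((stanza, key, f"non-default cipher {cipher}: {detail}"))
    return findings

if __name__ == "__main__":
    for finding in audit_conf(SAMPLE, DEFAULT_CIPHERS | SERVER_EXTRA):
        print(*finding, sep=" | ")
```

For server.conf, pass `DEFAULT_CIPHERS | SERVER_EXTRA` as `allowed`, since its default list carries the three additional non-ECDHE suites.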