If a Splunk forwarder is configured with the default TLS/SSL settings in the various .conf files as below, and the indexer/intermediate-forwarder is configured with the various .conf files as below, will the Universal Forwarder be forced to auto-negotiate the TLS version and cipher suite based on the limited TLS version and cipher suites available in the indexer/intermediate-forwarders settings?
Also, does the inputs.conf or server.conf SSL/CipherSuite configurations on the Indexer/Intermediate-forwarder control the version/cipher that is used for accepting data from the Universal Forwarders?
Universal Forwarder’s Configs:
outputs.conf:
[tcpout:my_group]
sslVersions = *,-ssl2
server.conf
[sslConfig]
sslVersions = *,-ssl2
Indexer/Intermediate-Forwarder’s Configs:
inputs.conf
[SSL]
sslVersions = *,-tls1.1,-tls1.0,-sslv3,-sslv2
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
server.conf
[sslConfig]
cipherSuite = TLSv1.2:!eNULL:!aNULL
sslVersions = *,-tls1.1,-tls1.0,-sslv3,-sslv2
↧