Has anyone been able to get Splunk Web to work with TLS1.2 AND Firefox?
I know the web.conf needs to have
enableSplunkWebSSL = true
sslVersions = tls1.2
and I need to remove the supportSSLV3Only flag
I am able to get it to work with Chrome and IE with either one of these 2 cipherSuites in web.conf, but NOT Firefox.
cipherSuite = TLSv1.2+HIGH
OR
cipherSuite = TLSv1.2:!eNULL:!aNULL
The article from this Splunk blog mentions the Firefox problem, but doesn't mention a fix
http://blogs.splunk.com/2014/10/22/mitigating-the-poodle-attack-in-splunk/
The error I get in the Firefox browser is
SSL_ERROR_NO_CYPHER_OVERLAP
Anyone able to confirm that this works? I have had trouble getting it to work.
Yes, SplunkWeb with sslVersions=tls1.2 works with Firefox49 when using a custom self signed certificate with RSA2048 + SHA256 + extendedKeyUsage=serverAuth.
Firefox cipher selection is restrictive; many ciphers require an ECDSA certificate, see https://wiki.mozilla.org/Security/Server_Side_TLS. Using https://www.ssllabs.com/ssltest/viewMyClient.html against Firefox49, the client supported ciphers are,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 Forward Secrecy 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Forward Secrecy 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA Forward Secrecy 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA Forward Secrecy 256
TLS_RSA_WITH_AES_128_CBC_SHA 128
TLS_RSA_WITH_AES_256_CBC_SHA 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA 112
Using TestSSLServer4 (http://www.bolet.org/TestSSLServer/) against SplunkWeb,
(key: RSA) RSA_WITH_3DES_EDE_CBC_SHA
(key: RSA) RSA_WITH_AES_128_CBC_SHA
(key: RSA) RSA_WITH_AES_256_CBC_SHA
(key: RSA) RSA_WITH_AES_128_CBC_SHA256
(key: RSA) RSA_WITH_AES_256_CBC_SHA256
(key: RSA) RSA_WITH_CAMELLIA_128_CBC_SHA
(key: RSA) RSA_WITH_CAMELLIA_256_CBC_SHA
(key: RSA) RSA_WITH_AES_128_GCM_SHA256
(key: RSA) RSA_WITH_AES_256_GCM_SHA384
The only compatible ciphers are,
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
If you also want Forward Secrecy then install an ECDSA certificate with, say, curve prime256v1 (P-256). Add to web.conf ecdhCurves=prime256v1. Re-running TestSSLServer4 against SplunkWeb,
(key: EC) ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
(key: EC) ECDHE_ECDSA_WITH_AES_128_CBC_SHA
(key: EC) ECDHE_ECDSA_WITH_AES_256_CBC_SHA
(key: EC) ECDH_RSA_WITH_3DES_EDE_CBC_SHA
(key: EC) ECDH_RSA_WITH_AES_128_CBC_SHA
(key: EC) ECDH_RSA_WITH_AES_256_CBC_SHA
(key: none) ECDH_anon_WITH_3DES_EDE_CBC_SHA
(key: none) ECDH_anon_WITH_AES_128_CBC_SHA
(key: none) ECDH_anon_WITH_AES_256_CBC_SHA
(key: EC) ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
(key: EC) ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
(key: EC) ECDH_RSA_WITH_AES_128_CBC_SHA256
(key: EC) ECDH_RSA_WITH_AES_256_CBC_SHA384
(key: EC) ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
(key: EC) ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
(key: EC) ECDH_RSA_WITH_AES_128_GCM_SHA256
(key: EC) ECDH_RSA_WITH_AES_256_GCM_SHA384
In my installation I have then restricted SplunkWeb ciphers to the ones supported by Firefox49,
cipherSuite=ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384
Note: I have only tested Firefox compatibility, make your own tests for Chrome, IE etc. Compatible ciphers will likely change with different versions of Firefox and OpenSSL (Splunk 6.5.0 is openssl-1.0.2h-fips) therefore cipherSuite may need to be adjusted over time.
HTH
Andrew
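The cipher-overlap reasoning in the answer above, as an added example that is not part of the thread and not Splunk's or the answerer's code. It takes the two lists printed in the answer (the Firefox 49 client suites from viewMyClient and the TestSSLServer4 output for Splunk Web with the RSA and then the ECDSA certificate), computes the intersection in the client's preference order, and converts the result from IANA names to the OpenSSL names that web.conf's cipherSuite expects. The function names (`parse_testsslserver`, `iana_to_openssl`, `overlap`, `cipher_suite_setting`, `probe`) and the name-conversion rules are my own; the rules only cover the suites that appear on this page.

```python
"""Cipher-overlap check for the SSL_ERROR_NO_CYPHER_OVERLAP case in the thread above.

Added example, not code from the Splunk Answers thread or from Splunk. The suite
lists are copied from the answer (Firefox 49 via ssllabs viewMyClient, Splunk Web
via TestSSLServer4, condensed to several entries per line); function names and
the optional live probe are my own.
"""
import re
import socket
import ssl

# Firefox 49 offered suites, in the client's preference order (IANA names, from the answer).
FIREFOX49 = """
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA
""".split()

# TestSSLServer4 output for Splunk Web with the RSA certificate (from the answer).
SPLUNK_RSA_CERT = """
(key: RSA) RSA_WITH_3DES_EDE_CBC_SHA (key: RSA) RSA_WITH_AES_128_CBC_SHA (key: RSA) RSA_WITH_AES_256_CBC_SHA
(key: RSA) RSA_WITH_AES_128_CBC_SHA256 (key: RSA) RSA_WITH_AES_256_CBC_SHA256 (key: RSA) RSA_WITH_CAMELLIA_128_CBC_SHA
(key: RSA) RSA_WITH_CAMELLIA_256_CBC_SHA (key: RSA) RSA_WITH_AES_128_GCM_SHA256 (key: RSA) RSA_WITH_AES_256_GCM_SHA384
"""

# Same, after switching to the P-256 ECDSA certificate with ecdhCurves=prime256v1.
SPLUNK_EC_CERT = """
(key: EC) ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (key: EC) ECDHE_ECDSA_WITH_AES_128_CBC_SHA (key: EC) ECDHE_ECDSA_WITH_AES_256_CBC_SHA
(key: EC) ECDH_RSA_WITH_3DES_EDE_CBC_SHA (key: EC) ECDH_RSA_WITH_AES_128_CBC_SHA (key: EC) ECDH_RSA_WITH_AES_256_CBC_SHA
(key: none) ECDH_anon_WITH_3DES_EDE_CBC_SHA (key: none) ECDH_anon_WITH_AES_128_CBC_SHA (key: none) ECDH_anon_WITH_AES_256_CBC_SHA
(key: EC) ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (key: EC) ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (key: EC) ECDH_RSA_WITH_AES_128_CBC_SHA256
(key: EC) ECDH_RSA_WITH_AES_256_CBC_SHA384 (key: EC) ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (key: EC) ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
(key: EC) ECDH_RSA_WITH_AES_128_GCM_SHA256 (key: EC) ECDH_RSA_WITH_AES_256_GCM_SHA384
"""

# IANA -> OpenSSL naming rules, covering only the suites that appear above.
_KX = {"RSA": "", "DHE_RSA": "DHE-RSA", "ECDHE_RSA": "ECDHE-RSA",
       "ECDHE_ECDSA": "ECDHE-ECDSA", "ECDH_RSA": "ECDH-RSA", "ECDH_anon": "AECDH"}
_BULK = {"AES_128_CBC": "AES128", "AES_256_CBC": "AES256",
         "AES_128_GCM": "AES128-GCM", "AES_256_GCM": "AES256-GCM",
         "3DES_EDE_CBC": "DES-CBC3", "CAMELLIA_128_CBC": "CAMELLIA128",
         "CAMELLIA_256_CBC": "CAMELLIA256", "CHACHA20_POLY1305": "CHACHA20-POLY1305"}


def parse_testsslserver(output):
    """Turn '(key: RSA) RSA_WITH_AES_128_CBC_SHA' entries into IANA names (TLS_ prefix)."""
    return ["TLS_" + s for s in re.findall(r"\(key: \w+\)\s+(\S+)", output)]


def iana_to_openssl(name):
    """TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA -> ECDHE-ECDSA-AES128-SHA, the form
    Splunk's cipherSuite (an OpenSSL cipher string) expects."""
    kx, rest = name[4:].split("_WITH_", 1)          # drop the 'TLS_' prefix
    bulk, _sep, mac = rest.rpartition("_")           # e.g. AES_128_GCM / SHA256
    parts = [p for p in (_KX[kx], _BULK[bulk]) if p]
    if bulk != "CHACHA20_POLY1305":                  # OpenSSL omits the MAC for ChaCha
        parts.append(mac)
    return "-".join(parts)


def overlap(client, server):
    """Suites both sides offer, in client order. Empty => NO_CYPHER_OVERLAP."""
    offered = set(server)
    return [s for s in client if s in offered]


def cipher_suite_setting(client, server):
    """A web.conf cipherSuite value built from the overlap (may be '')."""
    return ":".join(iana_to_openssl(s) for s in overlap(client, server))


def probe(host, port, openssl_names):
    """Live TLS 1.2 probe (not run offline): try each OpenSSL cipher name against the
    server and return the ones it negotiates. Verification is off because the thread
    uses a self-signed certificate; this checks ciphers, not trust. On OpenSSL 1.1+
    a legacy suite may need a suffix such as 'DES-CBC3-SHA:@SECLEVEL=0'."""
    agreed = []
    for name in openssl_names:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(name)                    # SSLError if local OpenSSL lacks it
            with socket.create_connection((host, port), timeout=5) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    agreed.append(tls.cipher()[0])
        except (ssl.SSLError, OSError):
            continue
    return agreed


if __name__ == "__main__":
    for label, out in (("RSA cert", SPLUNK_RSA_CERT), ("ECDSA cert", SPLUNK_EC_CERT)):
        print(label, "->", cipher_suite_setting(FIREFOX49, parse_testsslserver(out)) or "NO OVERLAP")
```

Run on the lists as printed in the answer, the RSA-certificate intersection is AES128-SHA:AES256-SHA:DES-CBC3-SHA, and the ECDSA-certificate intersection is ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA. This also explains the questioner's result: in OpenSSL cipher-string syntax the `TLSv1.2` keyword selects only suites that require TLS 1.2 (the SHA256/SHA384 and GCM ones), so `TLSv1.2+HIGH` and `TLSv1.2:!eNULL:!aNULL` exclude exactly the three RSA suites Firefox 49 could still use with an RSA certificate, leaving no overlap. Re-run the intersection against your own client and TestSSLServer output rather than reusing these lists, since both sides change with browser and OpenSSL versions; `probe()` is there for checking the final cipherSuite against the live Splunk Web port.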