Security

Has anyone been able to get Splunk Web with TLS1.2 and Firefox?

huister
New Member

Has anyone been able to get Splunk Web to work with TLS1.2 AND Firefox?

I know the web.conf needs to have

enableSplunkWebSSL = true
sslVersions = tls1.2

and I need to remove the supportSSLV3Only flag

I am able to get it to work with Chrome and IE with either one of these 2 cipherSuites in web.conf, but NOT Firefox.

cipherSuite = TLSv1.2+HIGH

OR

cipherSuite = TLSv1.2:!eNULL:!aNULL

The article from this Splunk blog mentions the Firefox problem, but doesn't mention a fix
http://blogs.splunk.com/2014/10/22/mitigating-the-poodle-attack-in-splunk/

The error I get in the Firefox browser is

SSL_ERROR_NO_CYPHER_OVERLAP
0 Karma

kuja
Splunk Employee
Splunk Employee

Anyone able to confirm that this works? I have had trouble getting it to work

0 Karma

andrewpeek
New Member

Yes, SplunkWeb with sslVersions=tls1.2 works with Firefox49 when using a custom self signed certificate with RSA2048 + SHA256 + extendedKeyUsage=serverAuth.

Firefox cipher selection is restrictive, many require ECDSA certificate, see https://wiki.mozilla.org/Security/Server_Side_TLS. Using https://www.ssllabs.com/ssltest/viewMyClient.html against Firefox49, the client supported ciphers are,

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256        Forward Secrecy   128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256          Forward Secrecy   128
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256  Forward Secrecy   256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256    Forward Secrecy   256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384        Forward Secrecy   256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384          Forward Secrecy   256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA           Forward Secrecy   256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA           Forward Secrecy   128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA             Forward Secrecy   128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA             Forward Secrecy   256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA               Forward Secrecy   128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA               Forward Secrecy   256
TLS_RSA_WITH_AES_128_CBC_SHA                                     128
TLS_RSA_WITH_AES_256_CBC_SHA                                     256
TLS_RSA_WITH_3DES_EDE_CBC_SHA                                    112

Using TestSSLServer4 (http://www.bolet.org/TestSSLServer/) against SplunkWeb,

(key: RSA)  RSA_WITH_3DES_EDE_CBC_SHA
(key: RSA)  RSA_WITH_AES_128_CBC_SHA
(key: RSA)  RSA_WITH_AES_256_CBC_SHA
(key: RSA)  RSA_WITH_AES_128_CBC_SHA256
(key: RSA)  RSA_WITH_AES_256_CBC_SHA256
(key: RSA)  RSA_WITH_CAMELLIA_128_CBC_SHA
(key: RSA)  RSA_WITH_CAMELLIA_256_CBC_SHA
(key: RSA)  RSA_WITH_AES_128_GCM_SHA256
(key: RSA)  RSA_WITH_AES_256_GCM_SHA384

The only compatible ciphers are,
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

If you also want Forward Secrecy then install an ECDSA certificate with say curve prime256v1 (P-256). Add to web.conf ecdhCurves=prime256v1. Re-running TestSSLServer4 against SplunkWeb,

 (key:   EC)  ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
 (key:   EC)  ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 (key:   EC)  ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 (key:   EC)  ECDH_RSA_WITH_3DES_EDE_CBC_SHA
 (key:   EC)  ECDH_RSA_WITH_AES_128_CBC_SHA
 (key:   EC)  ECDH_RSA_WITH_AES_256_CBC_SHA
 (key: none)  ECDH_anon_WITH_3DES_EDE_CBC_SHA
 (key: none)  ECDH_anon_WITH_AES_128_CBC_SHA
 (key: none)  ECDH_anon_WITH_AES_256_CBC_SHA
 (key:   EC)  ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
 (key:   EC)  ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
 (key:   EC)  ECDH_RSA_WITH_AES_128_CBC_SHA256
 (key:   EC)  ECDH_RSA_WITH_AES_256_CBC_SHA384
 (key:   EC)  ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 (key:   EC)  ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 (key:   EC)  ECDH_RSA_WITH_AES_128_GCM_SHA256
 (key:   EC)  ECDH_RSA_WITH_AES_256_GCM_SHA384

In my installation I have then restricted SplunkWeb ciphers to the ones supported by Firefox49,

cipherSuite=ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384

Note: I have only tested Firefox compatibility, make your own tests for Chrome, IE etc. Compatible ciphers will likely change with different versions of Firefox and OpenSSL (Splunk 6.5.0 is openssl-1.0.2h-fips) therefore cipherSuite may need to be adjusted over time.

HTH
Andrew

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...