Security
Highlighted

Has anyone been able to get Splunk Web with TLS1.2 and Firefox?

New Member

Has anyone been able to get Splunk Web to work with TLS1.2 AND Firefox?

I know the web.conf needs to have

enableSplunkWebSSL = true
sslVersions = tls1.2

and I need to remove the supportSSLV3Only flag

I am able to get it to work with Chrome and IE with either one of these 2 cipherSuites in web.conf, but NOT Firefox.

cipherSuite = TLSv1.2+HIGH

OR

cipherSuite = TLSv1.2:!eNULL:!aNULL

The article from this Splunk blog mentions the Firefox problem, but doesn't mention a fix
http://blogs.splunk.com/2014/10/22/mitigating-the-poodle-attack-in-splunk/

The error I get in the Firefox browser is

SSL_ERROR_NO_CYPHER_OVERLAP
0 Karma
Highlighted

Re: Has anyone been able to get Splunk Web with TLS1.2 and Firefox?

New Member

Yes, SplunkWeb with sslVersions=tls1.2 works with Firefox49 when using a custom self signed certificate with RSA2048 + SHA256 + extendedKeyUsage=serverAuth.

Firefox cipher selection is restrictive, many require ECDSA certificate, see https://wiki.mozilla.org/Security/Server_Side_TLS. Using https://www.ssllabs.com/ssltest/viewMyClient.html against Firefox49, the client supported ciphers are,

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256        Forward Secrecy   128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256          Forward Secrecy   128
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256  Forward Secrecy   256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256    Forward Secrecy   256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384        Forward Secrecy   256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384          Forward Secrecy   256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA           Forward Secrecy   256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA           Forward Secrecy   128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA             Forward Secrecy   128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA             Forward Secrecy   256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA               Forward Secrecy   128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA               Forward Secrecy   256
TLS_RSA_WITH_AES_128_CBC_SHA                                     128
TLS_RSA_WITH_AES_256_CBC_SHA                                     256
TLS_RSA_WITH_3DES_EDE_CBC_SHA                                    112

Using TestSSLServer4 (http://www.bolet.org/TestSSLServer/) against SplunkWeb,

(key: RSA)  RSA_WITH_3DES_EDE_CBC_SHA
(key: RSA)  RSA_WITH_AES_128_CBC_SHA
(key: RSA)  RSA_WITH_AES_256_CBC_SHA
(key: RSA)  RSA_WITH_AES_128_CBC_SHA256
(key: RSA)  RSA_WITH_AES_256_CBC_SHA256
(key: RSA)  RSA_WITH_CAMELLIA_128_CBC_SHA
(key: RSA)  RSA_WITH_CAMELLIA_256_CBC_SHA
(key: RSA)  RSA_WITH_AES_128_GCM_SHA256
(key: RSA)  RSA_WITH_AES_256_GCM_SHA384

The only compatible ciphers are,
TLSRSAWITHAES128CBCSHA
TLSRSAWITHAES256CBCSHA
TLSRSAWITH3DESEDECBCSHA

If you also want Forward Secrecy then install an ECDSA certificate with say curve prime256v1 (P-256). Add to web.conf ecdhCurves=prime256v1. Re-running TestSSLServer4 against SplunkWeb,

 (key:   EC)  ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
 (key:   EC)  ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 (key:   EC)  ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 (key:   EC)  ECDH_RSA_WITH_3DES_EDE_CBC_SHA
 (key:   EC)  ECDH_RSA_WITH_AES_128_CBC_SHA
 (key:   EC)  ECDH_RSA_WITH_AES_256_CBC_SHA
 (key: none)  ECDH_anon_WITH_3DES_EDE_CBC_SHA
 (key: none)  ECDH_anon_WITH_AES_128_CBC_SHA
 (key: none)  ECDH_anon_WITH_AES_256_CBC_SHA
 (key:   EC)  ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
 (key:   EC)  ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
 (key:   EC)  ECDH_RSA_WITH_AES_128_CBC_SHA256
 (key:   EC)  ECDH_RSA_WITH_AES_256_CBC_SHA384
 (key:   EC)  ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 (key:   EC)  ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 (key:   EC)  ECDH_RSA_WITH_AES_128_GCM_SHA256
 (key:   EC)  ECDH_RSA_WITH_AES_256_GCM_SHA384

In my installation I have then restricted SplunkWeb ciphers to the ones supported by Firefox49,

cipherSuite=ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384

Note: I have only tested Firefox compatibility, make your own tests for Chrome, IE etc. Compatible ciphers will likely change with different versions of Firefox and OpenSSL (Splunk 6.5.0 is openssl-1.0.2h-fips) therefore cipherSuite may need to be adjusted over time.

HTH
Andrew

0 Karma
Highlighted

Re: Has anyone been able to get Splunk Web with TLS1.2 and Firefox?

Splunk Employee
Splunk Employee

Anyone able to confirm that this works? I have had trouble getting it to work

0 Karma