Has anyone been able to get Splunk Web with TLS1.2 and Firefox?

huister
New Member

Has anyone been able to get Splunk Web to work with TLS1.2 AND Firefox?

I know the web.conf needs to have

enableSplunkWebSSL = true
sslVersions = tls1.2

and I need to remove the supportSSLV3Only flag

I am able to get it to work with Chrome and IE with either one of these 2 cipherSuites in web.conf, but NOT Firefox.

cipherSuite = TLSv1.2+HIGH

OR

cipherSuite = TLSv1.2:!eNULL:!aNULL

The article from this Splunk blog mentions the Firefox problem, but doesn't mention a fix
http://blogs.splunk.com/2014/10/22/mitigating-the-poodle-attack-in-splunk/

The error I get in the Firefox browser is

SSL_ERROR_NO_CYPHER_OVERLAP
0 Karma

kuja
Splunk Employee

Anyone able to confirm that this works? I have had trouble getting it to work.

0 Karma

andrewpeek
New Member

Yes, SplunkWeb with sslVersions=tls1.2 works with Firefox49 when using a custom self-signed certificate with RSA2048 + SHA256 + extendedKeyUsage=serverAuth.

Firefox cipher selection is restrictive; many require an ECDSA certificate, see https://wiki.mozilla.org/Security/Server_Side_TLS. Using https://www.ssllabs.com/ssltest/viewMyClient.html against Firefox49, the client supported ciphers are,

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256        Forward Secrecy   128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256          Forward Secrecy   128
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256  Forward Secrecy   256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256    Forward Secrecy   256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384        Forward Secrecy   256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384          Forward Secrecy   256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA           Forward Secrecy   256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA           Forward Secrecy   128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA             Forward Secrecy   128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA             Forward Secrecy   256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA               Forward Secrecy   128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA               Forward Secrecy   256
TLS_RSA_WITH_AES_128_CBC_SHA                                     128
TLS_RSA_WITH_AES_256_CBC_SHA                                     256
TLS_RSA_WITH_3DES_EDE_CBC_SHA                                    112

Using TestSSLServer4 (http://www.bolet.org/TestSSLServer/) against SplunkWeb,

(key: RSA)  RSA_WITH_3DES_EDE_CBC_SHA
(key: RSA)  RSA_WITH_AES_128_CBC_SHA
(key: RSA)  RSA_WITH_AES_256_CBC_SHA
(key: RSA)  RSA_WITH_AES_128_CBC_SHA256
(key: RSA)  RSA_WITH_AES_256_CBC_SHA256
(key: RSA)  RSA_WITH_CAMELLIA_128_CBC_SHA
(key: RSA)  RSA_WITH_CAMELLIA_256_CBC_SHA
(key: RSA)  RSA_WITH_AES_128_GCM_SHA256
(key: RSA)  RSA_WITH_AES_256_GCM_SHA384

The only compatible ciphers are,
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

If you also want Forward Secrecy then install an ECDSA certificate with say curve prime256v1 (P-256). Add to web.conf ecdhCurves=prime256v1. Re-running TestSSLServer4 against SplunkWeb,

 (key:   EC)  ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
 (key:   EC)  ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 (key:   EC)  ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 (key:   EC)  ECDH_RSA_WITH_3DES_EDE_CBC_SHA
 (key:   EC)  ECDH_RSA_WITH_AES_128_CBC_SHA
 (key:   EC)  ECDH_RSA_WITH_AES_256_CBC_SHA
 (key: none)  ECDH_anon_WITH_3DES_EDE_CBC_SHA
 (key: none)  ECDH_anon_WITH_AES_128_CBC_SHA
 (key: none)  ECDH_anon_WITH_AES_256_CBC_SHA
 (key:   EC)  ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
 (key:   EC)  ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
 (key:   EC)  ECDH_RSA_WITH_AES_128_CBC_SHA256
 (key:   EC)  ECDH_RSA_WITH_AES_256_CBC_SHA384
 (key:   EC)  ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 (key:   EC)  ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 (key:   EC)  ECDH_RSA_WITH_AES_128_GCM_SHA256
 (key:   EC)  ECDH_RSA_WITH_AES_256_GCM_SHA384

In my installation I have then restricted SplunkWeb ciphers to the ones supported by Firefox49,

cipherSuite=ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384

Note: I have only tested Firefox compatibility, make your own tests for Chrome, IE etc. Compatible ciphers will likely change with different versions of Firefox and OpenSSL (Splunk 6.5.0 is openssl-1.0.2h-fips) therefore cipherSuite may need to be adjusted over time.

HTH
Andrew

0 Karma
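
Added example, not part of the original posts: the overlap check from the answer above as a small script. It parses the two TestSSLServer listings and intersects each with the Firefox 49 list in Firefox's preference order; an empty result is the condition Firefox reports as SSL_ERROR_NO_CYPHER_OVERLAP. The suite data is copied from the answer (several entries per line to save space); the function and variable names are assumptions of this example.

```python
import re

# Firefox 49 suites in client preference order (SSL Labs client listing quoted above).
FIREFOX49 = """
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
""".split()
# TestSSLServer output against SplunkWeb with the RSA certificate (from the answer).
SCAN_RSA_CERT = """
(key: RSA) RSA_WITH_3DES_EDE_CBC_SHA      (key: RSA) RSA_WITH_AES_128_CBC_SHA
(key: RSA) RSA_WITH_AES_256_CBC_SHA       (key: RSA) RSA_WITH_AES_128_CBC_SHA256
(key: RSA) RSA_WITH_AES_256_CBC_SHA256    (key: RSA) RSA_WITH_CAMELLIA_128_CBC_SHA
(key: RSA) RSA_WITH_CAMELLIA_256_CBC_SHA  (key: RSA) RSA_WITH_AES_128_GCM_SHA256
(key: RSA) RSA_WITH_AES_256_GCM_SHA384
"""
# TestSSLServer output after installing the ECDSA certificate (from the answer).
SCAN_ECDSA_CERT = """
(key: EC) ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA   (key: EC) ECDHE_ECDSA_WITH_AES_128_CBC_SHA
(key: EC) ECDHE_ECDSA_WITH_AES_256_CBC_SHA    (key: EC) ECDH_RSA_WITH_3DES_EDE_CBC_SHA
(key: EC) ECDH_RSA_WITH_AES_128_CBC_SHA       (key: EC) ECDH_RSA_WITH_AES_256_CBC_SHA
(key: none) ECDH_anon_WITH_3DES_EDE_CBC_SHA   (key: none) ECDH_anon_WITH_AES_128_CBC_SHA
(key: none) ECDH_anon_WITH_AES_256_CBC_SHA    (key: EC) ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
(key: EC) ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (key: EC) ECDH_RSA_WITH_AES_128_CBC_SHA256
(key: EC) ECDH_RSA_WITH_AES_256_CBC_SHA384    (key: EC) ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
(key: EC) ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (key: EC) ECDH_RSA_WITH_AES_128_GCM_SHA256
(key: EC) ECDH_RSA_WITH_AES_256_GCM_SHA384
"""

def server_suites(scan):
    """Map suite name -> server key type from '(key: X) NAME' entries."""
    return {name: key for key, name in re.findall(r"\(key:\s*(\w+)\)\s+(\S+)", scan)}

def overlap(client, scan):
    """Shared suites in client order as (name, server key type, forward secrecy)."""
    server = server_suites(scan)
    names = [(s, s[len("TLS_"):]) for s in client]  # TestSSLServer omits the TLS_ prefix
    return [(s, server[n], n.startswith(("ECDHE_", "DHE_"))) for s, n in names if n in server]

if __name__ == "__main__":
    for label, scan in (("RSA cert", SCAN_RSA_CERT), ("ECDSA cert", SCAN_ECDSA_CERT)):
        print(label, overlap(FIREFOX49, scan))
```

To check another browser or Splunk version, replace the three listings with fresh output from the same two tools.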