Has anyone been able to get Splunk Web with TLS1.2 and Firefox?

huister
New Member

Has anyone been able to get Splunk Web to work with TLS1.2 AND Firefox?

I know the web.conf needs to have

enableSplunkWebSSL = true
sslVersions = tls1.2

and I need to remove the supportSSLV3Only flag

I am able to get it to work with Chrome and IE with either of these two cipherSuite values in web.conf, but NOT Firefox.

cipherSuite = TLSv1.2+HIGH

OR

cipherSuite = TLSv1.2:!eNULL:!aNULL

This Splunk blog post mentions the Firefox problem, but doesn't mention a fix:
http://blogs.splunk.com/2014/10/22/mitigating-the-poodle-attack-in-splunk/

The error I get in the Firefox browser is:

SSL_ERROR_NO_CYPHER_OVERLAP

kuja
Splunk Employee

Anyone able to confirm that this works? I have had trouble getting it to work.

andrewpeek
New Member

Yes, SplunkWeb with sslVersions=tls1.2 works with Firefox 49 when using a custom self-signed certificate with RSA 2048 + SHA-256 + extendedKeyUsage=serverAuth.

Firefox cipher selection is restrictive; many suites require an ECDSA certificate, see https://wiki.mozilla.org/Security/Server_Side_TLS. Using https://www.ssllabs.com/ssltest/viewMyClient.html against Firefox 49, the client-supported ciphers are:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256        Forward Secrecy   128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256          Forward Secrecy   128
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256  Forward Secrecy   256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256    Forward Secrecy   256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384        Forward Secrecy   256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384          Forward Secrecy   256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA           Forward Secrecy   256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA           Forward Secrecy   128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA             Forward Secrecy   128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA             Forward Secrecy   256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA               Forward Secrecy   128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA               Forward Secrecy   256
TLS_RSA_WITH_AES_128_CBC_SHA                                     128
TLS_RSA_WITH_AES_256_CBC_SHA                                     256
TLS_RSA_WITH_3DES_EDE_CBC_SHA                                    112

Using TestSSLServer4 (http://www.bolet.org/TestSSLServer/) against SplunkWeb:

(key: RSA)  RSA_WITH_3DES_EDE_CBC_SHA
(key: RSA)  RSA_WITH_AES_128_CBC_SHA
(key: RSA)  RSA_WITH_AES_256_CBC_SHA
(key: RSA)  RSA_WITH_AES_128_CBC_SHA256
(key: RSA)  RSA_WITH_AES_256_CBC_SHA256
(key: RSA)  RSA_WITH_CAMELLIA_128_CBC_SHA
(key: RSA)  RSA_WITH_CAMELLIA_256_CBC_SHA
(key: RSA)  RSA_WITH_AES_128_GCM_SHA256
(key: RSA)  RSA_WITH_AES_256_GCM_SHA384

The only compatible ciphers are:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

If you also want forward secrecy, then install an ECDSA certificate with, say, curve prime256v1 (P-256) and add ecdhCurves=prime256v1 to web.conf. Re-running TestSSLServer4 against SplunkWeb:

 (key:   EC)  ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
 (key:   EC)  ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 (key:   EC)  ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 (key:   EC)  ECDH_RSA_WITH_3DES_EDE_CBC_SHA
 (key:   EC)  ECDH_RSA_WITH_AES_128_CBC_SHA
 (key:   EC)  ECDH_RSA_WITH_AES_256_CBC_SHA
 (key: none)  ECDH_anon_WITH_3DES_EDE_CBC_SHA
 (key: none)  ECDH_anon_WITH_AES_128_CBC_SHA
 (key: none)  ECDH_anon_WITH_AES_256_CBC_SHA
 (key:   EC)  ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
 (key:   EC)  ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
 (key:   EC)  ECDH_RSA_WITH_AES_128_CBC_SHA256
 (key:   EC)  ECDH_RSA_WITH_AES_256_CBC_SHA384
 (key:   EC)  ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 (key:   EC)  ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 (key:   EC)  ECDH_RSA_WITH_AES_128_GCM_SHA256
 (key:   EC)  ECDH_RSA_WITH_AES_256_GCM_SHA384

In my installation I have then restricted the SplunkWeb ciphers to the ones supported by Firefox 49:

cipherSuite=ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384

Note: I have only tested Firefox compatibility; make your own tests for Chrome, IE etc. Compatible ciphers will likely change with different versions of Firefox and OpenSSL (Splunk 6.5.0 ships openssl-1.0.2h-fips), so cipherSuite may need to be adjusted over time.

HTH
Andrew

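The overlap check Andrew did by hand, as an added example (not code from the post or from Splunk): it parses the two TestSSLServer listings quoted above, intersects each with the Firefox 49 offer while keeping the browser's preference order, and renders the result as the OpenSSL-style names that web.conf's cipherSuite setting expects. The suite lists are constructed from the post; the IANA-to-OpenSSL renaming is an assumption that covers only the suite families appearing in those lists. An empty intersection is exactly the condition behind SSL_ERROR_NO_CYPHER_OVERLAP.

```python
"""Cipher-overlap check for SSL_ERROR_NO_CYPHER_OVERLAP (added example, not Splunk code)."""
import re

# Constructed sample data, copied from the lists quoted in the thread.
# Firefox 49 offer, in the client's preference order (SSL Labs client test).
FIREFOX49 = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# TestSSLServer4 listings for Splunk Web, RSA certificate and EC certificate.
SPLUNK_RSA_SCAN = """
(key: RSA)  RSA_WITH_3DES_EDE_CBC_SHA
(key: RSA)  RSA_WITH_AES_128_CBC_SHA
(key: RSA)  RSA_WITH_AES_256_CBC_SHA
(key: RSA)  RSA_WITH_AES_128_CBC_SHA256
(key: RSA)  RSA_WITH_AES_256_CBC_SHA256
(key: RSA)  RSA_WITH_CAMELLIA_128_CBC_SHA
(key: RSA)  RSA_WITH_CAMELLIA_256_CBC_SHA
(key: RSA)  RSA_WITH_AES_128_GCM_SHA256
(key: RSA)  RSA_WITH_AES_256_GCM_SHA384
"""
SPLUNK_EC_SCAN = """
 (key:   EC)  ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
 (key:   EC)  ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 (key:   EC)  ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 (key:   EC)  ECDH_RSA_WITH_3DES_EDE_CBC_SHA
 (key:   EC)  ECDH_RSA_WITH_AES_128_CBC_SHA
 (key:   EC)  ECDH_RSA_WITH_AES_256_CBC_SHA
 (key: none)  ECDH_anon_WITH_3DES_EDE_CBC_SHA
 (key: none)  ECDH_anon_WITH_AES_128_CBC_SHA
 (key: none)  ECDH_anon_WITH_AES_256_CBC_SHA
 (key:   EC)  ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
 (key:   EC)  ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
 (key:   EC)  ECDH_RSA_WITH_AES_128_CBC_SHA256
 (key:   EC)  ECDH_RSA_WITH_AES_256_CBC_SHA384
 (key:   EC)  ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 (key:   EC)  ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 (key:   EC)  ECDH_RSA_WITH_AES_128_GCM_SHA256
 (key:   EC)  ECDH_RSA_WITH_AES_256_GCM_SHA384
"""

# "(key:   EC)  ECDH_anon_WITH_..." -> key type, suite name (suite may contain lowercase "anon")
SCAN_LINE = re.compile(r"\(key:\s*(\w+)\)\s+([A-Za-z0-9_]+)")


def parse_scan(text):
    """Suites from a TestSSLServer listing, normalised to IANA spelling (TLS_ prefix)."""
    return ["TLS_" + m.group(2) for m in SCAN_LINE.finditer(text)]


def forward_secret(iana):
    # Ephemeral (EC)DH gives forward secrecy; static RSA key transport and ECDH_RSA do not.
    return iana.startswith(("TLS_ECDHE_", "TLS_DHE_"))


def anonymous(iana):
    # *_anon_* suites authenticate no one, so a man-in-the-middle can terminate them.
    return "_anon_" in iana


# Key-exchange prefixes that OpenSSL spells differently from IANA (assumed mapping).
KX_NAMES = {"RSA": None, "ECDH_anon": "AECDH", "DH_anon": "ADH"}
CIPHER_RE = re.compile(r"^(AES|CAMELLIA)_(\d+)_(CBC|GCM)_(SHA\d*)$")


def iana_to_openssl(iana):
    """Translate an IANA suite name into the OpenSSL name that web.conf cipherSuite uses."""
    kx, bulk = iana[len("TLS_"):].split("_WITH_", 1)
    prefix = KX_NAMES.get(kx, kx.replace("_", "-"))  # plain RSA suites carry no prefix
    if bulk.startswith("3DES_EDE_CBC_"):
        parts = ["DES-CBC3", bulk[len("3DES_EDE_CBC_"):]]
    elif bulk.startswith("CHACHA20_POLY1305"):
        parts = ["CHACHA20-POLY1305"]  # OpenSSL omits the implicit SHA256 PRF suffix
    else:
        m = CIPHER_RE.match(bulk)
        if not m:
            raise ValueError("no OpenSSL mapping for " + iana)
        alg, bits, mode, mac = m.groups()
        parts = [alg + bits] + (["GCM"] if mode == "GCM" else []) + [mac]  # CBC is implicit
    return "-".join(([prefix] if prefix else []) + parts)


def overlap(client, server, require_fs=False):
    """Suites both sides accept, in the client's preference order; anonymous suites never count."""
    offered = set(server)
    return [s for s in client
            if s in offered and not anonymous(s) and (forward_secret(s) or not require_fs)]


def web_conf_cipher_suite(suites):
    """Render the web.conf setting for an agreed suite list; empty means no-overlap."""
    if not suites:
        raise ValueError("no overlap: the browser would report SSL_ERROR_NO_CYPHER_OVERLAP")
    return "cipherSuite = " + ":".join(iana_to_openssl(s) for s in suites)


if __name__ == "__main__":
    for label, scan in (("RSA certificate", SPLUNK_RSA_SCAN), ("EC certificate", SPLUNK_EC_SCAN)):
        server = parse_scan(scan)
        agreed = overlap(FIREFOX49, server)
        print(label, "- overlap with Firefox 49:", agreed)
        print("  forward-secret only:", overlap(FIREFOX49, server, require_fs=True))
        print("  unauthenticated suites the server still offers:", [s for s in server if anonymous(s)])
        print(" ", web_conf_cipher_suite(agreed))
```

With the RSA certificate the intersection is the three static-RSA suites the post names, none of them forward secret; with the EC certificate the intersection of the two quoted lists, in Firefox's order, is the two ECDHE-ECDSA GCM suites followed by the two CBC-SHA ones, and the anonymous ECDH suites the scanner reports are dropped because they authenticate neither side. Before pasting a generated string into web.conf, confirm the local OpenSSL recognises every name with `openssl ciphers -v '<string>'`, and re-run this check with fresh listings after a Firefox or Splunk (OpenSSL) upgrade.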