Yes, SplunkWeb with sslVersions=tls1.2 works with Firefox49 when using a custom self signed certificate with RSA2048 + SHA256 + extendedKeyUsage=serverAuth.
Firefox cipher selection is restrictive, many require ECDSA certificate, see https://wiki.mozilla.org/Security/Server_Side_TLS. Using https://www.ssllabs.com/ssltest/viewMyClient.html against Firefox49, the client supported ciphers are,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 Forward Secrecy 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Forward Secrecy 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA Forward Secrecy 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA Forward Secrecy 256
TLS_RSA_WITH_AES_128_CBC_SHA 128
TLS_RSA_WITH_AES_256_CBC_SHA 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA 112
Using TestSSLServer4 (http://www.bolet.org/TestSSLServer/) against SplunkWeb,
(key: RSA) RSA_WITH_3DES_EDE_CBC_SHA
(key: RSA) RSA_WITH_AES_128_CBC_SHA
(key: RSA) RSA_WITH_AES_256_CBC_SHA
(key: RSA) RSA_WITH_AES_128_CBC_SHA256
(key: RSA) RSA_WITH_AES_256_CBC_SHA256
(key: RSA) RSA_WITH_CAMELLIA_128_CBC_SHA
(key: RSA) RSA_WITH_CAMELLIA_256_CBC_SHA
(key: RSA) RSA_WITH_AES_128_GCM_SHA256
(key: RSA) RSA_WITH_AES_256_GCM_SHA384
The only compatible ciphers are,
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
If you also want Forward Secrecy then install an ECDSA certificate with say curve prime256v1 (P-256). Add to web.conf ecdhCurves=prime256v1. Re-running TestSSLServer4 against SplunkWeb,
(key: EC) ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
(key: EC) ECDHE_ECDSA_WITH_AES_128_CBC_SHA
(key: EC) ECDHE_ECDSA_WITH_AES_256_CBC_SHA
(key: EC) ECDH_RSA_WITH_3DES_EDE_CBC_SHA
(key: EC) ECDH_RSA_WITH_AES_128_CBC_SHA
(key: EC) ECDH_RSA_WITH_AES_256_CBC_SHA
(key: none) ECDH_anon_WITH_3DES_EDE_CBC_SHA
(key: none) ECDH_anon_WITH_AES_128_CBC_SHA
(key: none) ECDH_anon_WITH_AES_256_CBC_SHA
(key: EC) ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
(key: EC) ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
(key: EC) ECDH_RSA_WITH_AES_128_CBC_SHA256
(key: EC) ECDH_RSA_WITH_AES_256_CBC_SHA384
(key: EC) ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
(key: EC) ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
(key: EC) ECDH_RSA_WITH_AES_128_GCM_SHA256
(key: EC) ECDH_RSA_WITH_AES_256_GCM_SHA384
In my installation I have then restricted SplunkWeb ciphers to the ones supported by Firefox49,
cipherSuite=ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384
Note: I have only tested Firefox compatibility, make your own tests for Chrome, IE etc. Compatible ciphers will likely change with different versions of Firefox and OpenSSL (Splunk 6.5.0 is openssl-1.0.2h-fips) therefore cipherSuite may need to be adjusted over time.
HTH
Andrew
... View more