https://community.splunk.com/t5/Security/streamfwd-SSL-decryption-error-DSSL-library-error-code-41/m-p/263355#M7209 <P>Hi @ekremikizoglu,</P> <P>This is a rather rare error - it basically indicates a symmetric decryption failure. Do you happen to know what TLS version/cipher suite is been negotiated? (you can use Stream to track it by capturing tcp traffic and enabling <CODE>ssl_cipher_name</CODE> and/or <CODE>ssl_cipher_id</CODE> fields)</P> Wed, 19 Oct 2016 02:29:15 GMT vshcherbakov_sp 2016-10-19T02:29:15Z https://community.splunk.com/t5/Security/streamfwd-SSL-decryption-error-DSSL-library-error-code-41/m-p/263354#M7208 <P>Hi, </P> <P>I am testing "App For Stream" App(6.6.1) to capture https traffics. I added pem file to keystore.db as descr. belowlink <BR /> <A href="http://docs.splunk.com/Documentation/StreamApp/6.6.1/DeployStreamApp/EnableSSLforStreamForwarder">http://docs.splunk.com/Documentation/StreamApp/6.6.1/DeployStreamApp/EnableSSLforStreamForwarder</A> </P> <P>But i am getting errors in streamfwd.log. (DSSL library error code -41) </P> <P>Error line: <BR /> 2016-10-17 17:37:02 WARN <A href="PacketProcessor.cpp:515">11592</A> stream.SnifferReactor - SSL decryption error (DSSL library error code -41) (ssl) [c=yyyyyyy:61914, s=xxxxxx:8282]</P> <P>Anyone can help me?</P> <P>Thanks</P> Tue, 18 Oct 2016 11:45:27 GMT https://community.splunk.com/t5/Security/streamfwd-SSL-decryption-error-DSSL-library-error-code-41/m-p/263354#M7208 ekremikizoglu 2016-10-18T11:45:27Z https://community.splunk.com/t5/Security/streamfwd-SSL-decryption-error-DSSL-library-error-code-41/m-p/263355#M7209 <P>Hi @ekremikizoglu,</P> <P>This is a rather rare error - it basically indicates a symmetric decryption failure. Do you happen to know what TLS version/cipher suite is been negotiated? (you can use Stream to track it by capturing tcp traffic and enabling <CODE>ssl_cipher_name</CODE> and/or <CODE>ssl_cipher_id</CODE> fields)</P> Wed, 19 Oct 2016 02:29:15 GMT https://community.splunk.com/t5/Security/streamfwd-SSL-decryption-error-DSSL-library-error-code-41/m-p/263355#M7209 vshcherbakov_sp 2016-10-19T02:29:15Z https://community.splunk.com/t5/Security/streamfwd-SSL-decryption-error-DSSL-library-error-code-41/m-p/263356#M7210 <P>Hi,</P> <P>I generated this certificate on iis server ,Self signed TLS1.2 RSA AES_256_GCM, for testing decription feature of stream app. I published website and enable ssl communication. Then i installed splunk to capture https traffic. But i got the error. </P> Tue, 29 Sep 2020 11:36:23 GMT https://community.splunk.com/t5/Security/streamfwd-SSL-decryption-error-DSSL-library-error-code-41/m-p/263356#M7210 ekremikizoglu 2020-09-29T11:36:23Z https://community.splunk.com/t5/Security/streamfwd-SSL-decryption-error-DSSL-library-error-code-41/m-p/263357#M7211 <P>Hi,</P> <P>The issue appears to be caused by the Extended Master Secret Key extension (<A href="https://tools.ietf.org/html/rfc7627">https://tools.ietf.org/html/rfc7627</A>) being negotiated between the client and the server. Stream currently doesn't support this extension, so the workaround would be to turn it off on the server side.</P> <P>Thanks.</P> Tue, 29 Nov 2016 08:27:56 GMT https://community.splunk.com/t5/Security/streamfwd-SSL-decryption-error-DSSL-library-error-code-41/m-p/263357#M7211 ekremikizoglu 2016-11-29T08:27:56Z