topic Re: SSL Configuration Error in Splunk Enterprise

SSL Configuration Error

BRFZ — Thu, 09 Jan 2025 10:39:27 GMT

Hello SplunkCommunity,

After configuring SSL, when I execute the following command:

openssl s_client -showcerts -connect host:port

I am encountering the following error:

803BEC33F07F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:317:

Could anyone help me understand why I am seeing this error and assist me in resolving it?

Thank you in advance for your help.

Best regards,

Re: SSL Configuration Error

isoutamo — Thu, 09 Jan 2025 15:07:52 GMT

Have you try it with Splunk's openssl or OS's openssl?

You could/should try it with

splunk cmd openssl s_client -showcerts -connect host:port

Re: SSL Configuration Error

BRFZ — Thu, 09 Jan 2025 15:50:35 GMT

Hello,

In the first one I tested the OS's OpenSSL and with the command you mentioned, I get the following response: read:errno=0.

Re: SSL Configuration Error

isoutamo — Thu, 09 Jan 2025 20:07:35 GMT

Quite often OS openssl didn't work correctly as there could be some version conflicts and missing libraries etc. if your PATH and LD_LIBRARY_PATH is incorrectly set. For that reason I always use Splunk's openssl version.

Basically that means that you can read it, but for some reason it cannot get any real answer. Just read and response is OK (errno=0).

You could also try curl -vk https://host:port to try if this get more information?

I think that you have some issues with your TLS settings on your configuration.

Could you tell exactly what you have tied to achieve and what you have done?
Add also all those *.conf files inside </> blocks with masked **** passwords etc.

Have you look this instructions: https://conf.splunk.com/files/2023/slides/SEC1936B.pdf this presentation is excellent bootcamp for use TLS with Splunk.

Re: SSL Configuration Error

PickleRick — Thu, 09 Jan 2025 21:07:16 GMT

It looks as if the other end doesn't speak TLS.

Re: SSL Configuration Error

BRFZ — Fri, 10 Jan 2025 10:49:39 GMT

Hello,

I ran the following command: curl -vk https://host:port
and received this :

*   Trying host:port...
* Connected to host (host) port port (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=*.example.com
* start date: Feb 19 15:15:40 2024 GMT
* expire date: Jan 19 14:02:43 2025 GMT
* issuer: C=*; ST=*; L=*; O=SSL Corporation; CN=
* SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/1.1
> Host: host:port
> User-Agent: curl/7.81.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sun, 6 Jan 2025 08:30:21 GMT
< Content-Type: text/xml; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 1994
< Connection: Keep-Alive
< X-Frame-Options: SAMEORIGIN
< Server: Splunkd
<
* TLSv1.2 (IN), TLS header, Supplemental data (23):
<?xml version="1.0" encoding="UTF-8"?>

<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>

<title>splunkd</title>

<updated>2025-01-06T09:30:21+01:00</updated>
<generator build="d8bb32809498" version="9.3.2"/>
<author>
    <name>Splunk</name>
</author>
<entry>
    <title>services</title>

    <updated>1970-01-01T01:00:00+01:00</updated>
    <link href="/services" rel="alternate"/>
</entry>
<entry>
    <title>servicesNS</title>

    <updated>1970-01-01T01:00:00+01:00</updated>
    <link href="/servicesNS" rel="alternate"/>
</entry>
<entry>
    <title>static</title>

    <updated>1970-01-01T01:00:00+01:00</updated>
    <link href="/static" rel="alternate"/>
</entry>
</feed>
* Connection #0 to host host left intact

For security reasons some fields have been removed/changed.

Re: SSL Configuration Error

isoutamo — Fri, 10 Jan 2025 11:24:30 GMT

How about those configuration files?
This was connection to management port like 8089?
Are you trying to use self signed certificates for all needed ports (web, mgmt, s2s etc.)?

Re: SSL Configuration Error

BRFZ — Tue, 21 Jan 2025 15:01:26 GMT

Hello,

The configuration files contain the following:

[sslConfig] enableSplunkdSSL = true sslPassword = value sslRootCAPath = /path/to/ca/cert serverCert = /path/to/srv/cert caTrustStore = splunk caTrustStorePath = path/to/trust/ca caPath = path/to/trust/c caCertFile = path/to./ca

Yes, the connection was to the management port.

The self-signed certificate was only for the web interface (and I have no issues regarding that).

However, the problem lies between the components of the architecture.

Re: SSL Configuration Error

PickleRick — Tue, 21 Jan 2025 13:23:17 GMT

Check the logs on the receiving end (the server you're connecting to). You can dump the traffic and check if the TLS negotiation is happening properly but I suspect it does up to a point when you're getting refused by the receiving end. But the question is why and that should be in your splunkd.log.