topic Re: Splunk serving wrong certificate on tcp-ssl input in Getting Data In

Splunk serving wrong certificate on tcp-ssl input

konstr — Mon, 01 Feb 2021 13:13:36 GMT

I am facing a weird issue at the moment where I want to set up multiple tcp-ssl inputs and have each input using a different certificate.

The reason for that is that our Heavy Forwarders will be receiving syslog inputs through two separate load-balancers which will not be performing certificate offloading.

My inputs.conf is as follows.

[tcp-ssl:10515] sourcetype = source1 index = index1 disabled = 0 serverCert = /path to servercert2 sslRootCAPath = /path to rootCA cert [tcp-ssl:10516] sourcetype = source2 index = index2 disabled = 0 [tcp-ssl:10517] sourcetype = source3 index = index3 disabled = 0 [SSL] requireClientCert= false serverCert = /path to servercert1 sslRootCAPath = /path to rootCA cert

Basically I am setting the main certificate that will be used in the [SSL] stanza and then I am overriding that specifically for the [tcp-ssl:10515] stanza. Passwords for both certificates are under the correct stanzas in the local directory. I've also tried to override the certificate in [tcp-ssl:10515] by adding the paths under the local directory but no luck.

No matter what I do Splunk is serving the certificate under the [SSL] stanza (which I have confirmed by capturing and inspecting the packets).

According to Splunk docs what I'm trying should be possible unless I'm misunderstanding something.

[tcp-ssl:<port>] * Use this stanza type if you are receiving encrypted, unparsed data from a forwarder or third-party system. * Set <port> to the port on which the forwarder/third-party system is sending unparsed, encrypted data. * To create multiple SSL inputs, you can add the following attributes to each [tcp-ssl:<port>] input stanza. If you do not configure a certificate in the port, the certificate information is pulled from the default [SSL] stanza: * serverCert = <path_to_cert> * sslRootCAPath = <path_to_cert> This attribute should only be added if you have not configured your sslRootPath in server.conf. * sslPassword = <password>

I've also tried to completely ignore the [SSL] stanza and just add the certificate paths under each input's stanza but I get an error that the inputs cannot start due to the [SSL] stanza not being defined.

Any ideas?

Re: Splunk serving wrong certificate on tcp-ssl input

konstr — Mon, 08 Feb 2021 12:26:44 GMT

I am still looking for an answer on this. Not sure why this is not working as stated in Splunk docs.

Re: Splunk serving wrong certificate on tcp-ssl input

BenjaminKTH — Fri, 19 Mar 2021 11:41:29 GMT

I facing the exact same problem...

Re: Splunk serving wrong certificate on tcp-ssl input

harsmarvania57 — Mon, 22 Mar 2021 12:54:36 GMT

As you mentioned that you tried to ignore [SSL] stanza, does that mean you removed that [SSL] stanza & it's configuration and configured SSL certificate under each tcp-ssl stanza ?

Re: Splunk serving wrong certificate on tcp-ssl input

konstr — Mon, 22 Mar 2021 12:56:59 GMT

Yes, I tried removing the [SSL] stanza completely and include all the information under each port's stanza. That didn't work either and I was getting errors that the [SSL] stanza is missing.

Re: Splunk serving wrong certificate on tcp-ssl input

harsmarvania57 — Mon, 22 Mar 2021 14:03:45 GMT

Replicated this issue, configured below settings and it is not working. I suggest you to raise case with Splunk Support.

In inputs.conf

[tcp-ssl:10515]
serverCert = $SPLUNK_HOME/etc/auth/my_certs/splunkso.pem

In server.conf

[sslConfig]

sslRootCAPath = $SPLUNK_HOME/etc/auth/my_certs/rootCA.pem

Re: Splunk serving wrong certificate on tcp-ssl input

harsmarvania57 — Fri, 16 Apr 2021 09:34:00 GMT

Looks like this issue is fixed in Splunk 8.0.9

2021-02-09 SPL-199494, SPL-198714 tcp-ssl input stanza individual ssl certificates not working as documented