How to resolve SSL error with tcp-ssl input?

roberteves — Wed, 11 Jan 2023 16:10:27 GMT

I have a Splunk server which is receiving data on a tcp-ssl port successfully for a particular application (SecureCircle). I'm trying to set up a new port to receive data from Palo Alto firewalls but it's running into an the following error:

WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client key exchange A', alert_description='certificate unknown'

I'm using the same certificate an SSL configuration for both ports so I know that the cert is fine. It's not a self singed cert. It's valid until 2022.

I've been looking through some old posts with similar errors but none of them seemed to match my issue. Below is my Port and SSL configuration from the btool inputs command

/opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf [SSL] /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunk/etc/system/default/inputs.conf allowSslRenegotiation = true /opt/splunk/etc/system/default/inputs.conf cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 /opt/splunk/etc/system/default/inputs.conf ecdhCurves = prime256v1, secp384r1, secp521r1 /opt/splunk/etc/system/local/inputs.conf host = splunkhost.mydomain.com /opt/splunk/etc/system/default/inputs.conf index = default /opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf requireClientCert = false /opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf serverCert = /opt/splunk/etc/auth/splunkhost.mydomain.com/splunkhost.mydomain.com.pem /opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf sslPassword = [Redacted] /opt/splunk/etc/system/default/inputs.conf sslQuietShutdown = false /opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf sslVersions = tls1.2

/opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf [tcp-ssl://6514] /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf host = splunkhost.mydomain.com /opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf index = pan_logs /opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf sourcetype = pan:log

The configuration for the working port is:

/opt/splunk/etc/apps/ahs_ta_securecircle/local/inputs.conf [tcp-ssl://8443] /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunk/etc/system/local/inputs.conf host = splunkhost.mydomain.com /opt/splunk/etc/apps/ahs_ta_securecircle/local/inputs.conf index = dlp /opt/splunk/etc/apps/ahs_ta_securecircle/local/inputs.conf sourcetype = SecureCircle

Re: SSL error with tcp-ssl input

FlorianScho — Wed, 11 Jan 2023 08:31:39 GMT

Hi,

having the exact same issue. Were you able to fix it?

Re: SSL error with tcp-ssl input

kdulle — Thu, 23 Mar 2023 19:22:26 GMT

Ditto here.

I hammered on it for about a day, and finally just went back to udp.

I may just have to configure a vpn tunnel to send it through as a work around, sad.

topic How to resolve SSL error with tcp-ssl input? in Getting Data In

How to resolve SSL error with tcp-ssl input?

Re: SSL error with tcp-ssl input

Re: SSL error with tcp-ssl input