topic Re: How to configure SSL/TLS for forwarding in Installation

How to configure SSL/TLS for forwarding

Haleb — Wed, 22 May 2024 11:55:48 GMT

I tried to configure SSL/TSL connection between Forwarder and Indexer.

On forwarder /opt/splunkforwarder/etc/system/local/output.conf:

[tcpout] defaultGroup = default-autolb-group [tcpout:default-autolb-group] disabled = false server = my.domain.com:9998 disabled = 0 clientCert = /opt/splunk/etc/auth/mycerts/client.pem useClientSSLCompression = true [tcpout-server://my.domain.com:9998]

Certificate has been created by Certbot and prepared according to the instructions. Works well for Splunk Web and I believe it works here too.
On indexer /opt/splunk/etc/system/local/inputs.conf

[splunktcp-ssl:9998] disabled=0 [SSL] serverCert = /opt/splunk/etc/auth/mycerts/test_full.pem

test_full.pem - prepared certificate from Certbot.
If I use forwarder without certificates everything works fine so there is no connection errors.
Output of splunk list forward-server

Configured but inactive forwards: my.domain.com:9998

From /var/log/splunk/splunkd.log I can see the following error:

05-22-2024 11:51:03.823 +0000 ERROR TcpOutputFd [29087 TcpOutEloop] - Read error. Connection reset by peer 05-22-2024 11:51:03.823 +0000 WARN AutoLoadBalancedConnectionStrategy [29087 TcpOutEloop] - Applying quarantine to ip=99.99.99.99 port=9998 connid=2 _numberOfFailures=2

Could you please help me debug the problem?

Re: How to configure SSL/TLS for forwarding

gcusello — Wed, 22 May 2024 12:35:25 GMT

Hi @Haleb,

did you followed all the instructions at https://docs.splunk.com/Documentation/Splunk/9.2.1/Security/ConfigureSplunkforwardingtousesignedcertificates#:~:text=You%20can%20use%20transport%20layer,create%20and%20sign%20them%20yourself. ?

Ciao.

Giuseppe

Re: How to configure SSL/TLS for forwarding

Haleb — Wed, 22 May 2024 12:37:17 GMT

Hi, @gcusello
Yes, i did

Re: How to configure SSL/TLS for forwarding

gcusello — Wed, 22 May 2024 12:41:28 GMT

Hi @Haleb ,

it seems to be different that your: some options are missed.

Ciao.

Giuseppe

Re: How to configure SSL/TLS for forwarding

Haleb — Wed, 22 May 2024 12:47:19 GMT

@gcusello
As i can see some of them are optional

Re: How to configure SSL/TLS for forwarding

gcusello — Wed, 22 May 2024 13:01:45 GMT

Hi @Haleb,

not all of them, e.g. password that must be the same both on Indexers and on Forwarders.

Follow the configuration in the url.

Ciao.

Giuseppe

Re: How to configure SSL/TLS for forwarding

Haleb — Wed, 22 May 2024 13:12:13 GMT

Can clearify about what password are you talking about? Link that you send to me have only sslPassword field that should be used only if i use password for my certificate.

Re: How to configure SSL/TLS for forwarding

gcusello — Wed, 22 May 2024 13:13:20 GMT

Hi @Haleb,

exactly: use password for your certificate!

Ciao.

Giuseppe

Re: How to configure SSL/TLS for forwarding

Haleb — Thu, 23 May 2024 08:43:05 GMT

I tried to create a new certificate with password and still have the same error as previous:

Error encountered for connection from src=111.111.111.111:44922. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol