Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- SA-ldapsearch error SSL configuration issue: sslVe...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SA-ldapsearch error SSL configuration issue: sslVersions=""['tls1.2']"" is an invalid combination
This is the only error that I get, no further information, and so far i haven't been able to run the python from the cli to see if I can get any more information. I have pinned splunkweb to TLS1.2 for quite a while, have had no other issues. My ldap authentication for splunkweb is functioning fine. I don't see this error on answers, and I am confused.
I had suspected that this was a Cert issue, but after doing a lot of checking, I believe it is an issue with the SA-ldapsearch configs.
It appears that even though server.conf understands "tls1.2" as an sslVersion= value for the sslConfig stanza, SA-ldapsearch does NOT. I changed, in $SPLUNK_HOME/etc/apps/SA-ldapsearch/local/ssl.conf to have:
[sslConfig]
sslVersions=tls
and everthing is working. I would like to request an enhancement to SA-ldapsearch such that it understands the sslVersion string of tls1.2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you edit SA-ldapsearch/bin/packages/app/configuration.py you can fix the error:
Lines 291-292:
291 elif not protocol_set.symmetric_difference(('tls1.0',)):
292 version = ssl.PROTOCOL_TLSv1
append the following (do not include the line numbers):
293 elif not protocol_set.symmetric_difference(('tls1.2',)):
294 version = ssl.PROTOCOL_TLSv1
For completeness you might want to add a test for tls1.1, this doesn't apply in my case.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you edit SA-ldapsearch/bin/packages/app/configuration.py you can fix the error:
Lines 291-292:
291 elif not protocol_set.symmetric_difference(('tls1.0',)):
292 version = ssl.PROTOCOL_TLSv1
append the following (do not include the line numbers):
293 elif not protocol_set.symmetric_difference(('tls1.2',)):
294 version = ssl.PROTOCOL_TLSv1
For completeness you might want to add a test for tls1.1, this doesn't apply in my case.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot for that tip, James. I will deploy and verify that gets rid of the error I was having.
Aligning Observability Costs with Business Value: Practical Strategies
Mastering Data Pipelines: Unlocking Value with Splunk
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
