All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

SA-ldapsearch error SSL configuration issue: sslVersions=""['tls1.2']"" is an invalid combination

jgoddard
Path Finder
‎09-11-2015 03:20 PM

This is the only error that I get, no further information, and so far i haven't been able to run the python from the cli to see if I can get any more information. I have pinned splunkweb to TLS1.2 for quite a while, have had no other issues. My ldap authentication for splunkweb is functioning fine. I don't see this error on answers, and I am confused.

I had suspected that this was a Cert issue, but after doing a lot of checking, I believe it is an issue with the SA-ldapsearch configs.

It appears that even though server.conf understands "tls1.2" as an sslVersion= value for the sslConfig stanza, SA-ldapsearch does NOT. I changed, in $SPLUNK_HOME/etc/apps/SA-ldapsearch/local/ssl.conf to have:
[sslConfig]
sslVersions=tls

and everthing is working. I would like to request an enhancement to SA-ldapsearch such that it understands the sslVersion string of tls1.2

Reply

jamesarmitage
Path Finder
‎11-30-2015 02:39 PM

If you edit SA-ldapsearch/bin/packages/app/configuration.py you can fix the error:

Lines 291-292:

 291         elif not protocol_set.symmetric_difference(('tls1.0',)):
 292             version = ssl.PROTOCOL_TLSv1

append the following (do not include the line numbers):

 293         elif not protocol_set.symmetric_difference(('tls1.2',)):
 294             version = ssl.PROTOCOL_TLSv1

For completeness you might want to add a test for tls1.1, this doesn't apply in my case.

Reply

jamesarmitage
Path Finder
‎09-17-2015 10:31 AM

If you edit SA-ldapsearch/bin/packages/app/configuration.py you can fix the error:

Lines 291-292:

291         elif not protocol_set.symmetric_difference(('tls1.0',)):
292             version = ssl.PROTOCOL_TLSv1

append the following (do not include the line numbers):

293         elif not protocol_set.symmetric_difference(('tls1.2',)):
294             version = ssl.PROTOCOL_TLSv1

For completeness you might want to add a test for tls1.1, this doesn't apply in my case.

Reply

jgoddard
Path Finder
‎09-17-2015 10:37 AM

Thanks a lot for that tip, James. I will deploy and verify that gets rid of the error I was having.

0 Karma
Reply
Get Updates on the Splunk Community!

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...