All Apps and Add-ons

SSL: Why am I getting the following error after upgrading Splunk to version 7.2?

Hi,

I started to get the error below after my Splunk was updated:

HttpListener - Socket error from 127.0.0.1 while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

I thought was some 'garbage' from previous version, but even after running a fresh install, the logs still show the same problem. I found this error while troubleshooting an issue with Splunk Kafka connector which is no longer sending messages to Splunk.

I'm using this instance of Splunk for learning purposes. I upgraded from 6.5 to 7.0. Then a fresh installation was done using 7.2 with same issues.

To provide a more complete picture:
- Splunk was not initially set with SSL
- I was troubleshooting why my Kafka connect was having errors sending data to Splunk
- I noticed a few lines with the above message in the splunkd.log
- I had a Splunk forwarder working before but it was disabled 2 months ago, so it's clear some components talk to themselves using SSL even with the option disabled
- When I set Splunk to use SSL, instead of few messages on the log now I have hundreds of this message per minute
- Thanks for the link provided. With the changes suggested now i'm getting non-stop the following message:

HttpListener - Socket error from 127.0.0.1 while idling: error:1407609C:SSL routines:SSL23GETCLIENT_HELLO:http request

My concern is to understand which components are trying to talk using SSL so I can better isolate the issue. The information on the logs so far are not enough for me to have a clearer picture.

Saw a couple of discussions with similar error but couldn't find anything that could solve my problem.

Thanks.

SplunkTrust
SplunkTrust

@mauriciothomsen,
Which version you upgraded to ? There were few compatibility issues due to change in cipher suite and SSL versions. Have a look at this know issues and see if it helps
http://docs.splunk.com/Documentation/Splunk/6.6.0/ReleaseNotes/KnownIssues

0 Karma

Path Finder

@renjith.nair, We are having the same problem and getting the same HttpListener error message as above.

We are on 7.1.2, I am trying to secure my Splunk Web using 3rd party certificate. Enabled SSL, privKeyPath and serverCert in web.conf as suggested in docs.

I see this error as well : "[initandlisten] ** WARNING: No SSL certificate validation can be performed since no CA file has been provided "

Do I need to provide caCertPath in server.conf to avoid this error?

Thanks,
Sandeep

0 Karma

I'm using this instance of Splunk for learning purposes. I upgraded from 6.5 to 7.0. Then a fresh installation was done using 7.2 with same issues.

To provide a more complete picture:
- Splunk was not initially set with SSL
- I was troubleshooting why my kafka connect was having errors sending data to Splunk
- I noticed a few lines with the above message in the splunkd.log
- I had a Splunk forwarder working before but it was disabled 2 months ago, so it's clear some components talk to themselves using SSL even with the option disabled
- When I set Splunk to use SSL, instead of few messages on the log now I have hundreds of this message per minute
- Thanks for the link provided. With the changes suggested now i'm getting non-stop the following message:

HttpListener - Socket error from 127.0.0.1 while idling: error:1407609C:SSL routines:SSL23GETCLIENT_HELLO:http request

My concern is to understand which components are trying to talk using SSL so I can better isolate the issue. The information on the logs so far are not enough for me to have a clearer picture.

0 Karma

Splunk Employee
Splunk Employee

Hi @mauriciothomsen,

I added this comment to your above question, which will make it more visible to our community. Thanks for posting!

0 Karma