All Apps and Add-ons

Splunk stream for HTTPS on IIS - cannot decrypt ephemeral session

Contributor

We are trying to use Splunk stream on a webserver with IIS, using https based site.

Web server is listening on port 8443. DiffieHelman is disabled on that IIS server.

We ran the following:

  1. Install universal forwarder on IIS server
  2. Install Splunk_Stream_TA on the uf
  3. Install the private key on streamfwd
  4. Configure from Stream UI on the search head to capture the following:

HTTP src_port 8443 OR dest_port 8443
TCP src_port 8443 OR dest_port 8443

  1. Restart splunkfwd

As a results we do not get HTTP events, just TCP events with unreadable content.
We also see in streamfwd.log the following:

stream.SSL - SSL decryption error (cannot decrypt ephemeral session)
stream.packetProcessor - SSL record decryption error (corrupted data?) (ssl) [c=10.0.0.1:45674,s=10.0.0.2:8443]

To investiage and eliminiate networking and promiscous mode issues. we used the openssl guide to simulate the same scenario without IIS:
https://superhero.ninja/2015/07/22/create-a-simple-https-server-with-openssl-s_server/

Using openssl as a webserver on the same UF, Stream was able to successfuly decrypt the data.
We received both TCP and HTTP events.

Any idea what could be the issue?

Tags (2)
0 Karma