Hi Splunkers,
My indexers are running Splunk Enterprise v6.5.3. I recently upgraded a "test" Universal Forwarder in my environment to v6.6.5, and I'm no longer getting logs going to my indexers from this "test" UF after the upgrade.
I'm seeing a bunch of these errors before the logs stopped: WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server hello A', alert_description='handshake failure'.
Is this an SSL or cipherSuite incompatibility issue between the two different versions of Splunk? Is there a workaround to get the test forwarder sending logs again, or do I have no choice but to either 1. downgrade the forwarder -OR- 2. upgrade my indexers?
Thank you!
You have to disable the SSLv3 Support on the Forwarder in the local/server.conf.
[sslConfig]
sslKeysfilePassword = <your_password>
sslVersions=*,-ssl2,-ssl3
cipherSuite = TLSv1.2:!eNULL:!aNULL
Then it should work again.
Points for upgrading a test forwarder first!
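The following is an added example, not part of the original thread and not Splunk's own code. It expands the `sslVersions` value from the answer into the protocol versions it actually permits and compares that set with a peer's setting. The indexer values are constructed samples, the helper names are hypothetical, and treating "-" removals as order-independent is an assumption.

```python
import configparser

# Version names accepted by sslVersions, oldest first.
ALL_VERSIONS = ["ssl3", "tls1.0", "tls1.1", "tls1.2"]

# Stanza from the answer above.
FORWARDER_CONF = """
[sslConfig]
sslKeysfilePassword = <your_password>
sslVersions=*,-ssl2,-ssl3
cipherSuite = TLSv1.2:!eNULL:!aNULL
"""

def effective_versions(spec):
    """Expand a value such as '*,-ssl2,-ssl3' into the set of enabled versions."""
    allowed, removed = set(), set()
    for token in (t.strip().lower() for t in spec.split(",")):
        if not token:
            continue
        target = removed if token.startswith("-") else allowed
        name = token.lstrip("-")
        if name == "*":
            target.update(ALL_VERSIONS)
        elif name == "tls":  # shorthand for tls1.0 and newer
            target.update(v for v in ALL_VERSIONS if v.startswith("tls"))
        elif name == "ssl2":
            continue  # accepted in the list, but SSLv2 is never enabled
        elif name in ALL_VERSIONS:
            target.add(name)
        else:
            raise ValueError(f"unknown sslVersions token: {token!r}")
    # Assumption: a "-" entry wins wherever it appears in the list.
    return allowed - removed

def ssl_versions_from_conf(text):
    """Read sslVersions from the [sslConfig] stanza of server.conf text."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep Splunk's case-sensitive key names
    parser.read_string(text)
    return effective_versions(parser.get("sslConfig", "sslVersions"))

def common_versions(a, b):
    """Versions both peers allow, oldest first; empty means no handshake."""
    return [v for v in ALL_VERSIONS if v in a and v in b]

if __name__ == "__main__":
    fwd = ssl_versions_from_conf(FORWARDER_CONF)
    for indexer_spec in ("tls1.2", "ssl3"):  # constructed indexer settings
        print(indexer_spec, "->", common_versions(fwd, effective_versions(indexer_spec)))
```

A shared protocol version is necessary but not sufficient: the `cipherSuite` strings on both sides must also have at least one cipher in common.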