Getting Data In

How to resolve SSL error with tcp-ssl input?


I have a Splunk server which is receiving data on a tcp-ssl port successfully for a particular application (SecureCircle). I'm trying to set up a new port to receive data from Palo Alto firewalls but it's running into an the following error:




WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client key exchange A', alert_description='certificate unknown'




I'm using the same certificate an SSL configuration for both ports so I know that the cert is fine. It's not a self singed cert. It's valid until 2022.

I've been looking through some old posts with similar errors but none of them seemed to match my issue.  Below is my Port and SSL configuration from the btool inputs command




/opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf              [SSL]
/opt/splunk/etc/system/default/inputs.conf                             _rcvbuf = 1572864
/opt/splunk/etc/system/default/inputs.conf                             allowSslRenegotiation = true
/opt/splunk/etc/system/default/inputs.conf                             cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
/opt/splunk/etc/system/default/inputs.conf                             ecdhCurves = prime256v1, secp384r1, secp521r1
/opt/splunk/etc/system/local/inputs.conf                               host =
/opt/splunk/etc/system/default/inputs.conf                             index = default
/opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf              requireClientCert = false
/opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf              serverCert = /opt/splunk/etc/auth/
/opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf              sslPassword = [Redacted]
/opt/splunk/etc/system/default/inputs.conf                             sslQuietShutdown = false
/opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf              sslVersions = tls1.2
/opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf              [tcp-ssl://6514]
/opt/splunk/etc/system/default/inputs.conf                             _rcvbuf = 1572864
/opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf              host =
/opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf              index = pan_logs
/opt/splunk/etc/apps/Splunk_TA_paloalto/local/inputs.conf              sourcetype = pan:log




The configuration for the working port is:




/opt/splunk/etc/apps/ahs_ta_securecircle/local/inputs.conf             [tcp-ssl://8443]
/opt/splunk/etc/system/default/inputs.conf                             _rcvbuf = 1572864
/opt/splunk/etc/system/local/inputs.conf                               host =
/opt/splunk/etc/apps/ahs_ta_securecircle/local/inputs.conf             index = dlp
/opt/splunk/etc/apps/ahs_ta_securecircle/local/inputs.conf             sourcetype = SecureCircle




Labels (1)
0 Karma



having the exact same issue. Were you able to fix it?

0 Karma


Ditto here.

I hammered on it for about a day, and finally just went back to udp.

I may just have to configure a vpn tunnel to send it through as a work around, sad.

0 Karma
Get Updates on the Splunk Community!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...