Getting Data In

How to resolve "SSL23_GET_CLIENT_HELLO:unknown protocol" error on indexer?

Haleb
Path Finder

After configuring my indexer and forwarder to use SSL I receive the following error:

Error encountered for connection from src=MY_IP:44978. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

output.conf on  forwarder:

[tcpout:group1]
server = INDEXER_IP:9998
disabled = 0
sslVerifyServerCert = true
useClientSSLCompression = true

inputs.conf on indexer:

[splunktcp-ssl:9998]
disabled = 0
connection_host = ip

[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/my_prepared_cert.pem
requireClientCert = false

output of openssl s_client -connect INDEXER_IP:9998

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 4E137F80E8629FC675460A5B2A5E13305F5DE4153720F7A2566A7ED2490EF77C
    Session-ID-ctx: 
    Master-Key: 7AD057B736D12AD4CA0515CF7E7AE9BDB1BB45A05F75DA6042A1A5460110D886BB80BEE06A79CFE94428D33A51B76009
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - e4 37 a8 12 91 c0 0c a0-6e 1b c5 01 31 98 3f 80   .7......n...1.?.
    0010 - 95 9b 8d 47 c5 a3 99 33-49 2a f0 86 7f 80 e8 2c   ...G...3I*.....,
    0020 - b7 4e 80 23 ec 4e 0e c6-20 b5 70 9c f9 cd 7d bd   .N.#.N.. .p...}.
    0030 - 69 93 82 ec 9d 37 51 ba-47 8e a6 23 cb 51 7f 4e   i....7Q.G..#.Q.N
    0040 - 1f 59 8b 8b 06 c4 dc 23-f9 64 61 69 ea e3 c3 39   .Y.....#.dai...9
    0050 - 79 eb 82 a2 5c 0c 28 32-a1 2a a5 a8 50 41 95 54   y...\.(2.*..PA.T
    0060 - 5a f6 6d 53 cd 12 d3 34-fe 18 00 50 e0 06 2c 77   Z.mS...4...P..,w
    0070 - 0f b9 35 03 a5 08 a2 df-88 23 39 c8 8e b5 81 67   ..5......#9....g
    0080 - 71 c1 4e 7a ab 8f b8 36-59 1a 01 ae 7e a6 36 c0   q.Nz...6Y...~.6.
    0090 - 5e c2 6e 4f 1d 9f 47 76-cc 38 0e a5 26 91 50 de   ^.nO..Gv.8..&.P.

    Start Time: 1716539462
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

 

Labels (4)
Tags (3)
0 Karma
1 Solution

deepakc
Builder

Sounds like you need certs on the UF

You can copy them from the indexer or put them into an app and deployment them via the Deployment Server inside an app and change the config below paths. 

Example config

outputs.conf

clientCert= /opt/splunkforwarder/etc/auth/mycerts/my_prepared_cert.pem
sslPassword = <IF YOU SET A PASSPHRASE>

server.conf

[sslConfig]
sslRootCAPath = /opt/splunkforwarder/etc/auth/mycerts/my_prepared_cert.pem

  

View solution in original post

deepakc
Builder

Sounds like you need certs on the UF

You can copy them from the indexer or put them into an app and deployment them via the Deployment Server inside an app and change the config below paths. 

Example config

outputs.conf

clientCert= /opt/splunkforwarder/etc/auth/mycerts/my_prepared_cert.pem
sslPassword = <IF YOU SET A PASSPHRASE>

server.conf

[sslConfig]
sslRootCAPath = /opt/splunkforwarder/etc/auth/mycerts/my_prepared_cert.pem

  

Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...