Getting Data In

How to resolve "SSL23_GET_CLIENT_HELLO:unknown protocol" error on indexer?

Haleb
Path Finder

After configuring my indexer and forwarder to use SSL I receive the following error:

Error encountered for connection from src=MY_IP:44978. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

output.conf on  forwarder:

[tcpout:group1]
server = INDEXER_IP:9998
disabled = 0
sslVerifyServerCert = true
useClientSSLCompression = true

inputs.conf on indexer:

[splunktcp-ssl:9998]
disabled = 0
connection_host = ip

[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/my_prepared_cert.pem
requireClientCert = false

output of openssl s_client -connect INDEXER_IP:9998

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 4E137F80E8629FC675460A5B2A5E13305F5DE4153720F7A2566A7ED2490EF77C
    Session-ID-ctx: 
    Master-Key: 7AD057B736D12AD4CA0515CF7E7AE9BDB1BB45A05F75DA6042A1A5460110D886BB80BEE06A79CFE94428D33A51B76009
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - e4 37 a8 12 91 c0 0c a0-6e 1b c5 01 31 98 3f 80   .7......n...1.?.
    0010 - 95 9b 8d 47 c5 a3 99 33-49 2a f0 86 7f 80 e8 2c   ...G...3I*.....,
    0020 - b7 4e 80 23 ec 4e 0e c6-20 b5 70 9c f9 cd 7d bd   .N.#.N.. .p...}.
    0030 - 69 93 82 ec 9d 37 51 ba-47 8e a6 23 cb 51 7f 4e   i....7Q.G..#.Q.N
    0040 - 1f 59 8b 8b 06 c4 dc 23-f9 64 61 69 ea e3 c3 39   .Y.....#.dai...9
    0050 - 79 eb 82 a2 5c 0c 28 32-a1 2a a5 a8 50 41 95 54   y...\.(2.*..PA.T
    0060 - 5a f6 6d 53 cd 12 d3 34-fe 18 00 50 e0 06 2c 77   Z.mS...4...P..,w
    0070 - 0f b9 35 03 a5 08 a2 df-88 23 39 c8 8e b5 81 67   ..5......#9....g
    0080 - 71 c1 4e 7a ab 8f b8 36-59 1a 01 ae 7e a6 36 c0   q.Nz...6Y...~.6.
    0090 - 5e c2 6e 4f 1d 9f 47 76-cc 38 0e a5 26 91 50 de   ^.nO..Gv.8..&.P.

    Start Time: 1716539462
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

 

Labels (4)
Tags (3)
0 Karma
1 Solution

deepakc
Builder

Sounds like you need certs on the UF

You can copy them from the indexer or put them into an app and deployment them via the Deployment Server inside an app and change the config below paths. 

Example config

outputs.conf

clientCert= /opt/splunkforwarder/etc/auth/mycerts/my_prepared_cert.pem
sslPassword = <IF YOU SET A PASSPHRASE>

server.conf

[sslConfig]
sslRootCAPath = /opt/splunkforwarder/etc/auth/mycerts/my_prepared_cert.pem

  

View solution in original post

deepakc
Builder

Sounds like you need certs on the UF

You can copy them from the indexer or put them into an app and deployment them via the Deployment Server inside an app and change the config below paths. 

Example config

outputs.conf

clientCert= /opt/splunkforwarder/etc/auth/mycerts/my_prepared_cert.pem
sslPassword = <IF YOU SET A PASSPHRASE>

server.conf

[sslConfig]
sslRootCAPath = /opt/splunkforwarder/etc/auth/mycerts/my_prepared_cert.pem

  

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...