Solved: How to resolve "SSL23_GET_CLIENT_HELLO:unknown pro...

Haleb · ‎05-24-2024

After configuring my indexer and forwarder to use SSL I receive the following error:

Error encountered for connection from src=MY_IP:44978. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

output.conf on forwarder:

[tcpout:group1]
server = INDEXER_IP:9998
disabled = 0
sslVerifyServerCert = true
useClientSSLCompression = true

inputs.conf on indexer:

[splunktcp-ssl:9998]
disabled = 0
connection_host = ip

[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/my_prepared_cert.pem
requireClientCert = false

output of openssl s_client -connect INDEXER_IP:9998

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 4E137F80E8629FC675460A5B2A5E13305F5DE4153720F7A2566A7ED2490EF77C
    Session-ID-ctx: 
    Master-Key: 7AD057B736D12AD4CA0515CF7E7AE9BDB1BB45A05F75DA6042A1A5460110D886BB80BEE06A79CFE94428D33A51B76009
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - e4 37 a8 12 91 c0 0c a0-6e 1b c5 01 31 98 3f 80   .7......n...1.?.
    0010 - 95 9b 8d 47 c5 a3 99 33-49 2a f0 86 7f 80 e8 2c   ...G...3I*.....,
    0020 - b7 4e 80 23 ec 4e 0e c6-20 b5 70 9c f9 cd 7d bd   .N.#.N.. .p...}.
    0030 - 69 93 82 ec 9d 37 51 ba-47 8e a6 23 cb 51 7f 4e   i....7Q.G..#.Q.N
    0040 - 1f 59 8b 8b 06 c4 dc 23-f9 64 61 69 ea e3 c3 39   .Y.....#.dai...9
    0050 - 79 eb 82 a2 5c 0c 28 32-a1 2a a5 a8 50 41 95 54   y...\.(2.*..PA.T
    0060 - 5a f6 6d 53 cd 12 d3 34-fe 18 00 50 e0 06 2c 77   Z.mS...4...P..,w
    0070 - 0f b9 35 03 a5 08 a2 df-88 23 39 c8 8e b5 81 67   ..5......#9....g
    0080 - 71 c1 4e 7a ab 8f b8 36-59 1a 01 ae 7e a6 36 c0   q.Nz...6Y...~.6.
    0090 - 5e c2 6e 4f 1d 9f 47 76-cc 38 0e a5 26 91 50 de   ^.nO..Gv.8..&.P.

    Start Time: 1716539462
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

deepakc · ‎05-28-2024

Sounds like you need certs on the UF

You can copy them from the indexer or put them into an app and deployment them via the Deployment Server inside an app and change the config below paths.

Example config

outputs.conf

clientCert= /opt/splunkforwarder/etc/auth/mycerts/my_prepared_cert.pem
sslPassword = <IF YOU SET A PASSPHRASE>

server.conf

[sslConfig]
sslRootCAPath = /opt/splunkforwarder/etc/auth/mycerts/my_prepared_cert.pem

View solution in original post

deepakc · ‎05-28-2024

Sounds like you need certs on the UF

You can copy them from the indexer or put them into an app and deployment them via the Deployment Server inside an app and change the config below paths.

Example config

outputs.conf

clientCert= /opt/splunkforwarder/etc/auth/mycerts/my_prepared_cert.pem
sslPassword = <IF YOU SET A PASSPHRASE>

server.conf

[sslConfig]
sslRootCAPath = /opt/splunkforwarder/etc/auth/mycerts/my_prepared_cert.pem

How to resolve "SSL23_GET_CLIENT_HELLO:unknown protocol" error on indexer?

indexer

inputs.conf

Linux

universal forwarder

Customer Experience | Splunk 2024: New Onboarding Resources

Celebrate CX Day with Splunk: Take our interactive quiz, join our LinkedIn Live ...

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...