After configuring my indexer and forwarder to use SSL I receive the following error:
Error encountered for connection from src=MY_IP:44978. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
output.conf on forwarder:
[tcpout:group1]
server = INDEXER_IP:9998
disabled = 0
sslVerifyServerCert = true
useClientSSLCompression = true
inputs.conf on indexer:
[splunktcp-ssl:9998]
disabled = 0
connection_host = ip
[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/my_prepared_cert.pem
requireClientCert = false
output of openssl s_client -connect INDEXER_IP:9998
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 4E137F80E8629FC675460A5B2A5E13305F5DE4153720F7A2566A7ED2490EF77C
Session-ID-ctx:
Master-Key: 7AD057B736D12AD4CA0515CF7E7AE9BDB1BB45A05F75DA6042A1A5460110D886BB80BEE06A79CFE94428D33A51B76009
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1716539462
Timeout : 300 (sec)
Verify return code: 0 (ok)
Sounds like you need certs on the UF.
You can copy them from the indexer, or put them into an app and deploy them via the Deployment Server, then change the paths in the config below.
Example config
outputs.conf
clientCert = /opt/splunkforwarder/etc/auth/mycerts/my_prepared_cert.pem
sslPassword = <IF YOU SET A PASSPHRASE>
server.conf
[sslConfig]
sslRootCAPath = /opt/splunkforwarder/etc/auth/mycerts/my_prepared_cert.pem
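A small lint for the forwarder side of this thread, added here as an example and not code from the original posts or from Splunk: it flags a `[tcpout:...]` stanza that sets SSL options but has no `clientCert`, and `sslVerifyServerCert = true` with no `sslRootCAPath` in server.conf. It assumes, as the answer implies, that the forwarder only speaks TLS to the indexer once `clientCert` is set; `lint_forwarder`, `_parse` and the sample strings are hypothetical names and constructed inputs.

```python
import configparser

# Constructed sample: the forwarder stanza from the question, before the fix.
BEFORE = """\
[tcpout:group1]
server = INDEXER_IP:9998
disabled = 0
sslVerifyServerCert = true
useClientSSLCompression = true
"""

# Constructed sample: the same stanza with the answer's clientCert line added.
AFTER = BEFORE + "clientCert = /opt/splunkforwarder/etc/auth/mycerts/my_prepared_cert.pem\n"

SERVER_CONF = "[sslConfig]\nsslRootCAPath = /opt/splunkforwarder/etc/auth/mycerts/my_prepared_cert.pem\n"

SSL_ONLY_KEYS = ("sslVerifyServerCert", "useClientSSLCompression", "sslPassword")


def _parse(text):
    # Setting names are kept case-sensitive: disable configparser's lowercasing.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def lint_forwarder(outputs_text, server_text=""):
    """Return findings for each [tcpout:*] stanza (hypothetical helper)."""
    outputs, server = _parse(outputs_text), _parse(server_text)
    root_ca = server.get("sslConfig", "sslRootCAPath", fallback=None)
    findings = []
    for name in outputs.sections():
        if not name.startswith("tcpout:"):
            continue
        st = outputs[name]
        ssl_keys = [k for k in SSL_ONLY_KEYS if k in st]
        if ssl_keys and "clientCert" not in st:
            findings.append(f"{name}: {', '.join(ssl_keys)} set but no clientCert; "
                            "assumed to send cleartext to the SSL port")
        if st.getboolean("sslVerifyServerCert", fallback=False) and not root_ca:
            findings.append(f"{name}: sslVerifyServerCert = true but no "
                            "sslRootCAPath in server.conf [sslConfig]")
    return findings
```

Run it against the merged output of `splunk btool outputs list` and `splunk btool server list` on the forwarder so that settings from deployed apps are included.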