Getting Data In

How to resolve "SSL23_GET_CLIENT_HELLO:unknown protocol" error on indexer?

Haleb
Path Finder

After configuring my indexer and forwarder to use SSL I receive the following error:

Error encountered for connection from src=MY_IP:44978. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

output.conf on  forwarder:

[tcpout:group1]
server = INDEXER_IP:9998
disabled = 0
sslVerifyServerCert = true
useClientSSLCompression = true

inputs.conf on indexer:

[splunktcp-ssl:9998]
disabled = 0
connection_host = ip

[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/my_prepared_cert.pem
requireClientCert = false

output of openssl s_client -connect INDEXER_IP:9998

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 4E137F80E8629FC675460A5B2A5E13305F5DE4153720F7A2566A7ED2490EF77C
    Session-ID-ctx: 
    Master-Key: 7AD057B736D12AD4CA0515CF7E7AE9BDB1BB45A05F75DA6042A1A5460110D886BB80BEE06A79CFE94428D33A51B76009
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - e4 37 a8 12 91 c0 0c a0-6e 1b c5 01 31 98 3f 80   .7......n...1.?.
    0010 - 95 9b 8d 47 c5 a3 99 33-49 2a f0 86 7f 80 e8 2c   ...G...3I*.....,
    0020 - b7 4e 80 23 ec 4e 0e c6-20 b5 70 9c f9 cd 7d bd   .N.#.N.. .p...}.
    0030 - 69 93 82 ec 9d 37 51 ba-47 8e a6 23 cb 51 7f 4e   i....7Q.G..#.Q.N
    0040 - 1f 59 8b 8b 06 c4 dc 23-f9 64 61 69 ea e3 c3 39   .Y.....#.dai...9
    0050 - 79 eb 82 a2 5c 0c 28 32-a1 2a a5 a8 50 41 95 54   y...\.(2.*..PA.T
    0060 - 5a f6 6d 53 cd 12 d3 34-fe 18 00 50 e0 06 2c 77   Z.mS...4...P..,w
    0070 - 0f b9 35 03 a5 08 a2 df-88 23 39 c8 8e b5 81 67   ..5......#9....g
    0080 - 71 c1 4e 7a ab 8f b8 36-59 1a 01 ae 7e a6 36 c0   q.Nz...6Y...~.6.
    0090 - 5e c2 6e 4f 1d 9f 47 76-cc 38 0e a5 26 91 50 de   ^.nO..Gv.8..&.P.

    Start Time: 1716539462
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

 

Labels (4)
Tags (3)
0 Karma
1 Solution

deepakc
Builder

Sounds like you need certs on the UF

You can copy them from the indexer or put them into an app and deployment them via the Deployment Server inside an app and change the config below paths. 

Example config

outputs.conf

clientCert= /opt/splunkforwarder/etc/auth/mycerts/my_prepared_cert.pem
sslPassword = <IF YOU SET A PASSPHRASE>

server.conf

[sslConfig]
sslRootCAPath = /opt/splunkforwarder/etc/auth/mycerts/my_prepared_cert.pem

  

View solution in original post

deepakc
Builder

Sounds like you need certs on the UF

You can copy them from the indexer or put them into an app and deployment them via the Deployment Server inside an app and change the config below paths. 

Example config

outputs.conf

clientCert= /opt/splunkforwarder/etc/auth/mycerts/my_prepared_cert.pem
sslPassword = <IF YOU SET A PASSPHRASE>

server.conf

[sslConfig]
sslRootCAPath = /opt/splunkforwarder/etc/auth/mycerts/my_prepared_cert.pem

  

Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...