Hello guys,

I'm using this on deployment-apps (universal forwarder deployment) :

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = indexer:9997

[tcpout-server://indexer:9997]
sslCertPath = $SPLUNK_HOME/etc/apps/APP_OUTPUTS_BASE_PPR/local/server.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/apps/APP_OUTPUTS_BASE_PPR/local/cacert.pem
sslVerifyServerCert = false

I'm 99% sure sslPassword for my cacert.pem is not 'password', so isn't it working for server.pem instead (default splunk cert) ?

If I use the correct cacert pass, I get ssl23_get_client_hello unknown protocol on indexer and TcpOutputFd Read error on forwarder.

Thanks for your clarification.