Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to resolve "ssl23_get_client_hello unknown protocol" error on indexer and "TcpOutputFd Read error" on forwarder?

splunkreal
Influencer
‎11-25-2016 01:53 AM

Hello guys,

I'm using this on deployment-apps (universal forwarder deployment) :

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = indexer:9997

[tcpout-server://indexer:9997]
sslCertPath = $SPLUNK_HOME/etc/apps/APP_OUTPUTS_BASE_PPR/local/server.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/apps/APP_OUTPUTS_BASE_PPR/local/cacert.pem
sslVerifyServerCert = false

I'm 99% sure sslPassword for my cacert.pem is not 'password', so isn't it working for server.pem instead (default splunk cert) ?

If I use the correct cacert pass, I get ssl23_get_client_hello unknown protocol on indexer and TcpOutputFd Read error on forwarder.

Thanks for your clarification.

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-25-2016 04:48 AM

Hi realsplunk,
sorry for this detail:
the steps you have to do are:

  • insert correct password in inputs.conf (verify where is the inputs.conf file where there is sslPassword: $SPLUNK_HOME/etc/system/local) on your indexers;
  • restart indexers, password will be encrypted
  • insert correct password in inputs.conf in your TA (in local directory);
  • restart forwarder, password will be encrypted

If you insert outputs.conf in default directory, password will be encrypted in local directory and not encripted in default directory.
Bye.
Giuseppe

0 Karma
Reply

splunkreal
Influencer
‎11-28-2016 07:31 AM

So why at http://docs.splunk.com/Documentation/Splunk/6.2.3/Admin/Outputsconf we have :

sslPassword =
The password associated with the CAcert.
The default Splunk CAcert uses the password "password".
There is no default value.*

Thanks a lot!

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...