Splunk serving wrong certificate on tcp-ssl input

konstr
Path Finder

I am facing a weird issue at the moment where I want to set up multiple tcp-ssl inputs and have each input using a different certificate.

The reason for that is that our Heavy Forwarders will be receiving syslog inputs through two separate load-balancers which will not be performing certificate offloading. 

My inputs.conf is as follows.

 

[tcp-ssl:10515]
sourcetype = source1
index = index1
disabled = 0
serverCert = /path to servercert2
sslRootCAPath = /path to rootCA cert

[tcp-ssl:10516]
sourcetype = source2
index = index2
disabled = 0

[tcp-ssl:10517]
sourcetype = source3
index = index3
disabled = 0

[SSL]
requireClientCert= false
serverCert = /path to servercert1
sslRootCAPath = /path to rootCA cert

 

 

Basically I am setting the main certificate that will be used in the [SSL] stanza and then I am overriding that specifically for the [tcp-ssl:10515] stanza. Passwords for both certificates are under the correct stanzas in the local directory. I've also tried to override the certificate in [tcp-ssl:10515] by adding the paths under the local directory but no luck.

No matter what I do Splunk is serving the certificate under the [SSL] stanza (which I have confirmed by capturing and inspecting the packets). 

 

According to Splunk docs what I'm trying should be possible unless I'm misunderstanding something.

 

[tcp-ssl:<port>]
* Use this stanza type if you are receiving encrypted, unparsed data from a
  forwarder or third-party system.
* Set <port> to the port on which the forwarder/third-party system is sending
  unparsed, encrypted data.
* To create multiple SSL inputs, you can add the following attributes to each
[tcp-ssl:<port>] input stanza. If you do not configure a certificate in the
port, the certificate information is pulled from the default [SSL] stanza:
  * serverCert = <path_to_cert>
  * sslRootCAPath = <path_to_cert> This attribute should only be added
    if you have not configured your sslRootPath in server.conf.
  * sslPassword = <password>

 

 

I've also tried to completely ignore the [SSL] stanza and just add the certificate paths under each input's stanza but I get an error that the inputs cannot start due to the [SSL] stanza not being defined.

 

Any ideas?


harsmarvania57
SplunkTrust

Looks like this issue is fixed in Splunk 8.0.9

 

2021-02-09 	SPL-199494, SPL-198714 	tcp-ssl input stanza individual ssl certificates not working as documented 
0 Karma
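
A way to check which certificate each tcp-ssl port actually serves against the one the documented fallback rule predicts (the stanza's own serverCert, otherwise the one in [SSL]). This is an added example, not part of the original thread or Splunk's own tooling; the function names, the sample config and the host argument are assumptions made for illustration.

```python
import configparser
import hashlib
import socket
import ssl

# Constructed sample mirroring the inputs.conf in the question (placeholder paths).
SAMPLE_INPUTS = """
[tcp-ssl:10515]
serverCert = /path to servercert2
[tcp-ssl:10516]
index = index2
[SSL]
serverCert = /path to servercert1
"""

def expected_certs(conf_text):
    """Map each tcp-ssl port to its own serverCert, else the [SSL] one."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    default = cp.get("SSL", "serverCert", fallback=None)
    return {int(name.split(":", 1)[1]): cp.get(name, "serverCert", fallback=default)
            for name in cp.sections() if name.startswith("tcp-ssl:")}

def pem_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM file (assumed to be the server cert)."""
    start = pem_text.index("-----BEGIN CERTIFICATE-----")
    end = pem_text.index("-----END CERTIFICATE-----") + len("-----END CERTIFICATE-----")
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text[start:end])).hexdigest()

def served_fingerprint(host, port, timeout=5.0):
    """SHA-256 of the certificate the listener presents (identified, not trusted)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def audit(conf_text, host):
    """Return {port: (expected_path, matches)} for every tcp-ssl input."""
    out = {}
    for port, path in expected_certs(conf_text).items():
        with open(path) as fh:
            out[port] = (path, pem_fingerprint(fh.read()) == served_fingerprint(host, port))
    return out
```

Run `audit()` with the contents of the real inputs.conf and the forwarder's host name; a port reported with `matches` False is serving a certificate other than the one its stanza resolves to, which is the behaviour described in this thread.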

harsmarvania57
SplunkTrust

As you mentioned that you tried to ignore the [SSL] stanza, does that mean you removed that [SSL] stanza and its configuration and configured the SSL certificate under each tcp-ssl stanza?

0 Karma

konstr
Path Finder

Yes, I tried removing the [SSL] stanza completely and including all the information under each port's stanza. That didn't work either and I was getting errors that the [SSL] stanza is missing.

0 Karma

harsmarvania57
SplunkTrust

Replicated this issue, configured the settings below and it is not working. I suggest you raise a case with Splunk Support.

 

In inputs.conf

[tcp-ssl:10515]
serverCert = $SPLUNK_HOME/etc/auth/my_certs/splunkso.pem

In server.conf

[sslConfig]

sslRootCAPath = $SPLUNK_HOME/etc/auth/my_certs/rootCA.pem

0 Karma

konstr
Path Finder

I am still looking for an answer on this. Not sure why this is not working as stated in Splunk docs.

0 Karma

BenjaminKTH
New Member

I am facing the exact same problem...

0 Karma