Re: Splunk serving wrong certificate on tcp-ssl in...

konstr · ‎02-01-2021

I am facing a weird issue at the moment where I want to set up multiple tcp-ssl inputs and have each input using a different certificate.

The reason for that is that our Heavy Forwarders will be receiving syslog inputs through two separate load-balancers which will not be performing certificate offloading.

My inputs.conf is as follows.

[tcp-ssl:10515]
sourcetype = source1
index = index1
disabled = 0
serverCert = /path to servercert2
sslRootCAPath = /path to rootCA cert

[tcp-ssl:10516]
sourcetype = source2
index = index2
disabled = 0

[tcp-ssl:10517]
sourcetype = source3
index = index3
disabled = 0

[SSL]
requireClientCert= false
serverCert = /path to servercert1
sslRootCAPath = /path to rootCA cert

Basically I am setting the main certificate that will be used in the [SSL] stanza and then I am overriding that specifically for the [tcp-ssl:10515] stanza. Passwords for both certificates are under the correct stanzas in the local directory. I've also tried to override the certificate in [tcp-ssl:10515] by adding the paths under the local directory but no luck.

No matter what I do Splunk is serving the certificate under the [SSL] stanza (which I have confirmed by capturing and inspecting the packets).

According to Splunk docs what I'm trying should be possible unless I'm misunderstanding something.

[tcp-ssl:<port>]
* Use this stanza type if you are receiving encrypted, unparsed data from a
  forwarder or third-party system.
* Set <port> to the port on which the forwarder/third-party system is sending
  unparsed, encrypted data.
* To create multiple SSL inputs, you can add the following attributes to each
[tcp-ssl:<port>] input stanza. If you do not configure a certificate in the
port, the certificate information is pulled from the default [SSL] stanza:
  * serverCert = <path_to_cert>
  * sslRootCAPath = <path_to_cert> This attribute should only be added
    if you have not configured your sslRootPath in server.conf.
  * sslPassword = <password>

I've also tried to completely ignore the [SSL] stanza and just add the certificate paths under each input's stanza but I get an error that the inputs cannot start due to the [SSL] stanza not being defined.

Any ideas?

harsmarvania57 · ‎04-16-2021

Looks like this issue is fixed in Splunk 8.0.9

2021-02-09 	SPL-199494, SPL-198714 	tcp-ssl input stanza individual ssl certificates not working as documented

harsmarvania57 · ‎03-22-2021

As you mentioned that you tried to ignore [SSL] stanza, does that mean you removed that [SSL] stanza & it's configuration and configured SSL certificate under each tcp-ssl stanza ?

konstr · ‎03-22-2021

Yes, I tried removing the [SSL] stanza completely and include all the information under each port's stanza. That didn't work either and I was getting errors that the [SSL] stanza is missing.

harsmarvania57 · ‎03-22-2021

Replicated this issue, configured below settings and it is not working. I suggest you to raise case with Splunk Support.

In inputs.conf

[tcp-ssl:10515]
serverCert = $SPLUNK_HOME/etc/auth/my_certs/splunkso.pem

In server.conf

[sslConfig]

sslRootCAPath = $SPLUNK_HOME/etc/auth/my_certs/rootCA.pem

konstr · ‎02-08-2021

I am still looking for an answer on this. Not sure why this is not working as stated in Splunk docs.

BenjaminKTH · ‎03-19-2021

I facing the exact same problem...

Splunk serving wrong certificate on tcp-ssl input

heavy forwarder

inputs.conf

syslog

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor