Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why do I receive SSL alert number 40 with selfsigned certificates?

ortiz
Explorer
‎01-25-2023 04:01 AM

Dear all,

We are on process of ingesting Check Point EDR logs in our Splunk Cloud Platform. This should be done through a Heavy Forwarder. Checkpoint sends encrypted data to HFW.

For that purpose, we used the following guide provided by CheckPoint for generating and configure the certificates which contains specific instructions for Splunk:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

As summary, there are two certificates that needs to be configured on the Splunk side: 

- splunk.pem It is a combination of SyslogServer.crt + SyslogServer.key + RootCa.pem configured in /opt/splunk/etc/apps/CheckPointAPP/local/inputs.conf
- ca.pem configured in /opt/splunk/etc/system/local/server.conf

This configuration is not working because the certificate splunk.pem is giving a handshake error "SSL alert number 40".


The following setting in server.conf as the CheckPoint guide specifies, returns an error in Splunk: "Invalid key in stanza [SSL]".

 

 

[SSL]
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

 


We also have tried with this configuration with the same result:

 

 

[SSL] cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA:AES256-SHA:AES128-SHA

 

 

In Splunk internal wereceive the following error:

 

Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate A', alert_description='unknown CA'.

 



Do you know which could be the point of failure? Why the certificate is returning an error 40 or if the configuration should be set in a different way?

Best regards

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...

Unlock Instant Security Insights from Amazon S3 with Splunk Cloud — Try Federated ...

Availability: Must be on Splunk Cloud Platform version 10.1.2507.x to view the free trial banner. If you are ...