Hi,
I am running Splunk Free on an Ubuntu 17.04 box. I have just upgraded Splunk from 6.6.1 to 6.6.2 via the deb package.
Now when I try and start Splunk the web interface never becomes available. And I get the following output:Waiting for web server at http://127.0.0.1:8000 to be available............................................................................................................................................................................................................................................................................................................
WARNING: web interface does not seem to be available!
Splunkd.log gives the following message several times over:
WARN HttpListener - Socket error from 127.0.0.1 while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Could anyone please help me with this? I've gone through server.conf but there seem to be a lot of different SSL settings and I'm not sure which to modify (if any) and to what. I've also gone through repositories and there's nothing blindingly obvious there to upgrade my SSL.
Thanks in advance.
Check the forwarder version. It is due to a higher version of the forwarders.
Fix the forwarder version; it must be equal to or lower than the indexers' Splunk version.
It is not due to Splunk SSL. If you disable Splunk SSL you will still see those logs.
I downvoted this post because of wrong information.
I downvoted this post because that's just wrong, although this message reads as if there's no doubt about its truth.
Have a look at https://docs.splunk.com/documentation/forwarder/7.3.0/forwarder/compatibilitybetweenforwardersandind... - there's no such constraint as you write.
And it's clearly stated in the message that this message does belong to SSL.
I agree. I am running on version 7.31 on forwarder and indexers, sh, ds, lm etc.
The log message implies that something is attempting to communicate with your server via SSLv3; however, Splunk 6.6.x defaults to TLS 1.0 and above, from memory (you can confirm with btool).
The mentioned config from the Splunk 6.6.3 release notes known issues page for server.conf:
[sslConfig]
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
If you have older forwarders you might also need to update the inputs.conf:
[SSL]
sslVersions = *,-ssl2
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Note that both of the above will allow SSLv3, and the cipher suite is also changed. You should only do this if you need to, as it changes your SSL settings to be less secure.
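Added example, not part of the answer above and not Splunk's own code: a small check that resolves each `sslVersions` value to the protocol versions it enables and reports any stanza that leaves SSLv3 on. It assumes the token grammar from Splunk's server.conf documentation (`*`, `tls`, `ssl3`, `tls1.0`, `tls1.1`, `tls1.2`, a `-` prefix to remove) and, as a further assumption, left-to-right evaluation; the function names are hypothetical.

```python
import configparser

# Version names accepted in sslVersions (assumed from Splunk's server.conf spec).
KNOWN = ["ssl3", "tls1.0", "tls1.1", "tls1.2"]

# The two stanzas quoted in the answer above, combined into one sample input.
PAGE_CONF = """
[sslConfig]
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

[SSL]
sslVersions = *,-ssl2
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
"""

def effective_versions(value):
    """Resolve an sslVersions string to the set of versions it enables."""
    enabled = set()
    for token in (t.strip().lower() for t in value.split(",")):
        if token.startswith("-"):
            enabled.discard(token[1:])   # "-ssl2" is accepted but removes nothing
        elif token == "*":
            enabled.update(KNOWN)
        elif token == "tls":
            enabled.update(v for v in KNOWN if v.startswith("tls"))
        elif token in KNOWN:
            enabled.add(token)
    return enabled

def audit(conf_text):
    """Return (stanza, key, versions) for each setting that still allows SSLv3."""
    parser = configparser.ConfigParser(
        strict=False, interpolation=None, delimiters=("=",))
    parser.optionxform = str             # keep Splunk's key capitalisation
    parser.read_string(conf_text)
    findings = []
    for stanza in parser.sections():
        for key, value in parser.items(stanza):
            if key.lower().startswith("sslversions"):
                versions = effective_versions(value)
                if "ssl3" in versions:
                    findings.append((stanza, key, sorted(versions)))
    return findings

if __name__ == "__main__":
    for stanza, key, versions in audit(PAGE_CONF):
        print(f"[{stanza}] {key} allows SSLv3: {versions}")
```

Run against the settings above, it flags all three `sslVersions*` lines; a constructed value such as `*,-ssl2,-ssl3` or `tls1.2` passes.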
I have the same problem here. Would be nice to have a solution.
Hi Deepdive,
Unfortunately I have not been able to find a solution to the issue. I have worked around this by creating a new Splunk 6.6.1 installation and copying the indexes and configurations across.
I have not yet attempted to upgrade to 6.6.2 again.
I guess having your two comments here, along with the same issue in my environment, we can consider this as a Splunk bug?