Installation

SSL error after upgrading from 6.6.1 to 6.6.2

hhGA
Communicator

Hi,

I am running Splunk Free on an Ubuntu 17.04 box. I have just upgraded Splunk from 6.6.1 to 6.6.2 via the deb package.

Now when I try and start Splunk the web interface never becomes available. And I get the following output:
Waiting for web server at http://127.0.0.1:8000 to be available............................................................................................................................................................................................................................................................................................................
WARNING: web interface does not seem to be available!

Splunkd.log gives the following message several times over:
WARN HttpListener - Socket error from 127.0.0.1 while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Could anyone please help me with this? I've gone through server.conf but there seems to be a lot of different SSL settings and I'm not sure which to modify (if any) and to what. I've also gone through repositories and there's nothing blindingly obvious there to upgrade my SSL.

Thanks in advance.

0 Karma

afroz
Path Finder

Check the forwarder version. It is due to a higher version of forwarders.

Fix the forwarder version; it must be equal to or lower than the indexers' Splunk.

It is not due to Splunk SSL. If you disable Splunk SSL you will still see those logs.

0 Karma

akocak
Contributor

I downvoted this post because of wrong information.

0 Karma

rvany
Communicator

I downvoted this post because that's just wrong, although this message reads as if there's no doubt about its truth.
Have a look at https://docs.splunk.com/documentation/forwarder/7.3.0/forwarder/compatibilitybetweenforwardersandind... - there's no such constraint as you write.
And it's clearly stated in the message that this message does belong to SSL.

0 Karma

kg_bdmeyer
New Member

I agree. I am running on version 7.31 on forwarder and indexers, sh, ds, lm etc.

0 Karma

gjanders
SplunkTrust

The log message implies that something is attempting to communicate with your server via SSLv3; however, Splunk 6.6.x defaults to TLS 1.0 and above, from memory (you can confirm with btool).

The mentioned config from the Splunk 6.6.3 release notes known issues page for server.conf:

[sslConfig]
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

If you have older forwarders you might also need to update the inputs.conf:

[SSL]
sslVersions = *,-ssl2
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Note that both of the above will allow SSLv3, and the cipher suite is also changed. You should only do this if you need to, as it changes your SSL settings to be less secure.
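
Added example, not part of the original posts or Splunk's own tooling: a small Python check that resolves the sslVersions values quoted above and reports the stanzas that still permit SSLv3. The function names and the third, TLS-only stanza are constructed for illustration; removals are applied regardless of token order, which is an assumption.

```python
ALL = ["ssl3", "tls1.0", "tls1.1", "tls1.2"]  # names from Splunk's sslVersions docs; ssl2 is always disabled

def effective_versions(value):
    """Resolve an sslVersions list ('*' = all, 'tls' = TLS 1.0+, '-x' removes x; token order ignored, an assumption)."""
    added, removed = set(), set()
    for tok in (t.strip().lower() for t in value.split(",")):
        if not tok:
            continue
        target = removed if tok.startswith("-") else added
        name = tok.lstrip("-")
        if name == "*":
            target.update(ALL)
        elif name == "tls":
            target.update(ALL[1:])
        elif name in ALL:  # 'ssl2' and unknown names fall through and are ignored
            target.add(name)
    return [v for v in ALL if v in added - removed]

def audit(conf_text):
    """Return (stanza, key, versions) for every sslVersions* setting that allows ssl3."""
    findings, stanza = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if sep and key.lower().startswith("sslversions"):
            versions = effective_versions(value)
            if "ssl3" in versions:
                findings.append((stanza, key, versions))
    return findings

# sslVersions lines from the two stanzas quoted in the post, plus one constructed TLS-only stanza.
SAMPLE = """
[sslConfig]
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
[SSL]
sslVersions = *,-ssl2
[constructed_tls_only]
sslVersions = tls1.2
"""

if __name__ == "__main__":
    for stanza, key, versions in audit(SAMPLE):
        print(f"[{stanza}] {key} permits SSLv3: {versions}")
```
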

Deepdive
Engager

I have the same problem here. Would be nice to have a solution.

0 Karma

hhGA
Communicator

Hi Deepdive,

Unfortunately I have not been able to find a solution to the issue. I have worked around this by creating a new Splunk 6.6.1 installation and copying the indexes and configurations across.

I have not yet attempted to upgrade to 6.6.2 again.

0 Karma

akocak
Contributor

I guess having your two comments here, along with the same issue in my environment, we can consider this as a Splunk bug?

0 Karma