SSL error after upgrading from 6.6.1 to 6.6.2

Communicator

Hi,

I am running Splunk Free on an Ubuntu 17.04 box. I have just upgraded Splunk from 6.6.1 to 6.6.2 via the deb package.

Now when I try and start Splunk the web interface never becomes available. And I get the following output:
Waiting for web server at http://127.0.0.1:8000 to be available............................................................................................................................................................................................................................................................................................................
WARNING: web interface does not seem to be available!

Splunkd.log gives the following message several times over:
WARN HttpListener - Socket error from 127.0.0.1 while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Could anyone please help me with this? I've gone through server.conf but there seem to be a lot of different SSL settings and I'm not sure which to modify (if any) and to what. I've also gone through repositories and there's nothing blindingly obvious there to upgrade my SSL.

Thanks in advance.

0 Karma

Path Finder

Check the forwarder version. It is due to a higher version of the forwarders.

Fix the forwarder version; it must be equal to or lower than the indexers' Splunk version.

It is not due to Splunk SSL. If you disable Splunk SSL, you will still see those logs.

0 Karma

Contributor

I downvoted this post because of wrong information.

0 Karma

Communicator

I downvoted this post because that's just wrong, although this message reads as if there's no doubt about its truth.
Have a look at https://docs.splunk.com/documentation/forwarder/7.3.0/forwarder/compatibilitybetweenforwardersandind... - there's no such constraint as you write.
And it's clearly stated in the message that this message does belong to SSL.

0 Karma

New Member

I agree. I am running on version 7.31 on forwarder and indexers, sh, ds, lm etc.

0 Karma

SplunkTrust

The log message implies that something is attempting to communicate with your server via SSLv3; however, Splunk 6.6.x defaults to TLS 1.0 and above, from memory (you can confirm with btool).

The mentioned config from the Splunk 6.6.3 release notes known issues page for server.conf:

[sslConfig]
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

If you have older forwarders you might also need to update the inputs.conf:

[SSL]
sslVersions = *,-ssl2
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Note that both of the above will allow SSLv3, and the cipher suite is also changed. You should only do this if you need to, as it changes your SSL settings to be less secure.
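
Added example, not part of the original answer and not Splunk's own code: a small Python check that resolves the sslVersions list syntax used in the stanzas above and reports which settings still enable SSLv3. The function names and the TLS 1.2-only comparison stanza are constructed for illustration; the token meanings follow the server.conf spec, and left-to-right evaluation is an assumption.

```python
# Added example (not Splunk code): resolve sslVersions values from .conf text.
ALL = ["ssl3", "tls1.0", "tls1.1", "tls1.2"]  # versions listed in the server.conf spec

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective_versions(spec):
    """'*' selects all versions, 'tls' all TLS versions, a '-' prefix removes one.
    Tokens are applied left to right, which is an assumption of this example."""
    enabled = set()
    for token in (t.strip().lower() for t in spec.split(",")):
        remove, name = token.startswith("-"), token.lstrip("-")
        if name == "*":
            group = set(ALL)
        elif name == "tls":
            group = {v for v in ALL if v.startswith("tls")}
        else:
            group = {name} & set(ALL)  # unknown names and 'ssl2' enable nothing
        enabled = enabled - group if remove else enabled | group
    return [v for v in ALL if v in enabled]

def sslv3_findings(text):
    """Return sorted 'stanza/key' names whose sslVersions* value still enables ssl3."""
    hits = []
    for stanza, settings in parse_conf(text).items():
        for key, value in settings.items():
            if key.startswith("sslVersions") and "ssl3" in effective_versions(value):
                hits.append(f"{stanza}/{key}")
    return sorted(hits)

# Stanzas as quoted in the answer above (server.conf and inputs.conf combined
# into one string for the demo), then a constructed TLS 1.2-only variant.
FROM_ANSWER = ("[sslConfig]\nsslVersions = *,-ssl2\nsslVersionsForClient = *,-ssl2\n"
               "[SSL]\nsslVersions = *,-ssl2\n")
TLS12_ONLY = "[sslConfig]\nsslVersions = tls1.2\nsslVersionsForClient = tls1.2\n"

if __name__ == "__main__":
    print(sslv3_findings(FROM_ANSWER))
    print(sslv3_findings(TLS12_ONLY))
```

The same functions can be pointed at the merged settings that btool prints, saved to a text file, to see what a running instance actually accepts.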

Engager

I have the same problem here. Would be nice to have a solution.

0 Karma

Communicator

Hi Deepdive,

Unfortunately I have not been able to find a solution to the issue. I have worked around this by creating a new Splunk 6.6.1 installation and copying the indexes and configurations across.

I have not yet attempted to upgrade to 6.6.2 again.

0 Karma

Contributor

I guess having your two comments here, along with the same issue in my environment, we can consider this as a Splunk bug?

0 Karma