Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- SSL Error between an UF and a Heavy Forwarder with...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I have a new UF (source) to send data to a HF (destination). Both are 7.0.5.
In the UF I have this error when I start it:
01-10-2019 11:57:57.163 +0100 ERROR TcpOutputFd - Read error. Connection reset by peer
My outputs.conf is this one:
[tcpout:to_prod_forwarder]
server=51.162.0.209:9995
useSSL = true
[SSL]
clientCert = /opt/splunkforwarder/etc/auth/server.pem
sslVersions = *
In the destination I have this error:
01-10-2019 10:57:57.196 +0000 ERROR TcpInputProc - Error encountered for connection from src=91.209.84.9:31318. error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
My inputs.conf (I have other sources sending logs with SSL with no problem, I cannot touch this inputs.conf)
[splunktcp-ssl://:9995]
index = web
sourcetype = webserver
[SSL]
serverCert = /opt/splunk/etc/certs/shf.pem
requireClientCert = false
sslPassword = pass...
allowSslRenegotiation = false
I read that this error hapened between Splunk versions 6.x with 7.x, but not with the same versions.
In the UF i tried to exclude ssl versions... only enabling tls but with no luck...
sslVersions = tls1.1, tls1.2
Any idea what is happening?
Thank you very much in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
The default of allowSslRenegotiation is true while your inputs.conf has false.
allowSslRenegotiation = false
According to SPEC, that would causes connectative issue.
allowSslRenegotiation = true|false
* In the SSL protocol, a client may request renegotiation of the connection
settings from time to time.
* Setting this to false causes the server to reject all renegotiation
attempts, which breaks the connection.
* This limits the amount of CPU a single TCP connection can use, but it can
cause connectivity problems, especially for long-lived connections.
* Defaults to true.
If this is not the case, kindly contact Splunk support and have the configuration and logs analyzed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
The default of allowSslRenegotiation is true while your inputs.conf has false.
allowSslRenegotiation = false
According to SPEC, that would causes connectative issue.
allowSslRenegotiation = true|false
* In the SSL protocol, a client may request renegotiation of the connection
settings from time to time.
* Setting this to false causes the server to reject all renegotiation
attempts, which breaks the connection.
* This limits the amount of CPU a single TCP connection can use, but it can
cause connectivity problems, especially for long-lived connections.
* Defaults to true.
If this is not the case, kindly contact Splunk support and have the configuration and logs analyzed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you! I will try to change this config
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try putting your serverCert in $SPLUNK_HOME/etc/auth/ folder.
Also go through below link:
Observe and Secure All Apps with Splunk
Splunk Decoded: Business Transactions vs Business IQ
Fastest way to demo Observability
