Security

Forwarder SSL compression don't work

Viaris
New Member

Hi Splunkers!

i'm trying to configure SSL compression beetween Forwarders & Indexers with default cert but the compression seem doesn't working.
On Indexer splunkd.log the flag useCompression is set to N --> useCompression=N and don't write the line "INFO TcpInputProc - Port 9998 is compressed" (based on https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/Validateyourconfiguration):

07-16-2019 12:18:06.615 +0200 DEBUG TcpInputConfig - stanza="SSL", rootCAPath="C:\Program Files\Splunk\etc\auth\cacert.pem", certFile="C:\Program Files\Splunk\etc\auth\server.pem", privateKeyFile="C:\Program Files\Splunk\etc\auth\server.pem", privateKeyPassword_set=Y, commonNameToCheck="", altNameToCheck="", allowSslRenegotiation=Y, sslVersions="SSL3,TLS1.0,TLS1.1,TLS1.2", cipherSuite="ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM", ecdhCurves="prime256v1, secp384r1, secp521r1", dhFile="", useCompression=N, quietShutdown=N
07-16-2019 12:18:06.625 +0200 DEBUG TcpInputConfig - Attempting to load token cache
07-16-2019 12:18:06.625 +0200 INFO TcpInputConfig - IPv4 port 9998 is reserved for splunk 2 splunk (SSL)
07-16-2019 12:18:06.625 +0200 INFO TcpInputConfig - IPv4 port 9998 will negotiate s2s protocol level 4
07-16-2019 12:18:06.626 +0200 DEBUG TcpInputConfig - global prop rdnsMaxDutyCycle=10

Any idea on what to check?

Thanks

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...