Hi,
After upgrading Splunk to 7.2.4, one curl search that was working perfectly in version 6.5.3 doesn't work anymore.
The result is
curl: (35) TCP connection reset by peer
I have tried using -k in the call, also indicating the SSL version with --tlsv1.2, and also updating openssl. But none of them have solved the problem.
Any idea how to solve this problem? The thing is that even a simple query returns the same message.
Thanks in advance
Right!!!!
What is happening is your curl request is being proxied to your proxy server.
When the proxy tries to resolve the connection to localhost, it tries to connect to 8089 on itself - clearly this will not work, so the connection is dropped.
Try:
curl --noproxy "*" -k -u admin:xxxxxxx --data-urlencode 'search=|savedsearch xxxxxxxx' -d output_mode=csv
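
The proxy routing described in this answer, as an added example that is not part of the original post: a shell sketch that approximates how curl picks a proxy from the environment, showing why https://localhost:8089 is sent to the proxy unless it is exempted. The function names are hypothetical, and no_proxy matching is simplified to plain host and domain names.

```shell
#!/bin/sh
# Added example: approximates curl's proxy choice from environment variables.
# Simplification (assumption): no_proxy entries are plain host or domain names.

# Host part of a URL, e.g. https://localhost:8089/services -> localhost
url_host() {
    h=${1#*://}; h=${h%%/*}; h=${h##*@}
    printf '%s\n' "${h%%:*}"
}

# Proxy curl would pick for the URL scheme; empty output means none is set.
proxy_for() {
    case $1 in
        https://*) p=${https_proxy:-$HTTPS_PROXY} ;;
        http://*)  p=$http_proxy ;;  # curl ignores upper-case HTTP_PROXY
        *)         p= ;;
    esac
    printf '%s\n' "${p:-${all_proxy:-$ALL_PROXY}}"
}

# Succeeds when no_proxy / NO_PROXY exempts the host ("*" exempts everything).
is_exempt() {
    host=$1; list=${no_proxy:-$NO_PROXY}; rc=1
    old_ifs=$IFS; IFS=,; set -f
    for entry in $list; do
        entry=${entry# }; entry=${entry#.}
        [ -n "$entry" ] || continue
        case $entry in \*) rc=0 ;; esac
        case $host in "$entry"|*".$entry") rc=0 ;; esac
    done
    IFS=$old_ifs; set +f
    return $rc
}

# Prints "direct" or "proxied via <proxy>" for the given URL.
route_for() {
    proxy=$(proxy_for "$1")
    if [ -z "$proxy" ] || is_exempt "$(url_host "$1")"; then
        echo direct
    else
        echo "proxied via $proxy"
    fi
}

if [ $# -gt 0 ]; then route_for "$1"; fi
```

Exporting no_proxy=localhost,127.0.0.1 in the environment has the same effect for this host as passing --noproxy on every call.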
Are curl and nss up to date?
https://serverfault.com/questions/606135/curl-35-ssl-connect-error
https://support.plesk.com/hc/en-us/articles/360006345633-Unable-to-connect-to-a-website-over-HTTPS-u...
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.36 zlib/1.2.7 libidn/1.28 libssh2/1.4.3
But I still have the same problem.
Try curl -k -v https://localhost:8089
and post the top of the response (remove anything sensitive)
CONNECT localhost:8089 HTTP/1.1
Host: localhost:8089
User-Agent: curl/7.29.0
Proxy-Connection: Keep-Alive
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0
curl: (35) TCP connection reset by peer
That looks very much like a firewall or something is dumping the connection.
Any chance you have a local FW?
The firewall is disabled
systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
Wait - can't believe I missed this:
can you run echo $https_proxy
and maybe echo $http_proxy
echo $https_proxy
http://x.x.x.x:8080/
echo $http_proxy
http://x.x.x.x:8080/
Are you performing this curl from Splunk to a remote webservice, or from another system to Splunk?
It might help if you can post the full curl statement (remove anything sensitive)
curl -k -u admin:xxxxxxx --data-urlencode 'search=|savedsearch xxxxxxxx' -d output_mode=csv https://localhost:8089/servicesNS/admin/xxxxxxx/search/jobs/export