Solved: Re: Why is curl search giving an error after upgra... - Splunk Community

Security

Hi,
After upgrade splunk to 7.2.4 one curl search that was working perfectly in version 6.5.3 doesn't work anymore.
The result is
curl: (35) TCP connection reset by peer

I have try using -k in the call, also indicate the ssl version --tlsv1.2 also update openssl. But none of them have solved the problem.

Any idea how to solve this problem. The thing is that even a simple query return the same message.

thanks in advance

1 Solution

Solution

Right!!!!

What is happening is your curl request is being proxied to your proxy server.
When the proxy tries to resolve the connection to localhost, it tries to connect to 8089 on itself - clearly this will not work, so the connection is dropped.

try:
curl --noproxy "*" -k -u admin:xxxxxxx --data-urlencode 'search=|savedsearch xxxxxxxx' -d output_mode=csv

If my comment helps, please give it a thumbs up!

View solution in original post

Solution

Right!!!!

What is happening is your curl request is being proxied to your proxy server.
When the proxy tries to resolve the connection to localhost, it tries to connect to 8089 on itself - clearly this will not work, so the connection is dropped.

try:
curl --noproxy "*" -k -u admin:xxxxxxx --data-urlencode 'search=|savedsearch xxxxxxxx' -d output_mode=csv

If my comment helps, please give it a thumbs up!

Is curl and nss up to date?

https://serverfault.com/questions/606135/curl-35-ssl-connect-error
https://support.plesk.com/hc/en-us/articles/360006345633-Unable-to-connect-to-a-website-over-HTTPS-u...

If my comment helps, please give it a thumbs up!

curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.36 zlib/1.2.7 libidn/1.28 libssh2/1.4.3

But still have the same problem

Try curl -k -v https://localhost:8089 and post the top of the response (remove anything sensitive)

If my comment helps, please give it a thumbs up!

CONNECT localhost:8089 HTTP/1.1
Host: localhost:8089
User-Agent: curl/7.29.0
Proxy-Connection: Keep-Alive
< HTTP/1.1 200 Connection established <
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0 curl: (35) TCP connection reset by peer

That looks very much like a firewall or something is dumping the connection.
Any chance you have a local FW?

If my comment helps, please give it a thumbs up!

The firewall is disabled

systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)

Wait - cant believe i missed this:
can you run echo $https_proxy
and maybe echo $http_proxy

If my comment helps, please give it a thumbs up!

echo $https_proxy
http://x.x.x.x:8080/

echo $http_proxy
http://x.x.x.x:8080/

Are you performing this curl from Splunk to a remote webservice, or from another system to Splunk?
It might help if you can post the full curl statement (remove anything sensitive)

If my comment helps, please give it a thumbs up!

curl -k -u admin:xxxxxxx --data-urlencode 'search=|savedsearch xxxxxxxx' -d output_mode=csv https://localhost:8089/servicesNS/admin/xxxxxxx/search/jobs/export

Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

Unleash the power of Splunk Observability Watch Now In this can't miss Tech Talk! The Splunk Growth ...