Splunk Enterprise Security

Splunk web is not accessible after installing ES 4.7, Socket error from x.x.x.x while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

saurabh_tek11
Communicator

i have installed ES 4.7 and it took long time to get installed (left it running last evening and this morning ES was up and running). pending restart. i restarted splunk but after that splunk web is not accessible.

same was happening when i tried installing ES 5(known issue) yesterday but then i removed that and fell back on more stable (IMO) ES4.7 version. Now my splunk web is not accessing on https any idea how to fix this

$INSTALL/var/log/splunk/splunkd.log says -

04-19-2018 10:08:03.390 +0400 WARN  HttpListener - Socket error from 10.1.23.202 while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

There are rw permissions to splunk (user) on /opt/splunk/etc/myinstall/splunkd.xml .

0 Karma
1 Solution

saurabh_tek11
Communicator

The intermediate WAF was the culprit.

View solution in original post

0 Karma

saurabh_tek11
Communicator

The intermediate WAF was the culprit.

View solution in original post

0 Karma

burakcinar
Path Finder

what's your splunk version ?
it seems there are some known issues for SSL .

http://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/Knownissues

server.conf
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf?

sample server.conf

 [sslConfig]
 sslVersions = *,-ssl2
 sslVersionsForClient = *,-ssl2
 cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
0 Karma

saurabh_tek11
Communicator

@burakcinar, The splunk version is splunk Enterprise 7.0.2 and ES version is 4.7
I have added your shared configs in my /system/local/server.conf and restarted splunk but that didnt bring the web accessible. Could you suggest something else.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!