Getting SSL_GET_RECORD:wrong version number error ...

davoilar · ‎03-09-2020

Hello!

I'm using version 7.3.4 of Splunk Light, rpm install on RHEL 8, forwarder same version and I'm getting this error in the forwarder log:"while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number", what is causing that?

Splunk console recognizes the host the forwarder is located, but unable to exchange data.

Thanks,
Dave

xavierashe · ‎03-09-2020

This looks like a TLS/SSL version mismatch. Try debugging the connection using

$ openssl s_client -debug -connect SPLUNK_SERVER:PORT

and then try adding flags from this set: -no_ssl2, -no_ssl3 and -no_tls1 to work out which version of SSL/TLS has to be enabled for the connection to succeed.

davoilar · ‎03-09-2020

Hello,

It is a bit disconcerting that both endpoints, server and forwarder, we installed on RHEL 8 via their respective RPM packages and I see this out of the box. Both end appear to be using TLS1.2.

Thanks,
Dave

xavierashe · ‎03-09-2020

Agreed. Is the connection going through web proxy or load balancer that could be monkeying with the TLS handshake?

davoilar · ‎03-09-2020

Nope. these are talking directly to one another with out a load balancer, or nginx or any other proxy mechanism in the middle.

:^)

Dave

Getting SSL_GET_RECORD:wrong version number error in Splunk Light 7.3.4

troubleshooting

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

Getting SSL_GET_RECORD:wrong version number error in Splunk Light 7.3.4

troubleshooting

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25