Hi team,
I'm trying to send a curl request from my local machine to a Splunk server, but I'm encountering the following error. Have you come across this error before? I've found similar issues on Stack Overflow, but none of the solutions seem to work for me. I thought reaching out here might provide quick support in case anyone has experienced a specific issue related to this. Thank you in advance for your assistance.
aaa.bbb@MyComputer-xxx ~ % curl https://1.1.1.1:8088/services/collector/raw -H "Authorization: Splunk XXXX-XXXX-XXXX-XXXX-XXXX" -d '{"event": "cheesecake"}' --insecure
Output:
curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
Thanks
OK. Wait a second. Do you even have TLS enabled on this port?
Check output of
openssl s_client -connect your_splunk_ip:8088
for errors as well as check your _internal index for errors regarding your client's IP.
Hi team,
In this output, it appears that TLS is enabled based on the following information:
XXX.XXX@XXX-XXX-XXX ~ % openssl s_client -connect 1.1.1.1:8088
CONNECTED(00000003)
140704518969088:error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version:/AppleInternal/Library/BuildRoots/d9889869-120b-11ee-b796-7a03568b17ac/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/ssl/tls13_lib.c:151:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 294 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1705416962
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
I don't understand, but the "Protocol" field indicates TLS version 1.3, and the "Cipher" field would typically show the cipher suite being used. The "Verify return code" of 0 indicates that the certificate verification was successful. However, there is an error related to the TLS protocol version alert, which might be due to a compatibility issue between the OpenSSL version used and the TLS version supported by the server. If this is not causing any problems with the connection, it might be negligible.
No. It can be a bit misleading, but it shows that TLS isn't properly configured on this port. With TLS you should have gotten a server certificate and all the gory encryption protocol details.
Also as you noticed yourself in the other comment - you can properly call curl requesting a simple non-encrypted http:// resource. Since Splunk doesn't serve both TLS-enabled and not-enabled services on the same port, it means you simply have to configure it.
Hi team,
Thank you for your support. The problem was solved when I changed the command by typing hostname instead of IP.
Hi,
First of all, thank you for your response. I am sharing the outputs I got when I tried using HTTP and HTTPS below. It may be due to the SSL setting of the HTTP collector, but I think there will be other logs affected.
XXX.XXX@XXX-XXX-XXX ~ % curl -kv http://1.1.1.1:8088/services/collector/raw -H "Authorization: Splunk XXX-XXX-XXX-XXX-XXX" -d '{"event": "cheesecake"}' --insecure
* Trying 1.1.1.1:8088...
* Connected to 1.1.1.1 (1.1.1.1) port 8088 (#0)
> POST /services/collector/raw HTTP/1.1
> Host: 1.1.1.1:8088
> User-Agent: curl/8.1.2
> Accept: */*
> Authorization: Splunk XXX-XXX-XXX-XXX-XXX
> Content-Length: 23
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 200 OK
< Date: Tue, 16 Jan 2024 14:31:55 GMT
< Content-Type: application/json; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 27
< Vary: Authorization
< Connection: Keep-Alive
< X-Frame-Options: SAMEORIGIN
< Server: Splunkd
<
* Connection #0 to host 1.1.1.1 left intact
{"text":"Success","code":0}%
XXX.XXX@XXX-XXX-XXX ~ % curl -kv https://1.1.1.1:8088/services/collector/raw -H "Authorization: Splunk XXX-XXX-XXX-XXX-XXX" -d '{"event": "cheesecake"}' --insecure
* Trying 1.1.1.1:8088...
* Connected to 1.1.1.1 (1.1.1.1) port 8088 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
* Closing connection 0
curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
You seem to be specifying that you want to use SSL (https) but you don't appear to be providing any certificates etc. Have you tried using http instead?
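Added example, not part of any post in this thread: a Python sketch of the check discussed above, classifying the first bytes a listener returns after a TLS ClientHello (5 bytes is the length of a TLS record header) and showing what an in-memory TLS client reports when the reply is plain HTTP. The sample replies and the hostname `splunk.example` are constructed, and the error name depends on the TLS library in use.

```python
import ssl

# TLS record content types (RFC 8446, section 5.1)
TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# Constructed sample replies
PLAINTEXT = b"HTTP/1.1 400 Bad Request\r\n\r\n"  # a listener without TLS answering in clear text
ALERT = bytes([21, 3, 3, 0, 2, 2, 70])           # TLS record: fatal alert, protocol_version (70)

def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server sent back after a TLS ClientHello."""
    if not data:
        return "no-reply"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"  # the port is not speaking TLS at all
    if len(data) >= 5:
        ctype, major, minor = data[0], data[1], data[2]
        length = int.from_bytes(data[3:5], "big")
        if ctype in TLS_TYPES and major == 3 and minor <= 4 and length <= 2**14 + 2048:
            return "tls-" + TLS_TYPES[ctype]
    return "unknown"

def client_handshake_error(reply: bytes) -> str:
    """Feed `reply` to an in-memory TLS client and return the error it raises."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    ctx = ssl.create_default_context()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="splunk.example")
    try:
        tls.do_handshake()       # writes the ClientHello into `outgoing`
    except ssl.SSLWantReadError:
        pass                     # expected: the client now waits for the server
    incoming.write(reply)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        return "incomplete"
    except ssl.SSLError as exc:
        return exc.reason or "ssl-error"
    return "handshake-continues"

if __name__ == "__main__":
    for name, sample in (("plaintext", PLAINTEXT), ("alert", ALERT)):
        print(name, classify_reply(sample), client_handshake_error(sample))
```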