Splunk Search

SSL error on non-SSL forwarder connection

Path Finder

We're trying to add a new Forwarder (6.6.1) to our indexer (non-SSL connection), we're able to connect to the forwarder just fine and everything seems correct but we're not seeing the forwarder on the deployment server.

In Splunkd.log we see the following error for the forwarder:

WARN HttpListener - Socket error from x.x.x.x while idling: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

What can be the cause of this error?

Splunk Employee
Splunk Employee

Hi mmoermans!

The UF will talk to the DS over port 8089 which is secured by default.

There are some key SSL configuration settings you can control, to ensure that the client/server or forwarder/indexers are on the same page when it comes to SSL.

I recommend taking a look at 6.6's known issues as it provides some insight on recent SSL changes/compatibility:

In your case I would start with server.conf and ensure sslConfig on the UF has the sslVersionsForClient & cipherSuite set to match your DS. What version is your DS running?

sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

Check out server.conf.spec for more info on all the SSL settings:


0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!