Splunk Search

SSL error on non-SSL forwarder connection

mmoermans
Path Finder

We're trying to add a new Forwarder (6.6.1) to our indexer (non-SSL connection), we're able to connect to the forwarder just fine and everything seems correct but we're not seeing the forwarder on the deployment server.

In Splunkd.log we see the following error for the forwarder:

WARN HttpListener - Socket error from x.x.x.x while idling: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

What can be the cause of this error?

mattymo
Splunk Employee
Splunk Employee

Hi mmoermans!

The UF will talk to the DS over port 8089 which is secured by default.

There are some key SSL configuration settings you can control, to ensure that the client/server or forwarder/indexers are on the same page when it comes to SSL.

I recommend taking a look at 6.6's known issues as it provides some insight on recent SSL changes/compatibility:
http://docs.splunk.com/Documentation/Splunk/6.6.1/ReleaseNotes/KnownIssues

In your case I would start with server.conf and ensure sslConfig on the UF has the sslVersionsForClient & cipherSuite set to match your DS. What version is your DS running?

[sslConfig]
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

Check out server.conf.spec for more info on all the SSL settings:

http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Serverconf#SSL_Configuration_details

- MattyMo
0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...