Re: SSL error on non-SSL forwarder connection

mmoermans · ‎10-02-2017

We're trying to add a new Forwarder (6.6.1) to our indexer (non-SSL connection), we're able to connect to the forwarder just fine and everything seems correct but we're not seeing the forwarder on the deployment server.

In Splunkd.log we see the following error for the forwarder:

WARN HttpListener - Socket error from x.x.x.x while idling: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

What can be the cause of this error?

mattymo · ‎10-02-2017

Hi mmoermans!

The UF will talk to the DS over port 8089 which is secured by default.

There are some key SSL configuration settings you can control, to ensure that the client/server or forwarder/indexers are on the same page when it comes to SSL.

I recommend taking a look at 6.6's known issues as it provides some insight on recent SSL changes/compatibility:
http://docs.splunk.com/Documentation/Splunk/6.6.1/ReleaseNotes/KnownIssues

In your case I would start with server.conf and ensure sslConfig on the UF has the sslVersionsForClient & cipherSuite set to match your DS. What version is your DS running?

[sslConfig]
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

Check out server.conf.spec for more info on all the SSL settings:

http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Serverconf#SSL_Configuration_details

- MattyMo

SSL error on non-SSL forwarder connection

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!