Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

SSL error on non-SSL forwarder connection

mmoermans
Path Finder
‎10-02-2017 05:20 AM

We're trying to add a new Forwarder (6.6.1) to our indexer (non-SSL connection), we're able to connect to the forwarder just fine and everything seems correct but we're not seeing the forwarder on the deployment server.

In Splunkd.log we see the following error for the forwarder:

WARN HttpListener - Socket error from x.x.x.x while idling: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

What can be the cause of this error?

Reply

mattymo
Splunk Employee
Splunk Employee
‎10-02-2017 05:54 AM

Hi mmoermans!

The UF will talk to the DS over port 8089 which is secured by default.

There are some key SSL configuration settings you can control, to ensure that the client/server or forwarder/indexers are on the same page when it comes to SSL.

I recommend taking a look at 6.6's known issues as it provides some insight on recent SSL changes/compatibility:
http://docs.splunk.com/Documentation/Splunk/6.6.1/ReleaseNotes/KnownIssues

In your case I would start with server.conf and ensure sslConfig on the UF has the sslVersionsForClient & cipherSuite set to match your DS. What version is your DS running?

[sslConfig]
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

Check out server.conf.spec for more info on all the SSL settings:

http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Serverconf#SSL_Configuration_details

- MattyMo
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...