SSL error on non-SSL forwarder connection

mmoermans · ‎10-02-2017

We're trying to add a new Forwarder (6.6.1) to our indexer (non-SSL connection), we're able to connect to the forwarder just fine and everything seems correct but we're not seeing the forwarder on the deployment server.

In Splunkd.log we see the following error for the forwarder:

WARN HttpListener - Socket error from x.x.x.x while idling: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

What can be the cause of this error?

mattymo · ‎10-02-2017

Hi mmoermans!

The UF will talk to the DS over port 8089 which is secured by default.

There are some key SSL configuration settings you can control, to ensure that the client/server or forwarder/indexers are on the same page when it comes to SSL.

I recommend taking a look at 6.6's known issues as it provides some insight on recent SSL changes/compatibility:
http://docs.splunk.com/Documentation/Splunk/6.6.1/ReleaseNotes/KnownIssues

In your case I would start with server.conf and ensure sslConfig on the UF has the sslVersionsForClient & cipherSuite set to match your DS. What version is your DS running?

[sslConfig]
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

Check out server.conf.spec for more info on all the SSL settings:

http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Serverconf#SSL_Configuration_details

- MattyMo

SSL error on non-SSL forwarder connection

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

SSL error on non-SSL forwarder connection

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk