I am on Splunk version 6.1.3 and trying to use a Splunk-supported cipherSuite from TLSv1.2, but it is causing the CLI command to fail, and as a result he is unable to push the cluster bundle or use the REST endpoint of the peer.
Here is the configuration:
../etc/system/local/server.conf [sslConfig]
../etc/system/local/server.conf allowSslCompression = false
../etc/system/default/server.conf allowSslRenegotiation = true
../etc/system/default/server.conf caCertFile = cacert.pem
../etc/system/default/server.conf caPath = ../etc/auth
../etc/system/default/server.conf certCreateScript = ../bin/splunk, createssl, server-cert
../etc/system/local/server.conf cipherSuite = AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384
../etc/system/local/server.conf enableSplunkdSSL = true
../etc/system/default/server.conf sendStrictTransportSecurityHeader = false
../etc/system/default/server.conf sslKeysfile = server.pem
../etc/system/local/server.conf sslKeysfilePassword = #####
../etc/system/local/server.conf supportSSLV3Only = True
../etc/system/local/server.conf useClientSSLCompression = false
../etc/system/local/server.conf useSplunkdClientSSLCompression = false
The issue is that CLI commands or REST endpoints are failing with an error:
./splunk list monitor results in the error:
Splunk is not running, and it must be for this operation. To start splunk, run "splunk start". (02)
The CLI command to check the bundle status also results in an error:
splunk show cluster-bundle-status
Failed to contact the master. ERROR:
Couldn't complete HTTP request: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
The REST endpoint gives an error:
curl -u admin:changeme -k https://localhost:8089/services/search/jobs -d"search=search *"
curl: (35) SSL connect error