I've battled this issue so many times - nclancy, your comment was very helpful, however - I still had some issues.
At first, I opted to add the following to $SPLUNK_HOME/etc/system/local/inputs.conf:
[applicationsManagement]
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
I believe there's a bug, because after a Splunk restart, the btool debug didn't report the change:
$ ./splunk btool inputs list --debug | grep cipher
/opt/splunkforwarder/etc/system/default/inputs.conf cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
I ended up editing $SPLUNK_HOME/etc/system/default/inputs.conf and it did the trick. No more SSLv3 errors!
If you're at Splunk and can replicate this issue, I'm happy to provide a diag so we can address this bug.
Thanks!
... View more