Upon investigating the underlying Python code for the search peer check I found that these settings need to be set in server.conf: [sslConfig]
requireClientCert = True
verifyServerCert = True Here is the search to check those specific settings from the GUI: | rest /services/configs/conf-server/sslConfig | table requireClientCert, verifyServerCert Both of these values should exist and be set to 1 for the check to pass. Interestingly, I cannot find "verifyServerCert" referenced in any documentation. Wondering if this is a bug in the check itself and the developer actually meant "sslVerifyServerCert". While these settings are what is required by the check, it will not make the check pass. This is due the utility library used by the Upgrade Readiness App not supporting client certificate authentication. When running with what should be passing settings, entries in logs similar to the following are found like @triptraptresko posted: 09-09-2022 08:00:06.093 +0000 WARN SSLCommon [10232 HttpDedicatedIoThread-7] - Received fatal SSL3 alert. ssl_state='error', alert_description='handshake failure'.
09-09-2022 08:00:06.093 +0000 WARN HttpListener [10232 HttpDedicatedIoThread-7] - Socket error from 127.0.0.1:36446 while idling: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate This problem exists in at least version 9.0.3 (appears to be the latest version of the app as shipped with Splunk Enterprise 9.0.1) of the app. I don't have any other data to support it existing in other versions, but presume that it exists in the versions prior to 9.0.3 as well. For a temporary workaround, the utility can be patched to support client certificate authentication with the following modifications to the "get_connection_object" method (line 721 for me) in the etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/pura_utils.py file: def get_connection_object(session_key, owner=None):
"""
Create a new connection object for oneshot.
:param session_key: Session key of the logged in user.
:return: oneshot connection object.
"""
logging.info("Creating a new connection object for oneshot.")
try:
args = {"token": session_key}
if owner:
args["owner"] = owner
# begin fix for client cert auth
args["key_file"] = "<path to key file>"
args["cert_file"] = "<path to cert file>"
# end fix for client cert auth
service = client.connect(**args)
return service
except Exception as e:
logging.exception(str(e))
return None Restart Splunk after the code update, and the app should be able to perform the checks successfully without the peer certificate errors. Both the occurrence of "verifyServerCert" in the check and unsupported client certificate authentication seem like bugs to me, so I'm going to try to report them appropriately.
... View more