I recently upgraded a Splunk cluster from v6.5.2 to v7.0.1. There was one thing that wasn't covered in the release notes. After upgrading my first host (master node), I couldn't execute CLI commands. Splunk threw the following error:

    $ splunk enable maintenance-mode
    Couldn't complete HTTP request: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Splunk Support admitted that they have some SSL bugs in the new release, and that this was one of them. To work around this, you can make the following edits in server.conf:

    [sslConfig]
    sslVersions = *,-ssl2
    sslVersionsForClient = *,-ssl2
    cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

Once this is done, restart Splunk and try the CLI again. You should be back in business.
I had to update server.conf on most of my Splunk server hosts (master node, search heads, deployers, deployment server, license master, etc.) but for some reason not on my indexers. I'm not sure why, as both my indexers and search heads run the same OS and had the same OpenSSL package installed. Hopefully this helps anyone out there with a similar issue.
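An added example, not from the original post or from Splunk: a small Python audit that expands each sslVersions value in [sslConfig] and reports which protocols older than TLS 1.2 it leaves enabled, which is worth knowing before rolling the workaround out to every host. It assumes the token semantics described in Splunk's server.conf spec (`*` selects all supported versions, `tls` selects TLS 1.0 and later, a `-` prefix removes a version, SSLv2 is never enabled) and left-to-right evaluation; the function names are hypothetical.

```python
# Added example: expand Splunk sslVersions values and flag legacy protocols.
# Token semantics are an assumption based on the server.conf spec.
ALL_VERSIONS = ["ssl3", "tls1.0", "tls1.1", "tls1.2"]
LEGACY = {"ssl3", "tls1.0", "tls1.1"}

def expand_versions(value):
    """Return the set of protocol versions an sslVersions value enables."""
    enabled = set()
    for token in (t.strip().lower() for t in value.split(",")):
        if not token:
            continue
        remove = token.startswith("-")
        name = token.lstrip("-")
        if name == "*":
            group = set(ALL_VERSIONS)
        elif name == "tls":
            group = {"tls1.0", "tls1.1", "tls1.2"}
        elif name in ALL_VERSIONS:
            group = {name}
        else:  # "ssl2" and unknown tokens: SSLv2 is never enabled
            group = set()
        enabled = enabled - group if remove else enabled | group
    return enabled

def audit_sslconfig(conf_text):
    """Map each sslVersions* key in [sslConfig] to the legacy protocols it enables."""
    findings, in_stanza = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_stanza = line == "[sslConfig]"
            continue
        if in_stanza and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower().startswith("sslversions"):
                findings[key] = sorted(expand_versions(value) & LEGACY)
    return findings

# Constructed sample: the stanza from the post above.
WORKAROUND = """[sslConfig]
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
"""

if __name__ == "__main__":
    for key, legacy in audit_sslconfig(WORKAROUND).items():
        print(f"{key}: legacy protocols enabled -> {legacy or 'none'}")
```

The audit only covers the protocol version keys; the cipherSuite string is not evaluated.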
4 Comments
Rik
4/1/2018 08:10:43 am
This was a lifesaver. Thank you! Searched and debugged for hours until I found your article.
Carl
7/26/2018 02:07:16 pm
Thanks! Bit me today trying to change cipherSuite on Splunk 7.0.3 system.
Mike B.
11/25/2019 03:12:08 am
Thanks so much! This is still a "bug" in 7.2.7! You rock!
Mitch
12/31/2019 08:47:15 am
This also worked for me and was configured on only the Heavy Forwarder for Splunk 7.2.6. Thanks!
Author: Mason Morales