streamfwd SSL decryption error (DSSL library err...

ekremikizoglu · ‎10-18-2016

Hi,

I am testing "App For Stream" App(6.6.1) to capture https traffics. I added pem file to keystore.db as descr. belowlink
http://docs.splunk.com/Documentation/StreamApp/6.6.1/DeployStreamApp/EnableSSLforStreamForwarder

But i am getting errors in streamfwd.log. (DSSL library error code -41)

Error line:
2016-10-17 17:37:02 WARN 11592 stream.SnifferReactor - SSL decryption error (DSSL library error code -41) (ssl) [c=yyyyyyy:61914, s=xxxxxx:8282]

Anyone can help me?

Thanks

ekremikizoglu · ‎11-29-2016

Hi,

The issue appears to be caused by the Extended Master Secret Key extension (https://tools.ietf.org/html/rfc7627) being negotiated between the client and the server. Stream currently doesn't support this extension, so the workaround would be to turn it off on the server side.

Thanks.

vshcherbakov_sp · ‎10-18-2016

Hi @ekremikizoglu,

This is a rather rare error - it basically indicates a symmetric decryption failure. Do you happen to know what TLS version/cipher suite is been negotiated? (you can use Stream to track it by capturing tcp traffic and enabling ssl_cipher_name and/or ssl_cipher_id fields)

ekremikizoglu · ‎10-26-2016

Hi,

I generated this certificate on iis server ,Self signed TLS1.2 RSA AES_256_GCM, for testing decription feature of stream app. I published website and enable ssl communication. Then i installed splunk to capture https traffic. But i got the error.

streamfwd SSL decryption error (DSSL library error code -41)

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases