Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can you help me with my Amazon Web Services ELB with search head cluster Issues?

freaklin
Path Finder
‎01-30-2019 01:37 PM

I have a Splunk 7.1.2 cluster, using Search Head Cluster with AWS Load Balancer. It works fine. The server.conf says

[settings]
httpport = 443
enableSplunkWebSSL = true
privKeyPath = /path/to/mycert.key
caCertPath = /path/to/mycert.pem

Now I'm deploying a brand new cluster with the 7.2.3 version, with the same server.conf, but the load balancer doesn't recognize the instances as Healthy. In the splunkd.log, for every check from the load balancer, which is a get on https://splunkhostIP/en-US/account/login?return_to=%2Fen-US%2F, I receive these two messages when It happens.

 01-30-2019 21:27:18.107 +0000 WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client hello C', alert_description='handshake failure'.
01-30-2019 21:27:18.107 +0000 WARN  HttpListener - Socket error from 172.16.77.204:3955 while idling: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

The IP in the message is a Loadbalancer internal IP, calling the instance for healthcheck.

The old search head cluster instances don't show me these same warning messages.

The old cluster has the exact same scenario and except for the Splunk version.

The certificate file is the same for both, and they work exactly alike, calling on the browser with a name, for the Certificate is a Digicert Signed.

And calling using IP, they complain about the certificate, but when I accept to see even "unsafe", they have the same behavior.

I saw some issues with the same Warning messages, but the issues are not like mine.

I really appreciate any help.

Reply

blacktaco
New Member
‎07-09-2019 02:00 PM

I am encountering the same issue. After upgrading from 6.5.x -> 6.6 -> 7.3, communication between the ELB and instances behind result in time out. Though we set the ciphers on the ELB to explicitly use stronger algorithms, the ELB uses ssl3 ciphers.

When going to the search head directly, however, communication with TLSv1.2 ciphers are successful.

Not sure exactly what the issue is, but all tests allude to a bad config on the ELB.

If functionality is more important than security, you can enable all cipher suites. However, it is not recommended you keep these settings. If you come across a solution, please be sure to share it on the thread.

web.conf

sslCiphers = ALL

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...