TLDR: I was missing

1. outputs.conf on the sender (client)
useSSL = true

Thank you to michael_bates_1, in thread https://community.splunk.com/t5/Getting-Data-In/Why-am-I-having-trouble-with-TLS/m-p/634513/highlight/false#M108573

After following the documentation on how to enable SSL between forwarders and indexers, I got the error

ERROR TcpInputProc - Error encountered for connection from src=10.1.1.34:50772. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

In the documentation: https://docs.splunk.com/Documentation/Splunk/9.0.1/Security/ConfigureSplunkforwardingtousesignedcertificates#Configuration_file_examples_for_configuring_TLS_certificates_on_receiving_indexers , it specifies

[SSL]
requireClientCert = true

Which, if you drop it, will affect your outputs.conf -> useSSL. It says if requireClientCert is defined, then useSSL will be true. In my case, I mindlessly thought you could set requireClientCert=false...

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

#----Secure Sockets Layer (SSL) Settings----
# To set up SSL on the forwarder, set the following setting/value pairs.
# If you want to use SSL for authentication, add a stanza for each receiver
# that must be certified.
useSSL = <true|false|legacy>
* Whether or not the forwarder uses SSL to connect to the receiver, or relies
on the 'clientCert' setting to be active for SSL connections.
* You do not need to set 'clientCert' if 'requireClientCert' is set to
"false" on the receiver.
* A value of "true" means the forwarder uses SSL to connect to the receiver.
* A value of "false" means the forwarder does not use SSL to connect to the
receiver.
* The special value "legacy" means the forwarder uses the 'clientCert' property to
determine whether or not to use SSL to connect.
* Default: legacy
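Added example, not part of the original post and not Splunk's own code: a small pre-deployment check that applies the useSSL rules quoted above to a forwarder's outputs.conf and a receiver's inputs.conf, and flags the mismatch behind the "unknown protocol" error. The function names, hosts, ports and paths are assumptions; it matches on port only and does not model inheritance from a global [tcpout] stanza.

```python
import configparser

def parse_conf(text):
    """Parse Splunk .conf text (INI-like), keeping setting names case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def forwarder_uses_tls(stanza):
    """Apply the useSSL rules quoted above; 'legacy' is the documented default."""
    mode = stanza.get("useSSL", "legacy").strip().lower()
    if mode == "legacy":  # legacy: TLS only if clientCert is set
        return bool(stanza.get("clientCert", "").strip())
    return mode == "true"

def check_pair(outputs_text, inputs_text):
    """Return findings for a forwarder outputs.conf against a receiver inputs.conf."""
    outputs, inputs = parse_conf(outputs_text), parse_conf(inputs_text)
    tls_ports = {s.split(":", 1)[1] for s in inputs.sections()
                 if s.startswith("splunktcp-ssl:")}
    need_cert = (inputs.get("SSL", "requireClientCert", fallback="false")
                 .strip().lower() == "true")
    findings = []
    for name in outputs.sections():
        if not name.startswith("tcpout:"):
            continue
        stanza = outputs[name]
        ports = {srv.strip().rsplit(":", 1)[-1]
                 for srv in stanza.get("server", "").split(",") if srv.strip()}
        if not ports & tls_ports:
            continue  # this group does not target a TLS listener
        if not forwarder_uses_tls(stanza):
            findings.append(f"{name}: cleartext to TLS port, set useSSL = true")
        elif need_cert and not stanza.get("clientCert", "").strip():
            findings.append(f"{name}: receiver requires clientCert, none set")
    return findings

# Constructed sample configs (hosts, ports and paths are made up).
RECEIVER = """
[splunktcp-ssl:9997]
[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/server.pem
requireClientCert = false
"""
BROKEN = "[tcpout:idx]\nserver = idx1.example.com:9997\n"
FIXED = BROKEN + "useSSL = true\n"

if __name__ == "__main__":
    print(check_pair(BROKEN, RECEIVER), check_pair(FIXED, RECEIVER))
```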