IBM Support

QRadar: "Successful SSL handshake with unverified certificate" warning in log source configuration



When testing your firewall configuration in the Log Source Manager, it displays a warning similar to the following: "Warning: Successful SSL handshake with unverified certificate using Protocol [TLSv1.2] and Cipher Suite [SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384]"
This warning is expected with self-signed certificates.


The logs flow into QRadar successfully, and the packets moving through the port are still encrypted, but the Firewall settings of the Log Source Configuration show a warning similar to the following:
SSL warning



The warning indicates that you are using a self-signed certificate. The certificate might be your own or the syslog-tls.cert from the QRadar console.
If you use the "Generated certificate" option for your "Server Certificate Type", the certificate in use is the syslog-tls.cert one. You can check that in the Protocol panel:
Protocol settings


Resolving The Problem

If you are using a self-signed certificate, this warning is expected.
If your network does not allow self-signed certificates, you must reconfigure your log source configuration. After your certificate is prepared, to configure a TLS log source, see the following documentation: Configuring a TLS log source.
Note: The Log Source Management app supports PEM Certificate and Private Key and PKCS12 Certificate Chain and Password certificate types.

Document Location


[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt0AAA","label":"Log Source"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
31 July 2023