topic Re: Does Splunk for NetWitness support SSL access to the Rest API? in All Apps and Add-ons

Does Splunk for NetWitness support SSL access to the Rest API?

pauln75 — Mon, 28 Sep 2020 10:24:11 GMT

We have a netwitness box which has its Rest interface on an SSL URL. Does the Splunk for NetWitness app support SSL URLs.

Can you specify an https URL?

top_level_url=https://servername:50104/

Thanks, Paul

Re: Does Splunk for NetWitness support SSL access to the Rest API?

rataide — Wed, 08 Feb 2012 12:24:00 GMT

Hi Paul,

I haven't tested it but it should. The app uses Python's urllib2 library that has support for HTTPS too.

Is it not working for you? I would expect it to be supported and if not I will definitely look at fixing it.

Thank you,

Rui

Re: Does Splunk for NetWitness support SSL access to the Rest API?

rgonzale6 — Wed, 08 Feb 2012 21:40:59 GMT

I'd be interested as well. Out of the box I get this error:

2012-Feb-08 21:33:10 - ERROR: <urlopen error [Errno 8] _ssl.c:508: EOF occurred in violation of protocol>
2012-Feb-08 21:33:10 - ERROR: Couldn't execute summary query. Existing...

Re: Does Splunk for NetWitness support SSL access to the Rest API?

rataide — Wed, 08 Feb 2012 22:46:31 GMT

I will have a look at it as soon as possible.

Thank you for the feedback,

Rui

Re: Does Splunk for NetWitness support SSL access to the Rest API?

pauln75 — Fri, 10 Feb 2012 19:08:43 GMT

Hey Rui,

I get the exact msgs as rgonzale6. Thanks for the help.

Paul

Re: Does Splunk for NetWitness support SSL access to the Rest API?

rataide — Mon, 13 Feb 2012 18:56:25 GMT

Hi all,

Quick update! This is definitely an issue, I just confirmed it on my end too.

It's to do with the negotiation of SSL, the server only accepts TLSv1 and the client keeps trying to negotiate SSLv2.

I'm looking into it. Apologies for the inconvenience.

Thank you,

Rui

Re: Does Splunk for NetWitness support SSL access to the Rest API?

rgonzale6 — Mon, 13 Feb 2012 20:33:07 GMT

Makes sense, as I am able to do this just fine...

curl -u user:pass --tls --insecure -vv "https://netwitness_server.foo.bar:50103/sdk?

msg=summary&id1=0&id2=0&size=2000&force-content-type=text/plain"

Re: Does Splunk for NetWitness support SSL access to the Rest API?

rataide — Tue, 14 Feb 2012 14:41:50 GMT

Thank you for bringing this issue to my attention.

After looking into the issue, the problem lies, as mentioned in the comments, in the fact that Python's default urllib2 and SSL libraries are hard-coded to only negotiate SSLv23 with servers, however in order to be FIPS compliant the NW services only accept TLS connections.

The main reason to go with default/existing libraries was to avoid users having to install additional packages under Splunk's Python distribution and therefore making the deployment of this app easier. I can definitely look at other options but that will force code changes and the need to install additional Python libraries under Splunk, not impossible but not trivial either.

There is a major hack that will solve the issue but one that most, me included, would rather not use. Simply change the hard-coded value from SSLv23 to TLSv1 on your SSL module/library in Splunk's Python distribution. Make sure you save a backup copy of the file before you make any changes!

The gory details:

Filename: $SPLUNK_HOME/lib/python2.7/ssl.py
Line: 365
Function: wrap_socket
Change: ssl_version=PROTOCOL_SSLv23 to ssl_version=PROTOCOL_TLSv1

My initial tests show that Splunk continues to work and splunkd supports TLSv1 so that shouldn't cause any major problems.

I will look at possible alternatives and please bare in mind that any Splunk upgrade can potentially break this hack. I will also note on the README and App page that SSL is currently not supported by Python and will redirect other users to this answer.

Thank you,

Rui

Re: Does Splunk for NetWitness support SSL access to the Rest API?

rgonzale6 — Wed, 15 Feb 2012 22:47:37 GMT

Success! Worked perfectly for me. Thanks for the follow-up!