
Does Splunk for NetWitness support SSL access to the Rest API?

pauln75
Explorer

We have a NetWitness box which has its REST interface on an SSL URL. Does the Splunk for NetWitness app support SSL URLs?

Can you specify an https URL?

top_level_url=https://servername:50104/

Thanks, Paul

rataide
Path Finder

Thank you for bringing this issue to my attention.

After looking into the issue, the problem lies, as mentioned in the comments, in the fact that Python's default urllib2 and SSL libraries are hard-coded to only negotiate SSLv23 with servers; however, in order to be FIPS compliant, the NW services only accept TLS connections.

The main reason to go with default/existing libraries was to avoid users having to install additional packages under Splunk's Python distribution and therefore making the deployment of this app easier. I can definitely look at other options but that will force code changes and the need to install additional Python libraries under Splunk, not impossible but not trivial either.

There is a major hack that will solve the issue but one that most, me included, would rather not use. Simply change the hard-coded value from SSLv23 to TLSv1 on your SSL module/library in Splunk's Python distribution. Make sure you save a backup copy of the file before you make any changes!

The gory details:


Filename: $SPLUNK_HOME/lib/python2.7/ssl.py
Line: 365
Function: wrap_socket
Change: ssl_version=PROTOCOL_SSLv23 to ssl_version=PROTOCOL_TLSv1

My initial tests show that Splunk continues to work and splunkd supports TLSv1 so that shouldn't cause any major problems.

I will look at possible alternatives, and please bear in mind that any Splunk upgrade can potentially break this hack. I will also note on the README and App page that SSL is currently not supported by Python and will redirect other users to this answer.

Thank you,

Rui
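
Added example, not part of the original thread or the app's code: the same protocol choice scoped to one HTTPS opener instead of an edit to the interpreter-wide ssl.py, with certificate checks left on. It assumes Python 3's ssl.SSLContext (not the Python 2.7 bundled with Splunk at the time) and HTTP basic auth; the function names and the nw.example.invalid host are hypothetical.

```python
import ssl
import urllib.error
import urllib.request


def make_tls_context(min_version=ssl.TLSVersion.TLSv1_2, cafile=None):
    """Client context that refuses anything below min_version.

    Certificate and hostname checks stay on; pass cafile for a private CA.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = min_version
    return ctx


def build_rest_opener(base_url, user, password, context):
    """Opener whose HTTPS connections use only the given context."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, base_url, user, password)
    return urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=context),
        urllib.request.HTTPBasicAuthHandler(mgr),
    )


# OpenSSL reason codes that indicate no common protocol version.
_VERSION_REASONS = {"UNSUPPORTED_PROTOCOL", "TLSV1_ALERT_PROTOCOL_VERSION"}


def looks_like_protocol_mismatch(exc):
    """True for handshake failures typical of a version mismatch,
    including the 'EOF occurred in violation of protocol' case."""
    err = exc.reason if isinstance(exc, urllib.error.URLError) else exc
    if isinstance(err, ssl.SSLEOFError):
        return True
    return (isinstance(err, ssl.SSLError)
            and getattr(err, "reason", None) in _VERSION_REASONS)


if __name__ == "__main__":
    # Hypothetical host; .invalid never resolves, so this only shows the flow.
    base = "https://nw.example.invalid:50104/"
    opener = build_rest_opener(base, "user", "pass", make_tls_context())
    try:
        opener.open(base + "sdk?msg=summary", timeout=5)
    except urllib.error.URLError as exc:
        print("protocol mismatch" if looks_like_protocol_mismatch(exc) else exc)
```

Because the context belongs to this opener only, other code in the same interpreter keeps its own defaults, and an upgrade that replaces ssl.py does not undo the setting.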

rgonzale6
Path Finder

Success! Worked perfectly for me. Thanks for the follow-up!

0 Karma

rgonzale6
Path Finder

Makes sense, as I am able to do this just fine...

curl -u user:pass --tls --insecure -vv "https://netwitness_server.foo.bar:50103/sdk?msg=summary&id1=0&id2=0&size=2000&force-content-type=text/plain"

0 Karma

rataide
Path Finder

Hi all,

Quick update! This is definitely an issue; I just confirmed it on my end too.

It's to do with the negotiation of SSL: the server only accepts TLSv1 and the client keeps trying to negotiate SSLv2.

I'm looking into it. Apologies for the inconvenience.

Thank you,

Rui

pauln75
Explorer

Hey Rui,

I get the exact msgs as rgonzale6. Thanks for the help.

Paul

rataide
Path Finder

I will have a look at it as soon as possible.

Thank you for the feedback,

Rui

rgonzale6
Path Finder

I'd be interested as well. Out of the box I get this error:

2012-Feb-08 21:33:10 - ERROR: <urlopen error [Errno 8] _ssl.c:508: EOF occurred in violation of protocol>
2012-Feb-08 21:33:10 - ERROR: Couldn't execute summary query. Existing...
0 Karma

rataide
Path Finder

Hi Paul,

I haven't tested it but it should. The app uses Python's urllib2 library that has support for HTTPS too.

Is it not working for you? I would expect it to be supported and if not I will definitely look at fixing it.

Thank you,

Rui
