Splunk python SDK SSL error

patelaa
Explorer

When running a python script I keep getting the following error when trying to connect to splunk version 6.6.1:

ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:590)

The exact same script runs fine when connecting to a different splunk instance running 6.5.2 and https is turned on for both instances.

I'm running the python script on OSX 10.12.6, the splunk sdk is v1.6.2, and python v2.7.10.

Anyone know what I'm doing wrong here?

1 Solution

patelaa
Explorer

So after shelving my project for a little while I came back to it and got it figured out. It definitely had to do with the SSL versions. I came across a Splunk docs page of known 6.6.1 issues and used the workaround from issue SPL-139019

2017-03-20 SPL-139019 Possible compatibility issues between Python / SDK clients and new 6.6 default sslVersions, cipherSuites

Workaround:
Users can do either of the following:
1. Overwrite the new Splunk 6.6 server.conf [sslConfig] sslVersions, cipherSuites with your own settings that are compatible with your version of OpenSSL, e.g. the previous defaults from 6.5.x are compatible with OpenSSL 0.9.8 on Mac OSX:

[sslConfig]
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

kkrishnan_splun
Splunk Employee

Thank you. This resolved the issue I was having too.

0 Karma

allisonwalther
Path Finder

Thanks for looking into this a little more!

I found that Mac OS X's system Python screws things up. Another solution to this problem would be 'brew install python'. It installs a 'python2' package with a newer version of openssl (>1). You can then use 'python2' to run programs and entirely avoid making any Splunk configuration changes.
Note: to install modules for the 'python2' package, use 'python2 -m pip install '.

ciorg
Engager

Thank you - this fixed my problem. A good reminder to not base my program on the system python.

abhutiani
Explorer

Not sure if you are still having this issue, but I just ran into the same problem and had to update my OpenSSL version in order to support the TLS 1.2 connection. After updating that, everything worked fine.

0 Karma

jkat54
SplunkTrust

This is saying tls version 1 is in use.

In /opt/splunk/etc/system/local/server.conf add or modify the following:

[sslConfig]
sslVersions=tls1.2

The above will force tls1.2 after a restart.
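The accepted answer's [sslConfig] workaround and the sslVersions=tls1.2 stanza above are two ends of the same dial, so here is an added example (not Splunk's code and not a script from this thread) that models the server.conf sslVersions token syntax and checks whether a given client build can still complete a handshake. The names parse_ssl_versions, negotiable_versions, assess and the LEGACY_MAC_CLIENT set are assumptions introduced here; the client set stands in for Apple's bundled OpenSSL 0.9.8, and local_client_versions() reads what the running interpreter's own OpenSSL supports:

```python
"""Model the server.conf [sslConfig] sslVersions setting and check which
protocol versions a given client can still negotiate.

Added illustrative code, not Splunk's or the thread author's. The token syntax
follows server.conf.spec: names ssl3, tls1.0, tls1.1, tls1.2; '*' selects all;
'tls' selects tls1.0 and newer; a leading '-' removes; '-ssl2' is accepted and
ignored because SSLv2 is always disabled.
"""
import ssl

ALL_VERSIONS = ("ssl3", "tls1.0", "tls1.1", "tls1.2")

# Flags the Python ssl module exposes for each protocol (missing -> False).
_SSL_FLAGS = {
    "ssl3": "HAS_SSLv3",
    "tls1.0": "HAS_TLSv1",
    "tls1.1": "HAS_TLSv1_1",
    "tls1.2": "HAS_TLSv1_2",
}

# Assumption: what Apple's bundled OpenSSL 0.9.8 could speak (no TLS 1.1/1.2).
LEGACY_MAC_CLIENT = frozenset({"ssl3", "tls1.0"})


def parse_ssl_versions(setting):
    """Return the set of protocol versions enabled by an sslVersions value."""
    enabled = set()
    for raw in setting.split(","):
        token = raw.strip().lower()
        if not token:
            continue
        remove = token.startswith("-")
        name = token[1:] if remove else token
        if name == "*":
            selected = set(ALL_VERSIONS)
        elif name == "tls":
            selected = {"tls1.0", "tls1.1", "tls1.2"}
        elif name == "ssl2":
            selected = set()          # tolerated in the list, never enabled
        elif name in ALL_VERSIONS:
            selected = {name}
        else:
            raise ValueError("unknown sslVersions token: %r" % raw)
        if remove:
            enabled -= selected
        else:
            enabled |= selected
    return enabled


def negotiable_versions(server_setting, client_versions):
    """Versions both sides accept. Empty means the server answers the
    ClientHello with a protocol_version alert, i.e. the error in the question."""
    return parse_ssl_versions(server_setting) & set(client_versions)


def local_client_versions():
    """Protocol versions the running interpreter's OpenSSL build supports."""
    return {v for v, flag in _SSL_FLAGS.items() if getattr(ssl, flag, False)}


def assess(server_setting, client_versions):
    """One-line verdict for a server setting / client capability pair."""
    common = negotiable_versions(server_setting, client_versions)
    if not common:
        return "no common protocol version: expect TLSV1_ALERT_PROTOCOL_VERSION"
    best = max(common, key=ALL_VERSIONS.index)
    verdict = "handshake possible at %s" % best
    if best in ("ssl3", "tls1.0"):
        verdict += " (only deprecated protocol versions are shared)"
    return verdict


if __name__ == "__main__":
    print("local OpenSSL: %s -> %s" % (ssl.OPENSSL_VERSION, sorted(local_client_versions())))
    for setting in ("tls1.2", "*,-ssl2", "tls1.1,tls1.2"):
        print("%-14s legacy mac client: %s" % (setting, assess(setting, LEGACY_MAC_CLIENT)))
        print("%-14s this interpreter:  %s" % (setting, assess(setting, local_client_versions())))
```

Running it shows the trade-off the thread is circling: the "*,-ssl2" workaround re-enables SSLv3 and TLS 1.0 for every client of that management port, whereas fixing the client's OpenSSL (the brew or OpenSSL-upgrade replies below) leaves the server at tls1.2 only. The first line of output is also a quick way to confirm which OpenSSL a given python binary is actually linked against.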

castille_cisco
Engager

Doesn't work.... any other idea?

0 Karma

jkat54
SplunkTrust

Can you post your code?

0 Karma

castille_cisco
Engager

trying with basic connection, to isolate... in v6.5.x worked fine.

    import splunklib.client as client

    HOST = "xxx.xxx.xxx.xxx"
    PORT = 8089
    USERNAME = "admin"
    PASSWORD = "changeme"

    # Create a Service instance and log in
    service = client.connect(
        host=HOST,
        port=PORT,
        username=USERNAME,
        password=PASSWORD)

    # Print installed apps to the console to verify login
    for app in service.apps:
        print(app.name)

0 Karma

jkat54
SplunkTrust

Send me the output of this please

 ./splunk cmd openssl s_client -connect localhost:8089
0 Karma

castille_cisco
Engager

CONNECTED(00000003)
depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = support@splunk.com

verify error:num=19:self signed certificate in certificate chain

Certificate chain
0 s:/CN=SplunkServerDefaultCert/O=SplunkUser
i:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
1 s:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com

i:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com

Server certificate
-----BEGIN CERTIFICATE-----
MIICLTCCAZYCCQDR5ridhjM7qzANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJV
UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoM
MbvfdIQ7Q309v2zuclnJ8rZrFUmlmMlBuYFxE85HWX1EfZN4O1xhAmp6t385KZ8l
5hMSuUeUNEVqAIY4K3CDaVAKSDROLbtfMQIDAQABMA0GCSqGSIb3DQEBBQUAA4GB
AFrm/LzR52qBKau5gpu570lVkYu4NaOZqbtpnkC1cYYLFS7gkYpEoFfrFCYqCpAB
ic6lLIBCeRXWW95Yhi195v2lVp4PwG5lQ2Nc0EtsHQhJ68/ZXRjRbjeagrt01VxQ
GU1QbDgVVKD8NdFAxlGUtY+jLRVTt/ThiqK1ua2fD94A
-----END CERTIFICATE-----
subject=/CN=SplunkServerDefaultCert/O=SplunkUser

issuer=/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com

No client certificate CA names sent
Peer signing digest: SHA512

Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 1736 bytes and written 441 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 391D266371C5A7C685F5376946A1115DAFF7101DDB56181C5A31A58AC3A38E13
Session-ID-ctx:
Master-Key: D7496B27187A45FF6
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 6c a7 b4 c0 33 a0 f9 81-57 cb 94 f7 e2 81 f3 be l...3...W.......
0010 - 0a 38 ab 43 cb 44 d0 9a-5e f0 6e 94 8e 44 08 88 .8.C.D..^.n..D..
0020 - 64 23 c0 3e 0b 48 54 2a-8c 0e 98 24 cc 4b 90 aa d#.>.HT*...$.K..
0030 - 10 10 f1 42 3f 30 71 1e-cf 80 fc 1f 44 f0 dc 86 ...B?0q.....D...
0040 - dd 09 db a8 dc c2 88 07-b9 a5 fd 91 2a 01 af 9c ............*...
0050 - c7 2e 0c 8b ad 49 d0 49-f5 f7 ed d1 1a ce 8c a5 .....I.I........
0060 - bc 06 6a 55 af ee ca 48-c7 16 a5 9d 37 e8 fe 1f ..jU...H....7...
0070 - 0b 19 9f 8c 07 d6 a1 cc-5f 15 3a fc b2 dc e2 6a ........_.:....j
0080 - 00 05 61 0a 95 12 be 21-83 b8 48 81 14 f8 af da ..a....!..H.....
0090 - 04 9d 02 6d 3d 8d d2 fa-8a 53 a7 d0 91 88 63 52 ...m=....S....cR

Compression: 1 (zlib compression)
Start Time: 1501815599
Timeout   : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)

0 Karma
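Reading an s_client dump by eye is error-prone, so here is an added example (not part of the thread and not Splunk's code) that pulls the handshake facts out of the output above and turns them into defender-side findings. SAMPLE_OUTPUT is a constructed excerpt of the posted output with the session ticket bytes and certificate body dropped; the function names parse_s_client, protocol_verdict and findings are introduced here, and the 2048-bit key threshold is an assumption in line with the regeneration advice later in the thread:

```python
"""Extract the handshake facts from an `openssl s_client` dump and turn them
into findings. Added illustrative code, not part of the thread or Splunk.
"""
import re

# Constructed excerpt of the s_client output posted in the thread; the session
# ticket bytes and the certificate body are omitted. Indentation follows the
# real s_client layout for the SSL-Session block.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = support@splunk.com
verify error:num=19:self signed certificate in certificate chain
Server Temp Key: ECDH, P-256, 256 bits
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 19 (self signed certificate in certificate chain)
"""

_PATTERNS = {
    "protocol": re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M),
    "cipher": re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M),
    "key_bits": re.compile(r"^Server public key is (\d+) bit", re.M),
    "compression": re.compile(r"^Compression:\s*(.+?)\s*$", re.M),
    "verify": re.compile(r"^\s*Verify return code:\s*(\d+)\s*\((.*)\)", re.M),
}

ASSUMED_MIN_KEY_BITS = 2048   # assumption, matching the 2048-bit regeneration advice
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")


def parse_s_client(text):
    """Pull protocol, cipher, key size, compression and verify result out of the dump."""
    info = {}
    for key, pattern in _PATTERNS.items():
        match = pattern.search(text)
        if match is None:
            continue
        if key == "key_bits":
            info[key] = int(match.group(1))
        elif key == "verify":
            info["verify_code"] = int(match.group(1))
            info["verify_msg"] = match.group(2)
        else:
            info[key] = match.group(1)
    return info


def protocol_verdict(info):
    """Decide which side a TLSV1_ALERT_PROTOCOL_VERSION error points at."""
    proto = info.get("protocol", "unknown")
    if proto in ("TLSv1.2", "TLSv1.3"):
        return ("server speaks %s with this openssl binary; a protocol_version "
                "alert from the Python SDK points at the client's OpenSSL build" % proto)
    return "server negotiated %s; review the [sslConfig] sslVersions setting" % proto


def findings(info, min_key_bits=ASSUMED_MIN_KEY_BITS):
    """Defender-side observations keyed by check name; only problems are listed."""
    problems = {}
    if info.get("key_bits", min_key_bits) < min_key_bits:
        problems["key_size"] = "server RSA key is %d bits, below %d" % (info["key_bits"], min_key_bits)
    if info.get("compression", "NONE") != "NONE":
        problems["compression"] = "TLS compression enabled (%s); disable it" % info["compression"]
    if info.get("verify_code", 0) != 0:
        problems["verify"] = ("chain not trusted (%d: %s); pin the issuing CA instead of "
                              "disabling verification" % (info["verify_code"], info["verify_msg"]))
    cipher = info.get("cipher", "")
    if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
        problems["cipher"] = "weak cipher negotiated: %s" % cipher
    return problems


if __name__ == "__main__":
    parsed = parse_s_client(SAMPLE_OUTPUT)
    print(protocol_verdict(parsed))
    for check, message in sorted(findings(parsed).items()):
        print("%-12s %s" % (check, message))
```

On the posted output the verdict is that the server itself negotiates TLSv1.2 with an ECDHE-RSA-AES256-GCM-SHA384 cipher, so the SDK's protocol_version alert is the Python side's OpenSSL being too old; the remaining findings (1024-bit server key, zlib TLS compression, untrusted default chain) are hygiene issues on the server independent of that error.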

jkat54
SplunkTrust

I guess it's a long shot, but try regenerating the server cert:

   # /opt/splunk/bin/splunk createssl server-cert 2048
0 Karma

allisonwalther
Path Finder

@castille_cisco Did you ever resolve your issue? I'm running into literally the exact same issue. Same script, same output, same versions of OSX, Python.

0 Karma