Splunk Enterprise

Error Messages on CISA Taxii Input

OiskyPoisky
Explorer

Evening All,

Have been working on setting up a Taxii feed pulling observables in from CISA/DHS however seem to be encountering the following error message which looks like an SSL error:

ssl.SSLError: [SSL] PEM lib (_ssl.c:3954)

I've been digging around but cant seem to find much on this exact error code. Cert and Key files  are defined correctly as we use those same cert/key files in a separate technology "MineMeld" which is working as expected. Those files are uploaded into the credential manager and documentation followed under the  https://docs.splunk.com/Documentation/ES/6.5.0/Admin/Downloadthreatfeed link.

2021-05-04 19:38:06,931+0000 ERROR pid=16982 tid=MainThread file=threatlist.py:download_taxii:473 | [SSL] PEM lib (_ssl.c:3954) Traceback (most recent call last): File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist.py", line 436, in download_taxii taxii_message = handler.run(args, handler_args) File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/taxii_client/__init__.py", line 171, in run return self._poll_taxii_11(parsed_args) File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/taxii_client/__init__.py", line 81, in _poll_taxii_11 http_resp = client.call_taxii_service2(args.get('url'), args.get('service'), tm11.VID_TAXII_XML_11, poll_xml, port=args.get('port'), timeout=args['timeout']) File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 344, in call_taxii_service2 response = urllib.request.urlopen(req, timeout=timeout) File "/opt/splunk/lib/python3.7/urllib/request.py", line 222, in urlopen return opener.open(url, data, timeout) File "/opt/splunk/lib/python3.7/urllib/request.py", line 525, in open response = self._open(req, data) File "/opt/splunk/lib/python3.7/urllib/request.py", line 543, in _open '_open', req) File "/opt/splunk/lib/python3.7/urllib/request.py", line 503, in _call_chain result = func(*args) File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 374, in https_open return self.do_open(self.get_connection, req) File "/opt/splunk/lib/python3.7/urllib/request.py", line 1318, in do_open h = http_class(host, timeout=req.timeout, **http_conn_args) File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 382, in get_connection key_password=self.key_password) File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 437, in __init__ cert_file, key_file, password=key_password) ssl.SSLError: [SSL] PEM lib (_ssl.c:3954)

Any thoughts on what this could be at all?

 

Cheers,

Tom

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!