Splunk Enterprise

Error Messages on CISA Taxii Input


Evening All,

Have been working on setting up a Taxii feed pulling observables in from CISA/DHS however seem to be encountering the following error message which looks like an SSL error:

ssl.SSLError: [SSL] PEM lib (_ssl.c:3954)

I've been digging around but cant seem to find much on this exact error code. Cert and Key files  are defined correctly as we use those same cert/key files in a separate technology "MineMeld" which is working as expected. Those files are uploaded into the credential manager and documentation followed under the  https://docs.splunk.com/Documentation/ES/6.5.0/Admin/Downloadthreatfeed link.

2021-05-04 19:38:06,931+0000 ERROR pid=16982 tid=MainThread file=threatlist.py:download_taxii:473 | [SSL] PEM lib (_ssl.c:3954) Traceback (most recent call last): File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist.py", line 436, in download_taxii taxii_message = handler.run(args, handler_args) File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/taxii_client/__init__.py", line 171, in run return self._poll_taxii_11(parsed_args) File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/taxii_client/__init__.py", line 81, in _poll_taxii_11 http_resp = client.call_taxii_service2(args.get('url'), args.get('service'), tm11.VID_TAXII_XML_11, poll_xml, port=args.get('port'), timeout=args['timeout']) File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 344, in call_taxii_service2 response = urllib.request.urlopen(req, timeout=timeout) File "/opt/splunk/lib/python3.7/urllib/request.py", line 222, in urlopen return opener.open(url, data, timeout) File "/opt/splunk/lib/python3.7/urllib/request.py", line 525, in open response = self._open(req, data) File "/opt/splunk/lib/python3.7/urllib/request.py", line 543, in _open '_open', req) File "/opt/splunk/lib/python3.7/urllib/request.py", line 503, in _call_chain result = func(*args) File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 374, in https_open return self.do_open(self.get_connection, req) File "/opt/splunk/lib/python3.7/urllib/request.py", line 1318, in do_open h = http_class(host, timeout=req.timeout, **http_conn_args) File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 382, in get_connection key_password=self.key_password) File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 437, in __init__ cert_file, key_file, password=key_password) ssl.SSLError: [SSL] PEM lib (_ssl.c:3954)

Any thoughts on what this could be at all?




0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...