Hello, I'm trying to connect Splunk Enterprise with the SOAR Export app to SOAR and there are sslv3 issues.
Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1161)')))
It reports errors even though I have HTTPS certificate verification disabled. Any recommendations? It looks like SOAR does not accept old sslv3.
I have Splunk Enterprise 9.4.3, SOAR Export app 4.3.26 and SOAR 6.4.1.361.
I have generated a certificate in our CA, configured it as the web cert and it is visible now. I added the CA chain to cert_bundle.pem in ~/etc/apps/phantom/local in the Splunk export app, and did the same on the SOAR side, adding the CA chain via python import_cert.py. I tried to enable SSL checking, but still no luck and the same error.
Hi @simo1
Have you disabled SSL verification based on this guide? https://docs.splunk.com/Documentation/PhantomApp/4.0.10/Install/ConfigureCerts#:~:text=Splunk%20Ente...
Where do you see those error messages occurring? Is there other context such as log file name/source or component?
Yes, I have disabled certificate verification via this guide over the REST API and it is showing the disabled SSL verification status at the top of the site.
These logs are from var/log/splunk/phantom_configuration.log
Here is the whole part:
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/phantom/bin/phantom_rest.py", line 250, in handle_POST
    _, _ = pi.verify_server()
  File "/opt/splunk/etc/apps/phantom/bin/phantom_instance.py", line 489, in verify_server
    response = requests.get(
  File "/opt/splunk/etc/apps/phantom/bin/phantom_requests/api.py", line 73, in get
    return request("get", url, params=params, **kwargs)
  File "/opt/splunk/etc/apps/phantom/bin/phantom_requests/api.py", line 59, in request
    return session.request(method=method, url=url, **kwargs)
  File "/opt/splunk/etc/apps/phantom/bin/phantom_requests/sessions.py", line 587, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/splunk/etc/apps/phantom/bin/phantom_requests/sessions.py", line 701, in send
    r = adapter.send(request, **kwargs)
  File "/opt/splunk/etc/apps/phantom/bin/phantom_requests/adapters.py", line 517, in send
    raise SSLError(e, request=request)
phantom_requests.exceptions.SSLError: HTTPSConnectionPool(host='soar-fqdn', port=8443): Max retries exceeded with url: /rest/user_settings (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1161)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/splunk/etc/apps/phantom/bin/phantom_rest.py", line 285, in handle_POST
    raise Exception(message)
Exception: Failed to communicate with user "" on SOAR server "https://soar-fqdn:8443".
Can anybody help? I tried a clean install of Splunk and SOAR; they are on the same network, HTTPS verification is disabled, and firewall communication is allowed, but there is still the sslv3 handshake failure. Is there any different SSL configuration for the REST API in the Splunk SOAR Export app?
{ "ph-auth-token": "xxx=","server": "https://fqdn or ip" }
I tried to enable HTTPS and add CA certificates and self-signed certificates for the server, but still no luck. When trying to curl at the base OS level, everything works. Only the Splunk SOAR Export app doesn't know how to communicate.