Splunk SOAR

sslv3 alert when connecting splunk soar export app to soar

simo1
Observer

Hello, trying to connect Splunk Enterprise with the SOAR Export app to SOAR and there are sslv3 issues.

Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1161)')))

It reports errors even though I have HTTPS certificate verification disabled. Any recommendations? It looks like SOAR does not accept old sslv3.

I have Splunk Enterprise 9.4.3, SOAR Export app 4.3.26 and SOAR 6.4.1.361.


simo1
Observer

I have generated a certificate in our CA, configured it as the web cert, and it is visible now. I added the CA chain to cert_bundle.pem in ~/etc/apps/phantom/local in the Splunk export app, and did the same on the SOAR side, adding the CA chain via python import_cert.py. I tried to enable SSL checking, but still no luck and the same error.


livehybrid
SplunkTrust

Hi @simo1 

Have you disabled SSL verification based on this guide? https://docs.splunk.com/Documentation/PhantomApp/4.0.10/Install/ConfigureCerts#:~:text=Splunk%20Ente...

Where do you see those error messages occurring? Is there other context such as log file name/source or component?


simo1
Observer

Yes, I have disabled certificate verification via this guide over the REST API, and it is showing the disabled SSL verification status at the top of the site.

These logs are from var/log/splunk/phantom_configuration.log

Here is the whole part:

Traceback (most recent call last):
  File "/opt/splunk/etc/apps/phantom/bin/phantom_rest.py", line 250, in handle_POST
    _, _ = pi.verify_server()
  File "/opt/splunk/etc/apps/phantom/bin/phantom_instance.py", line 489, in verify_server
    response = requests.get(
  File "/opt/splunk/etc/apps/phantom/bin/phantom_requests/api.py", line 73, in get
    return request("get", url, params=params, **kwargs)
  File "/opt/splunk/etc/apps/phantom/bin/phantom_requests/api.py", line 59, in request
    return session.request(method=method, url=url, **kwargs)
  File "/opt/splunk/etc/apps/phantom/bin/phantom_requests/sessions.py", line 587, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/splunk/etc/apps/phantom/bin/phantom_requests/sessions.py", line 701, in send
    r = adapter.send(request, **kwargs)
  File "/opt/splunk/etc/apps/phantom/bin/phantom_requests/adapters.py", line 517, in send
    raise SSLError(e, request=request)
phantom_requests.exceptions.SSLError: HTTPSConnectionPool(host='soar-fqdn', port=8443): Max retries exceeded with url: /rest/user_settings (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1161)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/splunk/etc/apps/phantom/bin/phantom_rest.py", line 285, in handle_POST
    raise Exception(message)
Exception: Failed to communicate with user "" on SOAR server "https://soar-fqdn:8443".


simo1
Observer

Can anybody help? I tried to do a clean install of Splunk and SOAR; they are on the same network, HTTPS verification is disabled, and firewall communication is allowed, but there is still the sslv3 handshake failure. Is there any different SSL configuration for the REST API in the Splunk SOAR Export app?

{ "ph-auth-token": "xxx=","server": "https://fqdn or ip" }

I tried to enable HTTPS and add CA certificates and self-signed certificates for the server, but still no luck. When trying to curl at the base OS level, everything works. Only the Splunk SOAR Export app doesn't know how to communicate.


lujr
Loves-to-Learn

I am having this exact same issue. Have a case submitted with support and they have not resolved it yet.
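
The error quoted in this thread is TLS alert 40 (handshake_failure) received from the peer; OpenSSL keeps the historical "sslv3 alert" name for it under every TLS version, while a certificate check that fails locally raises CERTIFICATE_VERIFY_FAILED instead. The following is an added example, not part of any post above and not code from the Splunk app: it classifies a handshake outcome along that line, using a constructed local server that answers every ClientHello with that alert. The names `start_rejecting_server` and `probe` are hypothetical.

```python
import socket
import ssl
import threading

# Constructed TLS record: alert (21), version 3.3, length 2, fatal (2), handshake_failure (40).
ALERT_40 = bytes([21, 3, 3, 0, 2, 2, 40])


def start_rejecting_server():
    """Constructed local stand-in for a peer that refuses every ClientHello; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(65536)        # consume the ClientHello
                conn.sendall(ALERT_40)  # answer with the fatal alert

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def probe(host, port, verify=True, version=None):
    """Attempt one handshake and classify it; version optionally pins one ssl.TLSVersion."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if version is not None:
        ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.version(), tls.cipher()[0])
    except ssl.SSLCertVerificationError as exc:
        return ("certificate", exc.verify_message)  # local trust or hostname problem
    except ssl.SSLError as exc:
        return ("negotiation", exc.reason)  # handshake-level failure, e.g. an alert from the peer


if __name__ == "__main__":
    port = start_rejecting_server()
    for verify in (True, False):
        # Same result either way: the alert arrives before any certificate is checked.
        print(verify, probe("127.0.0.1", port, verify=verify))
```

Run with the Python interpreter bundled with Splunk and pointed at the SOAR host and port, `probe` reports what that interpreter's OpenSSL build can negotiate, which may differ from what the operating system's curl negotiates.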
