Splunk SOAR

SSLv3 alert when connecting Splunk SOAR Export app to SOAR

simo1
New Member

Hello, I am trying to connect Splunk Enterprise with the SOAR Export app to SOAR and there are SSLv3 issues.

Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1161)')))

It reports errors even though I have HTTPS certificate verification disabled. Any recommendations? It looks like SOAR does not accept old SSLv3.

I have Splunk Enterprise 9.4.3, SOAR Export app 4.3.26 and SOAR 6.4.1.361.


simo1
New Member

I have generated a certificate in our CA, configured it as the web cert, and it is visible now. I added the CA chain to cert_bundle.pem in ~/etc/apps/phantom/local in the Splunk export app, and did the same on the SOAR side, adding the CA chain via python import_cert.py. I tried to enable SSL checking but still no luck and the same error.


livehybrid
SplunkTrust

Hi @simo1 

Have you disabled SSL verification based on this guide? https://docs.splunk.com/Documentation/PhantomApp/4.0.10/Install/ConfigureCerts#:~:text=Splunk%20Ente...

Where do you see those error messages occurring? Is there other context such as log file name/source or component?


simo1
New Member

Yes, I have disabled certificate verification via this guide over the REST API, and it shows the disabled SSL verification status at the top of the site.

These logs are from var/log/splunk/phantom_configuration.log

Here is the whole part:

Traceback (most recent call last):
  File "/opt/splunk/etc/apps/phantom/bin/phantom_rest.py", line 250, in handle_POST
    _, _ = pi.verify_server()
  File "/opt/splunk/etc/apps/phantom/bin/phantom_instance.py", line 489, in verify_server
    response = requests.get(
  File "/opt/splunk/etc/apps/phantom/bin/phantom_requests/api.py", line 73, in get
    return request("get", url, params=params, **kwargs)
  File "/opt/splunk/etc/apps/phantom/bin/phantom_requests/api.py", line 59, in request
    return session.request(method=method, url=url, **kwargs)
  File "/opt/splunk/etc/apps/phantom/bin/phantom_requests/sessions.py", line 587, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/splunk/etc/apps/phantom/bin/phantom_requests/sessions.py", line 701, in send
    r = adapter.send(request, **kwargs)
  File "/opt/splunk/etc/apps/phantom/bin/phantom_requests/adapters.py", line 517, in send
    raise SSLError(e, request=request)
phantom_requests.exceptions.SSLError: HTTPSConnectionPool(host='soar-fqdn', port=8443): Max retries exceeded with url: /rest/user_settings (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1161)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/splunk/etc/apps/phantom/bin/phantom_rest.py", line 285, in handle_POST
    raise Exception(message)
Exception: Failed to communicate with user "" on SOAR server "https://soar-fqdn:8443".
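
Added example, not part of the thread and not code from the SOAR Export app: a handshake_failure alert is sent by the peer during TLS negotiation and is not produced by the client's own certificate verification, so this probe pins one TLS version at a time with verification switched off to show which negotiations the server accepts. The `probe` function and the `VERSIONS` table are illustrative names; `soar-fqdn` and port 8443 are the placeholder host and port from the traceback above.

```python
import socket
import ssl
import sys

# Protocol versions tried one at a time. TLS 1.0/1.1 are left out because
# many current OpenSSL builds refuse them at the default security level.
VERSIONS = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}


def probe(host, port, timeout=5.0):
    """Attempt one handshake per TLS version with certificate checks off.

    Returns {version: (status, detail, cipher)} where status is "ok",
    "tls-error" (the TLS layer failed, detail is the OpenSSL reason) or
    "tcp-error" (the connection never reached TLS).
    """
    results = {}
    for name, version in VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False       # same effect as verification disabled
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version    # pin exactly one protocol version
        ctx.maximum_version = version
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = ("ok", tls.version(), tls.cipher()[0])
        except ssl.SSLError as exc:      # must precede OSError (its parent)
            results[name] = ("tls-error", exc.reason or str(exc), None)
        except OSError as exc:
            results[name] = ("tcp-error", type(exc).__name__, None)
    return results


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "soar-fqdn"  # placeholder
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    for name, (status, detail, cipher) in probe(host, port).items():
        print(f"{name}: {status} {detail} {cipher or ''}")
```

Run it with the same Python interpreter the app uses, so the same OpenSSL build and defaults are exercised. A "tls-error" for every version while verification is off points at protocol, cipher or client-certificate negotiation rather than at the CA bundle.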
