All Apps and Add-ons

Splunk TA-tenable SSLV3_ALERT_HANDSHAKE_FAILURE

pl2345
Path Finder

We stopped receiving data from tenable a few days ago. When I went to investigate I could find nothing that changed. But now we cannot add/edit our tenable accounts without getting "No Tenable.sc Instance at <fqdn:443>".

Things I was able to do:

Log into tenable with the credentials just fine.

Perform a test-netconnection <FQDN> -Port 443

nslookup was good

able to ping

Things I tried but failed:

Use the FQDN and IP address.

The app is installed on our Heavy Forwarder which has the Search Head and KVStore roles. Splunk Enterprise versions is 8.2.2.1, Windows server 2019.

We were running TA-tenable version 5.0.1 and it wasnt working. I upgraded to TA-tenable 5.2.1 and got the same error.

From our logs:

 

 

python.log
11-19-2021 07:20:52.558 -0800 ERROR AdminManagerExternal [8132 TcpChannelThread] - Unexpected error "<class 'splunktaucclib.rest_handler.error.RestError'>" from python handler: "REST Error [400]: Bad Request -- No Tenable.sc Instance at <fqdn>". See splunkd.log/python.log for more details.

splunkd.log
11-19-2021 07:20:52.558 -0800 ERROR AdminManagerExternal [18606 TcpChannelThread] - Stack trace from python handler:\n
Traceback (most recent call last):\n
  File "/opt/splunk/lib/python3.7/site-packages/splunk/admin.py", line 151, in init\n
    hand.execute(info)\n
  File "/opt/splunk/lib/python3.7/site-packages/splunk/admin.py", line 636, in execute\n
    if self.requestedAction == ACTION_CREATE:   self.handleCreate(confInfo)\n
  File "/opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/splunktaucclib/rest_handler/admin_external.py", line 40, in wrapper\n
    for entity in result:\n
  File "/opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/splunktaucclib/rest_handler/handler.py", line 113, in wrapper\n
    for name, data, acl in meth(self, *args, **kwargs):\n
  File "/opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/splunktaucclib/rest_handler/handler.py", line 82, in wrapper\n
    check_existing(self, name),\n
  File "<string>", line 21, in validate\n
  File "/opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/splunktaucclib/rest_handler/endpoint/__init__.py", line 82, in validate\n
    self._loop_fields('validate', name, data, existing=existing)\n
  File "/opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/splunktaucclib/rest_handler/endpoint/__init__.py", line 78, in _loop_fields\n
    model.fields,\n
  File "/opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/splunktaucclib/rest_handler/endpoint/__init__.py", line 77, in <lambda>\n
    lambda f: getattr(f, meth)(data, *args, **kwargs),\n
  File "/opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/splunktaucclib/rest_handler/endpoint/field.py", line 51, in validate\n
    raise RestError(400, self.validator.msg)\nsplunktaucclib.rest_handler.error.RestError: REST Error [400]: Bad Request -- Please enter valid Address, Username and Password or configure valid proxy settings or verify SSL certificate.\n

ta_tenable_securitycenter.log
11-19-2021 07:20:52.55,558 ERROR pid=5980 tid=MainThread file=v1.py:_request:497 | Requests Error: HTTPSConnectionPool(host='<fqdn>', port=443): Max retries exceeded with url: /rest/system (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1106)')))

 

 

 I've been troubleshooting this the last few days and any help would be appreciated.

Labels (1)
0 Karma
1 Solution

pl2345
Path Finder

The issue was resolved when we discovered RedSeal was unable to communicate with tenable as well . On our ACAS box SELinux was misconfigured and not allowing communication. Once we adjusted SELinux, connections were all restored.

View solution in original post

0 Karma

pl2345
Path Finder

The issue was resolved when we discovered RedSeal was unable to communicate with tenable as well . On our ACAS box SELinux was misconfigured and not allowing communication. Once we adjusted SELinux, connections were all restored.

View solution in original post

0 Karma

PickleRick
Champion

As you can see, you're getting an SSL handshake error which means that either the negotiation of session parameters fails (have you upgraded either splunk, the app or the tenable server?) or the server's certificate is not accepted by the client (or vice-versa if you're using mutual authentication). Hasn't your tenable server's certificate just expired? Or haven't you reissued a cert for the server from another CA?

0 Karma

pl2345
Path Finder

I brought up the certs to our ACAS admin, and they confirmed they did update the tenable certs.  They gave me the certs, but I'm not sure where to put them to get it to work.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!