Splunk TA-tenable SSLV3_ALERT_HANDSHAKE_FAILURE

pl2345
Path Finder

We stopped receiving data from tenable a few days ago. When I went to investigate I could find nothing that changed. But now we cannot add/edit our tenable accounts without getting "No Tenable.sc Instance at <fqdn:443>".

Things I was able to do:

Log into tenable with the credentials just fine.

Perform a test-netconnection <FQDN> -Port 443

nslookup was good

able to ping

Things I tried but failed:

Use the FQDN and IP address.

The app is installed on our Heavy Forwarder which has the Search Head and KVStore roles. Splunk Enterprise version is 8.2.2.1, Windows Server 2019.

We were running TA-tenable version 5.0.1 and it wasn't working. I upgraded to TA-tenable 5.2.1 and got the same error.

From our logs:

python.log
11-19-2021 07:20:52.558 -0800 ERROR AdminManagerExternal [8132 TcpChannelThread] - Unexpected error "<class 'splunktaucclib.rest_handler.error.RestError'>" from python handler: "REST Error [400]: Bad Request -- No Tenable.sc Instance at <fqdn>". See splunkd.log/python.log for more details.

splunkd.log
11-19-2021 07:20:52.558 -0800 ERROR AdminManagerExternal [18606 TcpChannelThread] - Stack trace from python handler:\n
Traceback (most recent call last):\n
  File "/opt/splunk/lib/python3.7/site-packages/splunk/admin.py", line 151, in init\n
    hand.execute(info)\n
  File "/opt/splunk/lib/python3.7/site-packages/splunk/admin.py", line 636, in execute\n
    if self.requestedAction == ACTION_CREATE:   self.handleCreate(confInfo)\n
  File "/opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/splunktaucclib/rest_handler/admin_external.py", line 40, in wrapper\n
    for entity in result:\n
  File "/opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/splunktaucclib/rest_handler/handler.py", line 113, in wrapper\n
    for name, data, acl in meth(self, *args, **kwargs):\n
  File "/opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/splunktaucclib/rest_handler/handler.py", line 82, in wrapper\n
    check_existing(self, name),\n
  File "<string>", line 21, in validate\n
  File "/opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/splunktaucclib/rest_handler/endpoint/__init__.py", line 82, in validate\n
    self._loop_fields('validate', name, data, existing=existing)\n
  File "/opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/splunktaucclib/rest_handler/endpoint/__init__.py", line 78, in _loop_fields\n
    model.fields,\n
  File "/opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/splunktaucclib/rest_handler/endpoint/__init__.py", line 77, in <lambda>\n
    lambda f: getattr(f, meth)(data, *args, **kwargs),\n
  File "/opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/splunktaucclib/rest_handler/endpoint/field.py", line 51, in validate\n
    raise RestError(400, self.validator.msg)\nsplunktaucclib.rest_handler.error.RestError: REST Error [400]: Bad Request -- Please enter valid Address, Username and Password or configure valid proxy settings or verify SSL certificate.\n

ta_tenable_securitycenter.log
11-19-2021 07:20:52.55,558 ERROR pid=5980 tid=MainThread file=v1.py:_request:497 | Requests Error: HTTPSConnectionPool(host='<fqdn>', port=443): Max retries exceeded with url: /rest/system (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1106)')))

I've been troubleshooting this the last few days and any help would be appreciated.

0 Karma
1 Solution

pl2345
Path Finder

The issue was resolved when we discovered RedSeal was unable to communicate with tenable as well. On our ACAS box SELinux was misconfigured and not allowing communication. Once we adjusted SELinux, connections were all restored.

0 Karma

PickleRick
SplunkTrust

As you can see, you're getting an SSL handshake error which means that either the negotiation of session parameters fails (have you upgraded either splunk, the app or the tenable server?) or the server's certificate is not accepted by the client (or vice-versa if you're using mutual authentication). Hasn't your tenable server's certificate just expired? Or haven't you reissued a cert for the server from another CA?

0 Karma
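
Added example, not part of the thread and not code from the Splunk or Tenable add-on: a small Python check that separates the two failure classes named in the reply above (a refusal signalled by the peer versus a certificate the client itself rejects) and, via `probe()`, tests the TLS stage that `Test-NetConnection` does not reach. The names `CAUSES`, `classify` and `probe` are hypothetical; `FROM_POST` is the error text from the log in the question and `CONSTRUCTED` is a made-up sample.

```python
import re
import socket
import ssl

# OpenSSL reason codes as they appear in "[SSL: ...]" inside Python/requests errors.
CAUSES = {
    "SSLV3_ALERT_HANDSHAKE_FAILURE": "peer_alert",     # peer sent TLS alert 40
    "TLSV1_ALERT_PROTOCOL_VERSION": "peer_alert",      # peer refused the TLS version
    "CERTIFICATE_VERIFY_FAILED": "local_cert_check",   # this client rejected the cert
    "WRONG_VERSION_NUMBER": "not_tls",                 # reply was not a TLS record
}

# Error text from ta_tenable_securitycenter.log in the post above.
FROM_POST = ("Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] "
             "sslv3 alert handshake failure (_ssl.c:1106)')))")
# Constructed sample: what a client-side trust failure looks like instead.
CONSTRUCTED = "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:1106)"


def classify(message):
    """Return (stage, reason) for the OpenSSL reason code found in an error string."""
    match = re.search(r"\[SSL: ([A-Z0-9_]+)\]", message)
    if not match:
        return ("unknown", None)
    return (CAUSES.get(match.group(1), "other_tls"), match.group(1))


def probe(host, port=443, timeout=5.0):
    """Handshake with default verification and report which stage failed."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"stage": "ok", "version": tls.version(),
                        "cipher": tls.cipher()[0],
                        "not_after": tls.getpeercert().get("notAfter")}
    except ssl.SSLError as exc:      # must precede OSError, its base class
        stage, reason = classify(str(exc))
        return {"stage": stage, "reason": reason}
    except OSError as exc:           # DNS, refused, timeout: never reached TLS
        return {"stage": "network", "reason": str(exc)}


if __name__ == "__main__":
    for text in (FROM_POST, CONSTRUCTED):
        print(classify(text))
```

A `peer_alert` result means the refusal was signalled by the remote end during the handshake, whereas a certificate the client does not trust surfaces as `CERTIFICATE_VERIFY_FAILED`. The "SSLV3" in the reason name is OpenSSL's legacy label for the alert and does not indicate that SSLv3 was negotiated.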

pl2345
Path Finder

I brought up the certs to our ACAS admin, and they confirmed they did update the tenable certs. They gave me the certs, but I'm not sure where to put them to get it to work.

0 Karma