
[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] TA-crowdstrike-falcon-event-streams

dsfyxcasdcertzu
Explorer

Hello,

we've encountered a problem with the TA-crowdstrike-falcon-event-streams TA, which was functional in the past.

Splunk Enterprise onPrem
VERSION=9.1.2
BUILD=b6b9c8185839
PRODUCT=splunk
PLATFORM=Linux-x86_64

When opening the UI to configure the CrowdStrike auth, we end up with Err 500. Same for the other views.
I've tried to reinstall it, but it didn't change anything.

Splunkd logs the following:

 

 

01-26-2024 16:13:29.817 +0100 ERROR AdminManagerExternal [3102377 TcpChannelThread] - Unexpected error "<class 'splunktaucclib.rest_handler.error.RestError'>" from python handler: "REST Error [500]: Internal Server Error -- Traceback (most recent call last):\n  File "/opt/splunk/lib/python3.7/site-packages/urllib3/connectionpool.py", line 706, in urlopen\n    chunked=chunked,\n  File "/opt/splunk/lib/python3.7/site-packages/urllib3/connectionpool.py", line 382, in _make_request\n    self._validate_conn(conn)\n  File "/opt/splunk/lib/python3.7/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn\n    conn.connect()\n  File "/opt/splunk/lib/python3.7/site-packages/urllib3/connection.py", line 421, in connect\n    tls_in_tls=tls_in_tls,\n  File "/opt/splunk/lib/python3.7/site-packages/urllib3/util/ssl_.py", line 453, in ssl_wrap_socket\n    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls)\n  File "/opt/splunk/lib/python3.7/site-packages/urllib3/util/ssl_.py", line 495, in _ssl_wrap_socket_impl\n    return ssl_context.wrap_socket(sock)\n  File "/opt/splunk/lib/python3.7/ssl.py", line 428, in wrap_socket\n    session=session\n  File "/opt/splunk/lib/python3.7/ssl.py", line 878, in _create\n    self.do_handshake()\n  File "/opt/splunk/lib/python3.7/ssl.py", line 1147, in do_handshake\n    self._sslobj.do_handshake()\nssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1106)\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n  File "/opt/splunk/lib/python3.7/site-packages/requests/adapters.py", line 449, in send\n    timeout=timeout\n  File "/opt/splunk/lib/python3.7/site-packages/urllib3/connectionpool.py", line 756, in urlopen\n    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]\n  File "/opt/splunk/lib/python3.7/site-packages/urllib3/util/retry.py", line 574, in increment\n    raise MaxRetryError(_pool, url, error or 
ResponseError(cause))\nurllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='127.0.0.1', port=8089): Max retries exceeded with url: /servicesNS/nobody/TA-crowdstrike-falcon-event-streams/configs/conf-ta_crowdstrike_falcon_event_streams_settings/_reload (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1106)')))\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n  File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/splunktaucclib/rest_handler/handler.py", line 124, in wrapper\n    for name, data, acl in meth(self, *args, **kwargs):\n  File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/splunktaucclib/rest_handler/handler.py", line 162, in get\n    self.reload()\n  File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/splunktaucclib/rest_handler/handler.py", line 259, in reload\n    action="_reload",\n  File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/splunklib/binding.py", line 320, in wrapper\n    return request_fun(self, *args, **kwargs)\n  File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/splunklib/binding.py", line 79, in new_f\n    val = f(*args, **kwargs)\n  File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/splunklib/binding.py", line 727, in get\n    response = self.http.get(path, all_headers, **query)\n  File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/splunklib/binding.py", line 1254, in get\n    return self.request(url, { 'method': "GET", 'headers': headers })\n  File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/splunklib/binding.py", line 1316, in request\n    response = self.handler(url, message, **kwargs)\n  File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/lib/solnlib/splunk_rest_client.py", line 147, in request\n    **kwargs,\n  File 
"/opt/splunk/lib/python3.7/site-packages/requests/api.py", line 61, in request\n    return session.request(method=method, url=url, **kwargs)\n  File "/opt/splunk/lib/python3.7/site-packages/requests/sessions.py", line 542, in request\n    resp = self.send(prep, **send_kwargs)\n  File "/opt/splunk/lib/python3.7/site-packages/requests/sessions.py", line 655, in send\n    r = adapter.send(request, **kwargs)\n  File "/opt/splunk/lib/python3.7/site-packages/requests/adapters.py", line 514, in send\n    raise SSLError(e, request=request)\nrequests.exceptions.SSLError: HTTPSConnectionPool(host='127.0.0.1', port=8089): Max retries exceeded with url: /servicesNS/nobody/TA-crowdstrike-falcon-event-streams/configs/conf-ta_crowdstrike_falcon_event_streams_settings/_reload (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1106)')))\n". See splunkd.log/python.log for more details.

 

 

inputs.conf

 

[splunktcp-ssl:8089]
disabled = 0
requireClientCert = false
sslVersions = *

[...]

[SSL]
serverCert = <path>
requireClientCert = true
allowSslRenegotiation = true
sslCommonNameToCheck = <others> 127.0.0.1,SplunkServerDefaultCert

 

server.conf

 

[sslConfig]
enableSplunkdSSL = true
sslVersions = tls1.2
serverCert = /opt/splunk/etc/auth/<path>.pem
sslRootCAPath = /opt/splunk/etc/auth/<path>.pem
requireClientCert = true
sslVerifyServerName = true
sslVerifyServerCert = true
sslCommonNameToCheck = <FQDNs>
cliVerifyServerName = false
sslPassword = <pw>

 

 

We're looking forward to your help!
Thank you!

0 Karma

datadevops
Path Finder

Hey there,

Looks like the CrowdStrike TA is throwing an "Err 500" fit! Don't worry, I've got some ideas to fix it.

SSL Mismatch: Seems your inputs.conf and server.conf have different SSL settings. Make sure they both use the same "sslVersions" like tls1.2 and have valid certificate paths. Double-check those serverCert paths and sslCommonNameToCheck values too.

Security Check: If you're feeling brave, you can temporarily disable certificate verification (sslVerifyServerCert = false in server.conf), but only in a safe space! Remember, security first!

Other suspects:

  • Make sure Splunk can read those certificate files.
  • Check certificate validity and hostname with tools like openssl s_client.
  • Consider updating the CrowdStrike TA, newer versions might be smoother.

Pro tip: Back up your configs before tinkering, and test changes in a separate environment.

If these tips don't do the trick, hit up Splunk or CrowdStrike support. They're the pros!

~ If the reply helps, a Karma upvote would be appreciated

0 Karma
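
An added example, not part of the thread or of the TA's own code: a small Python audit over the two quoted files that flags the settings bearing on the handshake to the local REST port (127.0.0.1:8089 in the traceback). A TLS 1.2 server that requires a client certificate answers a certificate-less client with a handshake_failure alert, so `requireClientCert` in `[sslConfig]` is checked first. The sample stanzas are constructed from the question with placeholders kept; the function names and finding codes are made up for this example.

```python
import configparser

# Constructed sample input: stanzas as quoted in the question, placeholders kept.
INPUTS_CONF = """\
[splunktcp-ssl:8089]
disabled = 0
requireClientCert = false
sslVersions = *

[SSL]
serverCert = <path>
requireClientCert = true
"""
SERVER_CONF = """\
[sslConfig]
enableSplunkdSSL = true
sslVersions = tls1.2
requireClientCert = true
sslVerifyServerCert = true
"""

def parse(text):
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep the key names exactly as written in the .conf file
    cp.read_string(text)
    return cp

def is_true(value):
    return str(value).strip().lower() in ("true", "1")

def audit(inputs_text, server_text, mgmt_port=8089):
    """Return (code, detail) findings; mgmt_port is the REST port from the traceback."""
    inputs, server = parse(inputs_text), parse(server_text)
    ssl = dict(server["sslConfig"]) if server.has_section("sslConfig") else {}
    findings = []
    if is_true(ssl.get("requireClientCert", "false")):
        findings.append(("MGMT_REQUIRES_CLIENT_CERT",
                         "REST callers on port %d must present a client certificate" % mgmt_port))
    for name in inputs.sections():
        if name.partition(":")[2] == str(mgmt_port):
            findings.append(("INPUT_ON_MGMT_PORT", "[%s] uses the REST port" % name))
        versions = inputs[name].get("sslVersions")
        if versions and versions != ssl.get("sslVersions", versions):
            findings.append(("SSL_VERSIONS_DIFFER",
                             "[%s] %s vs [sslConfig] %s" % (name, versions, ssl.get("sslVersions"))))
    return findings

if __name__ == "__main__":
    for code, detail in audit(INPUTS_CONF, SERVER_CONF):
        print(code, "-", detail)
```
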

dsfyxcasdcertzu
Explorer

Thanks bot.

I think AI-generated responses should be marked as such.

0 Karma