- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- Login Failure with SDK for PHP and TLS
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Login Failure with SDK for PHP and TLS
I recently upgraded my Splunk installation to use TLS in order to comply with the government. Now none of my PhP scripts work. They all throw the same error which is:
exception 'Splunk_ConnectException' with message 'fopen(https://192.168.50.35:8089/services/auth/login): failed to open stream: operation failed' in C:\inetpub\wwwroot\splunk-sdk-php\Splunk\Http.php:119 Stack trace: #0 C:\inetpub\wwwroot\splunk-sdk-php\Splunk\Http.php(44): Splunk_Http->request('post', 'https://192.168...', Array, 'username=kmatte...') #1 C:\inetpub\wwwroot\splunk-sdk-php\Splunk\Context.php(93): Splunk_Http->post('https://192.168...', Array) #2 C:\inetpub\wwwroot\splunk-sdk-php\examples\XXXSearch.php(37): Splunk_Context->login() #3 {main}
After quite a bit of research I only came up with the suggestion to add the following to Http.php, which I did but to no avail. The last line is the one added.
CURLOPT_URL => $url,
CURLOPT_TIMEOUT => 60, // secs
CURLOPT_RETURNTRANSFER => TRUE,
CURLOPT_HEADER => TRUE,
// disable SSL certificate validation
CURLOPT_SSL_VERIFYPEER => FALSE,
// this line added in hopes of successful TLS login
CURLOPT_SSL_VERIFYHOST => FALSE,
There was absolutely no change in the error. I still cannot log in. Before "upgrading" to TLS support my scripts worked perfectly. What do I need to do to get the PHP working once again?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Depending on what version of PHP you're using, you may be using PHP sockets (fopen) or Curl. I think you're using fopen and not Curl as you're thinking.
I was using PHP 5.3.3 which used Curl, and upgraded to 5.6 for memory improvements which caused the Splunk library to switch over to sockets with fopen. I discovered that the SSL communication to the Splunk management port stopped working, because PHP 5.6 now requires SSL verification by default.
The Splunk Management port may be using the default self-signed SSL cert.
You can check by using: openssl s_client -connect 192.168.50.35:8089
Fixing it may require you to add a proper SSL cert, or modify the fopen stream context options. The fopen stream context options can be set in the Http.php file, right around here: https://github.com/splunk/splunk-sdk-php/blob/master/Splunk/Http.php#L99-L108
'ssl' => array(
'verify_peer' => false,
'allow_self_signed' => true,
'verify_peer_name' => false,
),
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The above solution works like a charm. Thank you very much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You say
openssl s_client -connect 192.168.50.35:8089
How do I use that? IN a PHP script, command line?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes. You would open a terminal and type the above command. It will tell you if the SSL certificate is signed or unsigned.
Detecting Remote Code Executions With the Splunk Threat Research Team
Enter the Splunk Community Dashboard Challenge for Your Chance to Win!
.conf24 | Session Scheduler is Live!!
