IBM QRadar SOAR

  • 1.  SSL Error when connecting to any external resources

    Posted Thu June 25, 2020 11:31 AM
    I am getting an SSL Error when connecting to any external resources using resilient functions. I have downloaded the ssl certs into untrusted_certs.pem configured in app.config yet this has yielded no results for any resilient functions needing to connect to external links. Does anyone have any idea as to why this may be?

    2020-06-25 08:42:57,935 ERROR [requests_common] HTTPSConnectionPool(host='urlscan.io', port=443): Max retries exceeded with url: /api/v1/scan/ (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')])")))

    2020-06-25 08:46:12,305 WARNING [connectionpool] Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')])"))': /api/v1/indicators/url/https://www.myurl.com/l/AADYYIXxuq99V4ZUF0jiYeBlcOvAhIQdrww/general

    ------------------------------
    Matthew Figueroa
    ------------------------------


  • 2.  RE: SSL Error when connecting to any external resources

    Posted Fri June 26, 2020 05:11 AM
    Hi Matthew,

    Thanks for posting here. To add some context for others when reading, Matthew has an SSL proxy that breaks the SSL certificate chain, replacing the chain with internal certificates from their proxy. This means that when the function tries to validate the SSL certificate of urlscan.io, it returns as being invalid.

    It seems that this function would benefit from being able to bypass SSL verification or ideally Matthew could provide a chained pem file which it can trust when connecting to urlscan.io.

    ------------------------------
    BEN WILLIAMS
    ------------------------------



  • 3.  RE: SSL Error when connecting to any external resources

    Posted Fri June 26, 2020 08:35 AM
    Thank you Ben. The error seems to appear at Requests Common so I may be able to fix this issue by specifying the proxy server in the app.config file under [integrations] as shown in the RequestsCommon code.

    class RequestsCommon:
        """
        This class represents common functions around the use of the requests package for REST based APIs.
        It incorporates the app.config section "integrations" which can be used to define a common set of proxies
        for use by all functions using this library:
        [integrations]
        http_proxy=
        https_proxy=
        Similar properties may exist in the function's section which would override the [integrations] properties.
        """
        def __init__(self, opts=None, function_opts=None):
            # capture the properties for the integration as well as the global settings for all integrations for proxy urls
            self.integration_options = opts.get('integrations', None) if opts else None
            self.function_opts = function_opts
    
        def get_proxies(self):
            """ proxies can be specified globally for all integrations or specifically per function """
            proxies = None
            if self.integration_options and (self.integration_options.get("http_proxy") or self.integration_options.get("https_proxy")):
                proxies = {'http': self.integration_options.get("http_proxy"), 'https': self.integration_options.get("https_proxy")}
    
            if self.function_opts and (self.function_opts.get("http_proxy") or self.function_opts.get("https_proxy")):
                proxies = {'http': self.function_opts.get("http_proxy"), 'https': self.function_opts.get("https_proxy")}
    
            return proxies


    ------------------------------
    Matthew Figueroa
    ------------------------------



  • 4.  RE: SSL Error when connecting to any external resources

    Posted Fri June 26, 2020 09:02 AM
    Hi Matthew,

    Have you set up a proxy to be used by Resilient Circuits? 

    https://www.ibm.com/support/pages/node/1160488

    ------------------------------
    BEN WILLIAMS
    ------------------------------



  • 5.  RE: SSL Error when connecting to any external resources

    Posted Fri June 26, 2020 09:30 AM
    Edited by Matthew Figueroa Fri June 26, 2020 11:57 AM
    Scratch that, there's no proxy at all. I'm not sure why this is occurring then. I can call the API via curl commands and successfully retrieve information from the urlscan.io API and the AlienVault API. This only fails when I use the resilient functions.

    Otx.Alienvault Error
    2020-06-26 11:44:53,351 WARNING [connectionpool] Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')])"))': /api/v1/indicators/url/https://www.dropbox.com/l/AACo0aVNsX-o0TD11zO-/general

    Urlscan.io Error
    2020-06-26 11:42:45,813 ERROR [requests_common] HTTPSConnectionPool(host='urlscan.io', port=443): Max retries exceeded with url: /api/v1/scan/ (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')])")))
    <task_failure[functionworker] (<task[functionworker] (<function function.__call__.<locals>.decorated.<locals>._call_the_task at 0x7f7c75d8f160>, <urlscanio[functions.urlscanio] (id=10, workflow=example_urlscanio, user=matthew.figueroa) 2020-06-26 15:42:44.928000> urlscanio_public=False, urlscanio_url='https://www.dropbox.com/l/AACo0aVNsX-o0TD11zO-', incident_id=2348)>, (<class 'resilient_circuits.action_message.FunctionException_'>, FunctionException_(IntegrationError('HTTPSConnectionPool(host=\'urlscan.io\', port=443): Max retries exceeded with url: /api/v1/scan/ (Caused by SSLError(SSLError("bad handshake: Error([(\'SSL routines\', \'ssl3_get_server_certificate\', \'certificate verify failed\')])")))')), <traceback object at 0x7f7ca3b329c0>) )>

    ------------------------------
    Matthew Figueroa
    ------------------------------



  • 6.  RE: SSL Error when connecting to any external resources

    Posted Fri June 26, 2020 12:10 PM
    I managed to fix the problem by upgrading to certifi 2020.6.20 from 2020.5!

    ------------------------------
    Matthew Figueroa
    ------------------------------
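
Added example, not part of the thread and not IBM's or the resilient libraries' code: a Python check that reports which CA bundle `requests` verifies against and how it compares with OpenSSL's default CA file, since a certifi upgrade fixing failures that curl never showed points at two different trust stores. The function names and report keys are assumptions made for this sketch; the environment variables and the certifi fallback are standard `requests` behaviour.

```python
import os
import ssl


def requests_ca_bundle(env=None):
    """Return (source, path) of the CA bundle requests uses when verify=True."""
    env = os.environ if env is None else env
    # requests (with trust_env on) checks these variables in this order ...
    for name in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if env.get(name):
            return name, env[name]
    try:
        import certifi  # ... and otherwise falls back to certifi's bundle
    except ImportError:
        return "none", None
    return "certifi", certifi.where()


def describe_bundle(path):
    """Load a PEM file as a TLS client would and count the CA certs in it."""
    info = {"path": path, "usable": False, "ca_certs": 0}
    if not path or not os.path.isfile(path):
        return info
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except (ssl.SSLError, OSError):
        return info  # unreadable, or no certificate found in the file
    info.update(usable=True, ca_certs=ctx.cert_store_stats()["x509_ca"])
    return info


def trust_report(env=None):
    """Compare the bundle requests would use with OpenSSL's default CA file."""
    source, path = requests_ca_bundle(env)
    try:
        import certifi
        version = certifi.__version__
    except ImportError:
        version = None
    return {
        "requests_source": source,
        "requests_bundle": describe_bundle(path),
        "openssl_default": describe_bundle(ssl.get_default_verify_paths().cafile),
        "certifi_version": version,
    }


if __name__ == "__main__":
    for key, value in trust_report().items():
        print(f"{key}: {value}")
```

Run it with the same interpreter and environment that runs the functions; a stale `certifi_version` or an unusable `requests_bundle` is something to fix in the trust store, not by turning verification off.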