TheHive-MISP Integration SSL #726

Closed
nut1lns opened this issue Sep 19, 2018 · 6 comments
nut1lns commented Sep 19, 2018

Cannot connect Thehive with MISP

TheHive- Linux debian 4.9.0-7-amd64 #1 SMP Debian 4.9.110-3+deb9u2 (2018-08-13) x86_64 GNU/Linux

MISP- Linux ubuntu 4.15.0-34-generic #37~16.04.1-Ubuntu SMP Tue Aug 28 10:44:06 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

thehive status
not misp

/etc/thehive/application.conf file

```
# MISP
# TheHive can connect to one or multiple MISP instances. Give each MISP
# instance a name and specify the associated Authkey that must be used
# to poll events, the case template that should be used by default when
# importing events as well as the tags that must be added to cases upon
# import.

# Prior to configuring the integration with a MISP instance, you must
# enable the MISP connector. This will allow you to import events to
# and/or export cases to the MISP instance(s).
#play.modules.enabled += connectors.misp.MispConnector

## Enable the MISP module (import and export)
play.modules.enabled += connectors.misp.MispConnector

misp {
  "MISP-SERVER-ID" {
    # URL of the MISP instance.
    url = "https://192.168.11.161"

    # Authentication key.
    key = "b4WnAZrCQhKu2veHaNsik48jvUZPLQO3Q7fP0Q3P"

    # Name of the case template in TheHive that shall be used to import
    # MISP events as cases by default.
    caseTemplate = "MISP Event One"

    # Tags to add to each observable imported from an event available on
    # this instance.
    tags = ["misp"]

    # Truststore to use to validate the X.509 certificate of the MISP
    # instance if the default truststore is not sufficient.
    # ws.ssl.trustManager.stores = [
    #   {
    #     type: "JKS"
    #     path: "/opt/thehive/conf/KeyStore.jks"
    #   }
    # ]

    # HTTP client configuration, more details in section 8
    # ws {
    #   proxy {}
    #   ssl {}
    # }

    # filters:
    max-attributes = 1000
    max-size = 1 MiB
    max-age = 7 days
    exclusion {
      organisation = ["bad organisation", "other orga"]
      tags = ["tag1", "tag2"]
    }

    # MISP purpose defines if this instance can be used to import events (ImportOnly), export cases (ExportOnly) or both (ImportAndExport)
    # Default is ImportAndExport
    purpose = ImportAndExport
  }

  # Interval between consecutive MISP event imports in hours (h) or
  # minutes (m).
  interval = 1h
}
```

TheHive log info:

2018-09-20 07:52:58,045 [INFO] from connectors.misp.MispSynchro in application-akka.actor.default-dispatcher-7 - Misp synchronization failed
java.net.ConnectException: General SSLEngine problem
	at play.shaded.ahc.org.asynchttpclient.netty.channel.NettyConnectListener.onFailure(NettyConnectListener.java:168)
	at play.shaded.ahc.org.asynchttpclient.netty.channel.NettyConnectListener$1.onFailure(NettyConnectListener.java:139)
	at play.shaded.ahc.org.asynchttpclient.netty.SimpleFutureListener.operationComplete(SimpleFutureListener.java:26)
	at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:507)
	at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListeners0(DefaultPromise.java:500)
	at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListenersNow(DefaultPromise.java:479)
	at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListeners(DefaultPromise.java:420)
	at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.tryFailure(DefaultPromise.java:122)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.notifyHandshakeFailure(SslHandler.java:1443)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1435)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1409)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.handleUnwrapThrowable(SslHandler.java:1114)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1093)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1122)
	at play.shaded.ahc.io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:491)
	at play.shaded.ahc.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:430)
	at play.shaded.ahc.io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:267)
	at play.shaded.ahc.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:356)
	at play.shaded.ahc.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:342)
	at play.shaded.ahc.io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:335)
	at play.shaded.ahc.io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1302)
	at play.shaded.ahc.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:356)
	at play.shaded.ahc.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:342)
	at play.shaded.ahc.io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
	at play.shaded.ahc.io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:131)
	at play.shaded.ahc.io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:646)
	at play.shaded.ahc.io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:581)
	at play.shaded.ahc.io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498)
	at play.shaded.ahc.io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:460)
	at play.shaded.ahc.io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:131)
	at play.shaded.ahc.io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:138)
	at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:272)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1175)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1087)
	... 19 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1324)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1232)
	... 20 common frames omitted
Caused by: java.security.cert.CertificateException: No subject alternative names present
	at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:145)
	at sun.security.util.HostnameChecker.match(HostnameChecker.java:94)
	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
	... 28 common frames omitted
2018-09-20 07:52:58,491 [INFO] from play.core.server.AkkaHttpServer in main - Listening for HTTP on /0:0:0:0:0:0:0:0:9000
2018-09-20 07:52:58,505 [INFO] from play.core.server.AkkaHttpServer in main - Listening for HTTPS on /0:0:0:0:0:0:0:0:9444



I already checked my MISP certificates. Can you help me please? Is this a problem from MISP or TheHive?

@nadouani
Contributor

Hello, can you please check the issue's description, it's a bit malformed and unreadable.

Thanks

@nut1lns
Author

nut1lns commented Sep 21, 2018

Done

@chrissommer

Hi nut1lns,

we had the same problem with MISP and Hive - we solved it by adding Subject Alternate Names to the MISP Certificate. (According to your error message)
I can't find the link to the solution right now (was a long time ago), but here is what our Cert Request looks like - with the SANs in the Cert everything should work fine.

```
[ req ]
default_bits = 4096
default_keyfile = YOUR_KEYFILE.key
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName = YOUR COUNTRY CODE
stateOrProvinceName = YOUR COUNTRY
L = YOUR CITY
O = YOUR COMPANY
0.OU = YOUR OU
commonName = YOUR COMMON NAME
emailAddress = YOUR EMAIL

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = YOUR DNS NAMES
DNS.2 = YOUR DNS NAMES
DNS.3 = YOUR DNS NAMES
IP.1 = YOUR IP ADDRESS
```

BR
Chris

@nut1lns
Author

nut1lns commented Sep 27, 2018

Thanks chrissommer! That worked!

But now I have another error

`2018-09-27 09:26:18,193 [INFO] from connectors.misp.MispSynchro in application-akka.actor.default-dispatcher-5 - Misp synchronization failed
java.net.ConnectException: General SSLEngine problem
	at play.shaded.ahc.org.asynchttpclient.netty.channel.NettyConnectListener.onFailure(NettyConnectListener.java:168)
	at play.shaded.ahc.org.asynchttpclient.netty.channel.NettyConnectListener$1.onFailure(NettyConnectListener.java:139)
	at play.shaded.ahc.org.asynchttpclient.netty.SimpleFutureListener.operationComplete(SimpleFutureListener.java:26)
	at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:507)
	at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListeners0(DefaultPromise.java:500)
	at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListenersNow(DefaultPromise.java:479)
	at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListeners(DefaultPromise.java:420)
	at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.tryFailure(DefaultPromise.java:122)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.notifyHandshakeFailure(SslHandler.java:1443)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1435)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1409)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.handleUnwrapThrowable(SslHandler.java:1114)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1093)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1122)
	at play.shaded.ahc.io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:491)
	at play.shaded.ahc.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:430)
	at play.shaded.ahc.io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:267)
	at play.shaded.ahc.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:356)
	at play.shaded.ahc.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:342)
	at play.shaded.ahc.io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:335)
	at play.shaded.ahc.io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1302)
	at play.shaded.ahc.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:356)
	at play.shaded.ahc.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:342)
	at play.shaded.ahc.io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
	at play.shaded.ahc.io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:131)
	at play.shaded.ahc.io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:646)
	at play.shaded.ahc.io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:581)
	at play.shaded.ahc.io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498)
	at play.shaded.ahc.io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:460)
	at play.shaded.ahc.io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:131)
	at play.shaded.ahc.io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:138)
	at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:272)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1175)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1087)
	... 19 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1324)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1232)
	... 20 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
	at sun.security.validator.Validator.validate(Validator.java:262)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
	... 28 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
	... 34 common frames omitted`

"unable to find valid certification path to requested target" Is this a Java problem? Is this path configurable in TheHive's application.conf?

@chrissommer

I don't know that error, but does your Box trust the root and int CA, which signed the cert for MISP?

Also the first hit on Google delivers some pretty good results, you could try:
https://stackoverflow.com/questions/6908948/java-sun-security-provider-certpath-suncertpathbuilderexception-unable-to-find

BR
Chris
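The two stack traces in this thread correspond to two independent checks: identity (an IP-type SAN must cover the address in `url`) and path (the CA that signed the MISP certificate must be in the truststore). The lab script below is an added example, not part of any comment above or of TheHive; it assumes `openssl` is installed, and the CA names, file names and `misp.example.test` are constructed.

```shell
#!/bin/sh
# Constructed lab: throwaway keys and CAs only, nothing contacts a real MISP host.
MISP_IP="192.168.11.161"   # the address in url = "https://192.168.11.161"
WORK="$(mktemp -d)"

# make_ca NAME SUBJECT: self-signed root written to $WORK/NAME.crt
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert NAME [SAN]: server cert signed by the "lab" CA. SAN is the
# subjectAltName value; omit it to mimic the certificate from the first trace.
# The extension is set at signing time: what matters is the issued cert,
# not what the request asked for.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$MISP_IP" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  extopt=""
  if [ -n "${2:-}" ]; then
    printf 'subjectAltName = %s\n' "$2" > "$WORK/$1.ext"
    extopt="-extfile $WORK/$1.ext"
  fi
  # $extopt is left unquoted on purpose so it splits into flag and path.
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/lab.crt" -CAkey "$WORK/lab.key" \
    -CAcreateserial -days 1 $extopt -out "$WORK/$1.crt" 2>/dev/null
}

# Identity check (first trace): is there an IP SAN equal to the address?
# A CN of 192.168.11.161 or a DNS-only SAN does not count.
ip_matches() {   # ip_matches CERTNAME IP
  openssl x509 -in "$WORK/$1.crt" -noout -checkip "$2" | grep -q 'does match'
}

# Path check (second trace): does the cert chain to a CA in the trust file?
chain_ok() {     # chain_ok CERTNAME TRUSTNAME
  openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" 2>/dev/null | grep -q ': OK$'
}

run_lab() {
  make_ca lab "Lab Root CA"        # stands in for the CA that signed MISP's cert
  make_ca other "Unrelated CA"     # stands in for a truststore lacking that CA
  issue_cert nosan
  issue_cert dnsonly "DNS:misp.example.test"
  issue_cert fixed "DNS:misp.example.test,IP:$MISP_IP"
  for c in nosan dnsonly fixed; do
    ip_matches "$c" "$MISP_IP" && r=match || r=MISMATCH
    echo "identity $c: $r"
  done
  for t in other lab; do
    chain_ok fixed "$t" && r=trusted || r=UNTRUSTED
    echo "path fixed vs $t: $r"
  done
}
run_lab
```

On the TheHive side, the counterpart of the path fix is importing the signing CA into the JKS named in the commented-out `ws.ssl.trustManager.stores` block and enabling that block, for example `keytool -importcert -trustcacerts -alias misp-ca -file ca.crt -keystore /opt/thehive/conf/KeyStore.jks` (the alias and `ca.crt` are placeholders).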

@nadouani
Contributor

Closing this issue since it's not related to the product but the SSL certificate used here
