The Hive - MISP SSL configuration: General SSLEngine problem #544

Closed
DanteDevil89 opened this issue Apr 13, 2018 · 2 comments

@DanteDevil89

Request Type

Bug

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Ubuntu 16.04.4 LTS server x86_64 |
| TheHive version / git hash | 3.0.8 |
| Package Type | DEB |
| Browser type & version | Firefox |

Problem Description

Both MISP and The Hive work but we get "General SSLEngine problem" when we try to connect them to allow The Hive to get events from MISP.

We tried to set SSL using a CA:

  • requested a certificate from the CA (file .crt);
  • set this certificate into MISP configuration file;
  • generated .jks file and set it into The Hive configuration file ("application.conf").
    After restarting The Hive, it tries to get the Events with the following error: java.net.ConnectException: General SSLEngine problem.

Steps to Reproduce

  1. Install and configure TheHive and Cortex
  2. Install MISP server
  3. Configure MISP server
  4. Connect TheHive with MISP

Complementary information

[LOG ERROR]

2018-04-13 09:02:55,428 [INFO] from connectors.misp.MispSynchro in application-akka.actor.default-dispatcher-4 - Misp synchronization failed
java.net.ConnectException: General SSLEngine problem
	at play.shaded.ahc.org.asynchttpclient.netty.channel.NettyConnectListener.onFailure(NettyConnectListener.java:168)
	at play.shaded.ahc.org.asynchttpclient.netty.channel.NettyConnectListener$1.onFailure(NettyConnectListener.java:139)
	at play.shaded.ahc.org.asynchttpclient.netty.SimpleFutureListener.operationComplete(SimpleFutureListener.java:26)
	at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:507)
	at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListeners0(DefaultPromise.java:500)
	at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListenersNow(DefaultPromise.java:479)
	at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListeners(DefaultPromise.java:420)
	at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.tryFailure(DefaultPromise.java:122)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.notifyHandshakeFailure(SslHandler.java:1443)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1435)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1409)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.handleUnwrapThrowable(SslHandler.java:1114)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1093)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1122)
	at play.shaded.ahc.io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:491)
	at play.shaded.ahc.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:430)
	at play.shaded.ahc.io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:267)
	at play.shaded.ahc.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:356)
	at play.shaded.ahc.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:342)
	at play.shaded.ahc.io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:335)
	at play.shaded.ahc.io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1302)
	at play.shaded.ahc.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:356)
	at play.shaded.ahc.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:342)
	at play.shaded.ahc.io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
	at play.shaded.ahc.io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:131)
	at play.shaded.ahc.io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:646)
	at play.shaded.ahc.io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:581)
	at play.shaded.ahc.io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498)
	at play.shaded.ahc.io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:460)
	at play.shaded.ahc.io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:131)
	at play.shaded.ahc.io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:138)
	at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:272)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1175)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1087)
	... 19 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1324)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1232)
	... 20 common frames omitted
Caused by: java.security.cert.CertificateException: No subject alternative names present
	at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:145)
	at sun.security.util.HostnameChecker.match(HostnameChecker.java:94)
	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
	at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1061)
	at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1000)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
	... 28 common frames omitted

[CONFIGURATION FILE]
/etc/thehive/application.conf

play.modules.enabled += connectors.misp.MispConnector
misp {
  "MISP-SERVER-ID" {
    url = "http://My misp server"
    key = "My user key"
    tags = ["misp"]
    caseTemplate = "test"
    max-attributes = 1000
    max-size = 1 MiB
    max-age = 7 days
    ws.ssl.trustManager {
      stores = [{
        type: "JKS" // JKS or PEM
        path: "<my path .jks file>"
        password: "<my password .jks file>"
      }]
    }
  }
  interval = 1h
}
@To-om
Contributor

To-om commented Apr 13, 2018

The error message of the initial error is "No subject alternative names present".
Can you check that the FQDN in your configured MISP url matches the name in your certificate?
If in your configuration you have:

misp {
  "MISP-SERVER-ID" {
    url = "http://mymisp.my.domain"

The CN of your certificate (or the subject-alternative-name) must contain "mymisp.my.domain".

@To-om To-om closed this as completed Apr 13, 2018
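
Added example (not part of the original thread or of TheHive's code): a simplified Python model of the RFC 2818 server-identity rule, the check performed by the `HostnameChecker.matchIP` frame in the trace above. It shows why a URL that contains an IP address fails with "No subject alternative names present" when the certificate carries only a CN. Certificates use the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`; the sample certificates, the address 192.0.2.10 and all function names are constructed for illustration, and wildcard handling is reduced to a whole left-most label.

```python
import ipaddress
from urllib.parse import urlsplit

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive compare; '*' is accepted only as the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def check_identity(url, cert):
    """Return (ok, reason) for the host part of `url` against a decoded certificate."""
    host = urlsplit(url).hostname
    sans = cert.get("subjectAltName", ())
    if _is_ip(host):
        # IP literal: only iPAddress SAN entries count, the CN is never consulted.
        if not sans:
            return (False, "No subject alternative names present")
        wanted = ipaddress.ip_address(host)
        ok = any(ipaddress.ip_address(v) == wanted for t, v in sans if t == "IP Address")
        return (ok, "IP SAN matches" if ok else "no IP SAN matches " + host)
    dns = [v for t, v in sans if t == "DNS"]
    if dns:
        # A dNSName SAN is present, so it alone decides; the CN is ignored.
        ok = any(_dns_match(v, host) for v in dns)
        return (ok, "DNS SAN matches" if ok else "no DNS SAN matches " + host)
    # No dNSName SAN at all: fall back to the subject CN.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    ok = any(_dns_match(cn, host) for cn in cns)
    return (ok, "CN matches" if ok else "CN does not match " + host)

# Constructed sample certificates (not taken from the issue).
CERT_CN_ONLY = {"subject": ((("commonName", "mymisp.my.domain"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "mymisp.my.domain"),),),
    "subjectAltName": (("DNS", "mymisp.my.domain"), ("IP Address", "192.0.2.10")),
}

if __name__ == "__main__":
    for url in ("https://192.0.2.10", "https://mymisp.my.domain"):
        for name, cert in (("CN only", CERT_CN_ONLY), ("with SAN", CERT_WITH_SAN)):
            print(url, "|", name, "|", check_identity(url, cert))
```
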
@DanteDevil89
Author

Thanks for your answer.
We made this change and now TheHive attempts to add a trusted cert. After restarting, the service status is

hiveuser@server01:~$ sudo service thehive status
● thehive.service - TheHive
   Loaded: loaded (/usr/lib/systemd/system/thehive.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2018-04-13 12:53:54 CEST; 50s ago
     Docs: https://thehive-project.org
 Main PID: 20608 (java)
    Tasks: 48
   Memory: 639.0M
      CPU: 19.019s
   CGroup: /system.slice/thehive.service
           └─20608 java -Duser.dir=/opt/thehive -Dconfig.file=/etc/thehive/application.conf -Dlogger.file=/etc/thehive/logback.xml -Dpidfile.path=/dev/null -cp /opt/thehive/lib/../conf/:/opt/thehive/lib/o

Apr 13 12:54:01 server01 thehive[20608]:   Valid from Fri Dec 24 18:50:51 CET 1999 until Tue Jul 24 16:15:12 CEST 2029
Apr 13 12:54:01 server01 thehive[20608]: adding as trusted cert:
Apr 13 12:54:01 server01 thehive[20608]:   Subject: CN=Staat der Nederlanden Root CA - G3, O=Staat der Nederlanden, C=NL
Apr 13 12:54:01 server01 thehive[20608]:   Issuer:  CN=Staat der Nederlanden Root CA - G3, O=Staat der Nederlanden, C=NL
Apr 13 12:54:01 server01 thehive[20608]:   Algorithm: RSA; Serial number: 0x67j465
Apr 13 12:54:01 server01 thehive[20608]:   Valid from Thu Nov 14 12:28:42 CET 2013 until Tue Nov 14 00:00:00 CET 2028
Apr 13 12:54:01 server01 thehive[20608]: adding as trusted cert:
Apr 13 12:54:01 server01 thehive[20608]:   Subject: CN=TeliaSonera Root CA v1, O=TeliaSonera
Apr 13 12:54:01 server01 thehive[20608]:   Issuer:  CN=TeliaSonera Root CA v1, O=TeliaSonera
Apr 13 12:54:01 server01 thehive[20608]:   Algorithm: RSA; Serial number: 0xh8gjh76u4h349ehuegfs9f0834074h477

But after a few minutes:

hiveuser@server01:~$ sudo service thehive status
● thehive.service - TheHive
   Loaded: loaded (/usr/lib/systemd/system/thehive.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2018-04-13 12:53:54 CEST; 3min 28s ago
     Docs: https://thehive-project.org
 Main PID: 20608 (java)
    Tasks: 56
   Memory: 720.3M
      CPU: 21.326s
   CGroup: /system.slice/thehive.service
           └─20608 java -Duser.dir=/opt/thehive -Dconfig.file=/etc/thehive/application.conf -Dlogger.file=/etc/thehive/logback.xml -Dpidfile.path=/dev/null -cp /opt/thehive/lib/../conf/:/opt/thehive/lib/o

Apr 13 12:57:01 server01 thehive[20608]:         at com.typesafe.sslconfig.ssl.CompositeX509TrustManager.checkServerTrusted(CompositeX509TrustManager.scala:90)
Apr 13 12:57:01 server01 thehive[20608]:         at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:999)
Apr 13 12:57:01 server01 thehive[20608]:         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
Apr 13 12:57:01 server01 thehive[20608]:         at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
Apr 13 12:57:01 server01 thehive[20608]:         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
Apr 13 12:57:01 server01 thehive[20608]:         at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
Apr 13 12:57:01 server01 thehive[20608]:         at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
Apr 13 12:57:01 server01 thehive[20608]:         at java.security.AccessController.doPrivileged(Native Method)
Apr 13 12:57:01 server01 thehive[20608]:         at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
Apr 13 12:57:01 server01 thehive[20608]:         at play.shaded.ahc.io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1324)

In the log file there is the error "No trust manager was able to validate this certificate chain: # of exceptions = 1"

[LOG FILE]
/var/log/thehive/application.log

Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:272)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1175)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1087)
	... 19 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1324)
	at play.shaded.ahc.io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1232)
	... 20 common frames omitted
Caused by: com.typesafe.sslconfig.ssl.CompositeCertificateException: No trust manager was able to validate this certificate chain: # of exceptions = 1
	at com.typesafe.sslconfig.ssl.CompositeX509TrustManager.checkServerTrusted(CompositeX509TrustManager.scala:90)
	at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:999)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
	... 28 common frames omitted
