
Cannot download WSS logs via SyncAPI after October 28 2022


Article ID: 253450


Products

Standard Web Security

Issue/Introduction

A SIEM API client downloads WSS HTTP logs via the SyncAPI endpoint.

WSS logs were downloaded and ingested correctly into the SIEM until October 28, 2022, after which no new logs are visible.

Downloading the same logs using curl works fine.

The SIEM logs show TLS handshake errors such as the following:

SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

Cause

TLS 1.1 support has been removed from the Portal, impacting all requests into Portal and not just the WSS administration tool.

The SIEM client was set to use TLS 1.1, which failed.

Resolution

Make sure that your SIEM client uses TLS 1.2 or greater for all requests into the SyncAPI endpoint.
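
As an added example (not code from this article or from any SIEM vendor), the following preflight check reports whether a client's TLS settings can still offer TLS 1.2 or greater. It assumes the client is built on Python's standard ssl module; the function names are hypothetical, and the "legacy" context is a constructed stand-in for a client capped at TLS 1.1.

```python
import ssl
import warnings

# Lowest protocol version the article says SyncAPI requests must use.
REQUIRED_MIN = ssl.TLSVersion.TLSv1_2

# Each version at or above REQUIRED_MIN, with the legacy flag that disables it.
_ACCEPTED = ((ssl.TLSVersion.TLSv1_2, ssl.OP_NO_TLSv1_2),
             (ssl.TLSVersion.TLSv1_3, ssl.OP_NO_TLSv1_3))

# MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are negative sentinels, not protocol
# numbers, so map them to real versions before comparing.
_SENTINELS = {ssl.TLSVersion.MINIMUM_SUPPORTED: ssl.TLSVersion.SSLv3,
              ssl.TLSVersion.MAXIMUM_SUPPORTED: ssl.TLSVersion.TLSv1_3}


def offered_accepted_versions(ctx):
    """Return the TLS versions >= 1.2 that this client context can offer."""
    lo = _SENTINELS.get(ctx.minimum_version, ctx.minimum_version)
    hi = _SENTINELS.get(ctx.maximum_version, ctx.maximum_version)
    return [version for version, disable_flag in _ACCEPTED
            if lo <= version <= hi and not ctx.options & disable_flag]


def meets_requirement(ctx):
    """True if the context can negotiate TLS 1.2 or greater."""
    return bool(offered_accepted_versions(ctx))


def hardened_client_context():
    """Client context that refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # keeps certificate and hostname checks on
    ctx.minimum_version = REQUIRED_MIN
    return ctx


def legacy_client_context():
    """Constructed stand-in for the failing SIEM client: capped at TLS 1.1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with warnings.catch_warnings():  # recent Pythons warn that TLS 1.1 is deprecated
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    return ctx


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, meets_requirement(ctx), [v.name for v in offered_accepted_versions(ctx)])
```

The check also catches clients that keep a permissive version range but disable TLS 1.2 and 1.3 through the older OP_NO_TLSv1_x option flags.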

Additional Information

curl worked because it defaults to TLS 1.3 in this setup. curl parameters exist to force a TLS 1.1 session, in which case the same issue is seen:

$ curl "https://portal.threatpulse.com/reportpod/logs/sync?startDate=0&endDate=0&token=none" -H "X-APIUsername:xxxxxxx" -H "X-APIPassword:yyyyy" -o /dev/null --tlsv1.1 --tls-max 1.1
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure