STAXX and OpenTaxii server


#1

Hi,

We are setting up an OpenTaxii server (EclecticIQ). I get it up and running with the “default” configuration of some services (collections, discovery services, etc.). I run it with WSGI gunicorn, no HTTPS, no authentication, and the config files from the EclecticIQ GitHub as references.

I can do discovery and check collections from cabby, both on the local server (the TAXII server) and remotely from another client. I can see the services and collections.

But in STAXX, when adding the site, I get the error:

“Task State: Failed
TAXII request failed (35), check log for details.”

Checking the logs (collect logs) in STAXX gives me the below:

“https://***:8080/settings/sitespage/?id=10” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/*** Safari/537.36”
[2019-03-22 06:47:36,358] [ERROR] (35, 'Unknown SSL protocol error in connection to ***:9000 ')
[2019-03-22 06:47:36,360] [ERROR] STAXX: Failed to get_feeds for site http://***:9000/services/discovery-a, response: None
[2019-03-22 06:47:36,361] [ERROR] TAXII request failed (35), check log for details.
Traceback (most recent call last):
File “taxii_stix.py”, line 795, in get_feeds
File “taxii_stix.py”, line 524, in make_request
Exception: TAXII request failed (35), check log for details.
[2019-03-22 06:47:36,361] [ERROR] Discovery failed.
[2019-03-22 06:47:36,362] [ERROR] TAXII request failed (35), check log for details.
Traceback (most recent call last):
File “webapp/services/feed_service.py”, line 279, in _doDiscovery
File “webapp/services/feed_service.py”, line 294, in _do_taxii1x_discovery
File “taxii_stix.py”, line 795, in get_feeds
File “taxii_stix.py”, line 524, in make_request
Exception: TAXII request failed (35), check log for details.
[2019-03-22 06:47:36,546] [INFO ] *** - - [22/Mar/2019:06:47:36] "GET

Any help would be appreciated. Why is STAXX not able to do discovery, but Cabby is?

thanks,
Mikael Fryksten


#2

Reply to self:

I think this has to do with STAXX opening TLS (client hello in packet capture). Any way to disable TLS? I only have the http:// prefix; I would have guessed it should not attempt TLS?

Regards,
Mikael
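
An added example, not part of the original thread and not STAXX or OpenTAXII code: a small Python probe that checks whether a listener completes a TLS handshake or only answers plaintext HTTP, which is the mismatch the packet capture in post #2 points to. The local test server and all function names are constructed for illustration.

```python
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

class PlainHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a TAXII service served over plain HTTP."""
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")
    def log_message(self, *args):  # keep the demo quiet
        pass

def start_plain_http():
    """Start a plaintext HTTP listener on a free localhost port."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), PlainHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def speaks_tls(host, port, timeout=2.0):
    """True if the listener completes a TLS handshake (trust is not checked)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # protocol probe only, never reuse for real traffic
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False  # e.g. the ClientHello reached a plaintext HTTP server

def speaks_plain_http(host, port, timeout=2.0):
    """True if the listener answers a cleartext request with an HTTP status line."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"GET / HTTP/1.0\r\nHost: probe\r\n\r\n")
            return raw.recv(16).startswith(b"HTTP/")
    except OSError:
        return False

def classify(host, port):
    """Report which URL scheme a client must use for this listener."""
    if speaks_tls(host, port):
        return "https"
    return "http" if speaks_plain_http(host, port) else "unreachable"

if __name__ == "__main__":
    srv = start_plain_http()
    print(classify("127.0.0.1", srv.server_port))
```

A result of `http` for a listener means any client that opens the connection with a TLS ClientHello will fail the handshake there, regardless of the URL prefix configured.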