topic Re: Splunk forwarder is not validating path length basic constraint against TLS server certificate in Splunk Enterprise

Splunk forwarder is not validating path length basic constraint against TLS server certificate

spilli — Tue, 05 Nov 2024 13:09:19 GMT

We are using Splunk forwarder v9.0.3. We would like to have Splunk forwarder to reject the TLS server certificate if path length basic constraint condition fails.

We generated the TLS server certificate with pathlen as 0 in "root CA" and chain is "root CA -> intermediate CA -> server certificate". As "root CA" pathlen is 0, no intermediate CA should be present. But, forwarder accepting the chain "root CA -> intermediate CA -> server certificate".

Is this a known limitation or does it require a configuration change to basic constraint validation on path length? Please advise.

Below is our outputs.conf contents.

[tcpout-server://host:port]
clientCert = /<..>/clientCert.pem
sslPassword = <..>
sslRootCAPath = /<..>/ca.pem
sslVerifyServerCert = true
sslVerifyServerName = true

Re: Splunk forwarder is not validating path length basic constraint against TLS server certificate

PickleRick — Tue, 05 Nov 2024 14:30:29 GMT

You want the client to accept server's certificate only if it's been issued directly by the RootCA, not by any subCAs? I don't think you can do that. I don't recall I've seen such thing anywhere. That's how PKI works and that's how it's supposed to work. You don't trust subCA, don't issue a CA cert for it.

Re: Splunk forwarder is not validating path length basic constraint against TLS server certificate

spilli — Tue, 05 Nov 2024 14:37:20 GMT

Hi @PickleRick ,

My requirement is on path length validation. I can try with having path length = 1. In this case, only 1 intermediate CA should be allowed. If a 2nd level of intermediate CA issues server certificate, it should be failed.

Re: Splunk forwarder is not validating path length basic constraint against TLS server certificate

spilli — Tue, 05 Nov 2024 15:16:32 GMT

Hi @PickleRick

Path length constraint validation is working fine when path length is minimum of 1 on Root CA and path length 0 from intermediate CA onwards. Thanks for your guidance.

Re: Splunk forwarder is not validating path length basic constraint against TLS server certificate

PickleRick — Tue, 05 Nov 2024 15:19:37 GMT

Yes, I haven't used it myself but indeed you need to have your CAs issued properly (with proper path length constraint. I thought you wanted an additional setting for that. As far as I remember subsequent subCAs can redefine the constraint from the "upper" CA by making it "stronger"