Installation

splunk.com downloads SSL certificate signing behaviour

Contributor

hi all -

it seems sometime in the last few weeks, splunk has moved to cloudfront to host their downloads.

unfortunately, the download link i get from the downloads page i'm using is getting redirected (i think) and generating SSL warnings because the cert (for *.cloudfront.net) does not match the destination (splunk.com). this raises a concern when we build our deployment scripts for new forwarders, as i've had to remove certificate checking to get my scripts to work.

any insight? maybe i'm just using the wrong wget / curl URL, and the HTTP redirect comes from an unexpected source?

    # wget -O splunkforwarder-6.2.2-255606-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=Linux&version=6.2.2&product=universalforwarder&filename=splunkforwarder-6.2.2-255606-linux-2.6-x86_64.rpm&wget=true'
    --2015-03-11 06:03:25--  https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=Linux&version...
    Resolving www.splunk.com... 54.192.159.154, 54.230.159.145, 54.230.158.182, ...
    Connecting to www.splunk.com|54.192.159.154|:443... connected.
    ERROR: no certificate subject alternative name matches
        requested host name “www.splunk.com”.
    To connect to www.splunk.com insecurely, use ‘--no-check-certificate’.

    curl -O "https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=Linux&version=6.2.2&product=universalforwarder&filename=splunkforwarder-6.2.2-255606-linux-2.6-x86_64.rpm&wget=true"
    curl: (51) SSL: certificate subject name '*.cloudfront.net' does not match target host name 'www.splunk.com'

Contributor

building on the response from here, elsewhere in answers, we can hardcode the URLs via HTTPS, which are served by a proper Splunk SSL cert:

    http://download.splunk.com/releases/<version>/splunk/
    http://download.splunk.com/releases/<version>/universalforwarder/

so in the end, i use this bit of code in my build script to get both the hash and the download file securely:

    # work in a fresh temporary directory
    cd "$(mktemp -d)"
    VERSION="6.2.1"
    BUILD="splunk-6.2.1-245427-linux-2.6-amd64"
    PTYPE="deb"
    # fetch the package and its SHA-512 digest over HTTPS from download.splunk.com
    wget "https://download.splunk.com/releases/$VERSION/splunk/linux/$BUILD.$PTYPE" -O "$BUILD.$PTYPE"
    wget "https://download.splunk.com/releases/$VERSION/splunk/linux/$BUILD.$PTYPE.sha512" -O "$BUILD.$PTYPE.sha512"
    # verify the downloaded package against the digest file
    sha512sum -c "$BUILD.$PTYPE.sha512"

which outputs:

    splunk-6.2.1-245427-linux-2.6-amd64.deb: OK

note that i had to upgrade my OS to get a fresher copy of openssl, although it might've been my outdated wget install too, as mentioned here.

Splunk Employee

The wget command that I got from the download page is an http connection, not https, and it works as expected.

    green@fat ~ $  wget -O splunkforwarder-6.2.2-255606-linux-2.6-x86_64.rpm 'http://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=Linux&version=6.2.2&product=universalforwarder&filename=splunkforwarder-6.2.2-255606-linux-2.6-x86_64.rpm&wget=true'
    --2015-03-11 10:17:22--  http://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=Linux&version=...
    Resolving www.splunk.com... 54.192.140.45, 54.192.140.114, 54.192.140.61, ...
    Connecting to www.splunk.com|54.192.140.45|:80... connected.
    HTTP request sent, awaiting response... 302 Moved Temporarily
    Location: http://download.splunk.com/products/splunk/releases/6.2.2/universalforwarder/linux/splunkforwarder-6... [following]
    --2015-03-11 10:17:23--  http://download.splunk.com/products/splunk/releases/6.2.2/universalforwarder/linux/splunkforwarder-6...
    Resolving download.splunk.com... 205.251.215.40, 205.251.215.22, 205.251.215.97, ...
    Connecting to download.splunk.com|205.251.215.40|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 13912657 (13M) [application/x-rpm]
    Saving to: `splunkforwarder-6.2.2-255606-linux-2.6-x86_64.rpm'

    100%[=====================================================================================================================================>] 13,912,657  8.23M/s   in 1.6s

    2015-03-11 10:17:25 (8.23 MB/s) - `splunkforwarder-6.2.2-255606-linux-2.6-x86_64.rpm' saved [13912657/13912657]

If you are concerned about the validity of the package, you can also wget the md5 or sha512 hash by appending the appropriate extension to the end of the file name.

Contributor

apologies @matt but given a recent re-think with a colleague, i'll have to unmark the answer.

we are in fact concerned with the validity of the package contents. downloading either the package or the hash, or both via HTTP starts to defeat the purpose.

i think the easy answer / request is to ask Splunk to force SSL-enabled downloads for both the packages and the downloads page that serves the hashes, and to sign them with a certificate that matches the download URL.

i think it's becoming a de facto standard these days, so shouldn't be an unreasonable one. i've posted a similar response below that uses SSL and checks the hash.

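As an added example (not code from the thread), here is a fail-closed version of the download-and-verify step from the build script earlier in the thread, combined with the point made in this reply that fetching either the package or the digest over plain HTTP defeats the check: it refuses non-HTTPS URLs, keeps certificate checking on, and deletes a package whose SHA-512 does not match its digest file. The `fetch_and_verify` helper and the use of wget's `--https-only` are my assumptions; the download.splunk.com URL layout is the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Fetches a Splunk package and its
# .sha512 digest over HTTPS only, then verifies the package and fails closed.
# Assumes wget and coreutils sha512sum; URL layout as quoted in the thread.

# Refuse anything that is not https://, so a pasted http:// "copy link" URL
# cannot quietly fetch the package or the digest in the clear.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
}

# Download URL ($1) to file ($2). Certificate checking stays on (wget's
# default); --https-only also stops wget following a redirect back to http.
fetch() {
    require_https "$1" || return 1
    wget --https-only --quiet -O "$2" "$1"
}

# Verify package ($1) against a digest file ($2) in sha512sum format
# ("<128 hex chars>  <filename>"). Fails if the digest file has no entry for
# this filename, if the entry is malformed, or if the hash does not match;
# a package that fails is deleted so a later install step cannot pick it up.
verify_package() {
    pkg="$1"; digest_file="$2"; name=$(basename "$pkg")
    expected=$(awk -v n="$name" '{ sub(/^\*/, "", $2) } $2 == n { print $1 }' \
        "$digest_file" | head -n 1)
    if [ ${#expected} -ne 128 ]; then
        echo "$name: no valid SHA-512 entry in $digest_file" >&2
        rm -f "$pkg"; return 1
    fi
    actual=$(sha512sum "$pkg" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"; return 0
    fi
    echo "$name: FAILED (hash mismatch), removing package" >&2
    rm -f "$pkg"; return 1
}

# Fetch package and digest for one release, then verify; e.g.
# fetch_and_verify 6.2.1 splunk-6.2.1-245427-linux-2.6-amd64 deb
fetch_and_verify() {
    version="$1"; build="$2"; ptype="$3"
    base="https://download.splunk.com/releases/$version/splunk/linux/$build.$ptype"
    fetch "$base" "$build.$ptype" && fetch "$base.sha512" "$build.$ptype.sha512" &&
        verify_package "$build.$ptype" "$build.$ptype.sha512"
}
```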

Contributor

yeah, i don't know why i had https in there... i may have just done "copy link URL" instead of the wget command.

i don't like how you have to "download" the actual package just to see the wget URL... so i tried to avoid clicking it i guess.


Contributor

PS - why can't splunk just host repos for debian and redhat package types? would make life much easier for sure.
