Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk forwarder is not validating path length basic constraint against TLS server certificate

spilli
Explorer
‎11-05-2024 05:09 AM

We are using Splunk forwarder v9.0.3. We would like to have Splunk forwarder to reject the TLS server certificate if path length basic constraint condition fails.

We generated the TLS server certificate with pathlen as 0 in "root CA" and chain is "root CA -> intermediate CA -> server certificate".  As "root CA" pathlen is 0, no intermediate CA should be present. But, forwarder accepting the chain "root CA -> intermediate CA -> server certificate".

Is this a known limitation or does it require a configuration change to basic constraint validation on path length? Please advise.

Below is our outputs.conf contents.

[tcpout-server://host:port]
clientCert = /<..>/clientCert.pem
sslPassword = <..>
sslRootCAPath = /<..>/ca.pem
sslVerifyServerCert = true
sslVerifyServerName = true

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎11-05-2024 06:30 AM

You want the client to accept server's certificate only if it's been issued directly by the RootCA, not by any subCAs? I don't think you can do that. I don't recall I've seen such thing anywhere. That's how PKI works and that's how it's supposed to work. You don't trust subCA, don't issue a CA cert for it.

View solution in original post

Reply
Solved! Jump to solution

spilli
Explorer
‎11-05-2024 07:16 AM

Hi @PickleRick 

Path length constraint validation is working fine when path length is minimum of 1 on Root CA and path length 0 from intermediate CA onwards. Thanks for your guidance.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-05-2024 07:19 AM

Yes, I haven't used it myself but indeed you need to have your CAs issued properly (with proper path length constraint. I thought you wanted an additional setting for that. As far as I remember subsequent subCAs can redefine the constraint from the "upper" CA by making it "stronger"

Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎11-05-2024 06:30 AM

You want the client to accept server's certificate only if it's been issued directly by the RootCA, not by any subCAs? I don't think you can do that. I don't recall I've seen such thing anywhere. That's how PKI works and that's how it's supposed to work. You don't trust subCA, don't issue a CA cert for it.

Reply
Solved! Jump to solution

spilli
Explorer
‎11-05-2024 06:37 AM

Hi @PickleRick ,

My requirement is on path length validation. I can try with having path length = 1. In this case, only 1 intermediate CA should be allowed. If a 2nd level of intermediate CA issues server certificate, it should be failed.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...