Using uberAgent With Self-Signed Certificates
uberAgent natively supports secure data transport for multiple backends, like Splunk, Elasticsearch, or Apache Kafka (via Confluent REST Proxy). For such communication via HTTPS uberAgent uses libcurl (a variant of curl), which is probably the highest-quality networking library available today.
One might come to a point, during a PoC or evaluation phase, when using a certificate issued by an external or internal CA is not possible or a very complex process. Backends like Splunk or Elasticsearch offer the creation of self-signed certificates, which, by default, are not trusted by libcurl when presented to the client during the communication process. Therefore communication between uberAgent and the desired backend will fail. However, there are ways to change the configuration to make such a test scenario work.
uberAgent on macOS uses the operating systems implementation of libcurl. And libcurl itself utilizes LibreSSL as its library.
This can be easily verified by typing
curl --version in the Terminal. The following output is an excerpt from a system running macOS 11.1 (Big Sur).
curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1 (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.41.0
In order to establish a successful connection, the following tasks need to be accomplished:
- Import the self-signed certificate into the macOS system keychain (aka Keychain.app), e.g. by double-clicking it
- Set the trust level for the just imported certificate to Always Trust, by using the Keychain.app
uberAgent supports a variety of different versions of Microsoft Windows. Since not every operating system release comes with its own implementation of libcurl, uberAgent takes care of that.
Libcurl for Windows relies on Schannel as its library. Since Schannel acts differently, compared to LibreSSL on macOS when dealing with self-signed certificates, the following steps are required:
- Import the self-signed CA certificate into the Windows certificate store (Trusted Root Certification Authorities)
- Depending on your requirement, add either TLSRevocationChecksDisabled or TLSRevocationChecksBestEffort (curl documentation) as an additional
ConfigFlagto your uberAgent configuration
An example configuration stanza looks like this:
DebugMode = true
ConfigFlags = TLSRevocationChecksBestEffort