Using uberAgent With Self-Signed Certificates

uberAgent natively supports secure data transport for multiple backends, such as Splunk, Elasticsearch, or Apache Kafka (via Confluent REST Proxy). For this HTTPS communication, uberAgent uses libcurl (a variant of curl), which is probably the highest-quality networking library available today.

Why Use Self-Signed Certificates

During a PoC or evaluation phase, one might reach a point where using a certificate issued by an external or internal CA is not possible or is a very complex process. Backends like Splunk or Elasticsearch offer the creation of self-signed certificates, which, by default, are not trusted by libcurl when presented to the client during the communication process. Therefore, communication between uberAgent and the desired backend will fail. However, there are ways to change the configuration to make such a test scenario work.

Working With Self-Signed Certificates on macOS

uberAgent on macOS uses the operating system's implementation of libcurl, and libcurl itself uses LibreSSL as its TLS library.
This can be easily verified by typing curl --version in the Terminal. The following output is an excerpt from a system running macOS 11.1 (Big Sur).

curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1 (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.41.0

In order to establish a successful connection, the following tasks need to be accomplished:

  • Import the self-signed certificate into the macOS system keychain (aka, e.g. by double-clicking it
  • Set the trust level for the just imported certificate to Always Trust, by using the

Working With Self-Signed Certificates on Windows

uberAgent supports a variety of different versions of Microsoft Windows. Since not every operating system release comes with its own implementation of libcurl, uberAgent takes care of that. For example, uberAgent 6.1 ships version 7.73.0.

libcurl for Windows relies on Schannel as its TLS library. Since Schannel behaves differently from LibreSSL on macOS when dealing with self-signed certificates, the following steps are required:

  • Import the self-signed CA certificate into the Windows certificate store (Trusted Root Certification Authorities)
  • Depending on your requirement, add either TLSRevocationChecksDisabled or TLSRevocationChecksBestEffort (curl documentation) as an additional ConfigFlag to your uberAgent configuration

An example configuration stanza looks like this:

DebugMode = true
ConfigFlags = TLSRevocationChecksBestEffort
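
The first Windows step above can be scripted as follows. This is an added example, not code from uberAgent or its vendor; the parameter names $CertPath and $ExpectedSha256 are assumptions, and the expected fingerprint is one the operator obtains from the backend administrator out of band. Because a certificate in Trusted Root Certification Authorities is trusted by every Schannel client on the machine, the script checks the fingerprint before importing and shows how to remove the certificate once the PoC ends.

```powershell
# Added example (not part of the original article). Run in an elevated session.
# $CertPath: path to the backend's self-signed CA certificate (.cer/.crt), operator supplied.
# $ExpectedSha256: SHA-256 fingerprint obtained out of band, operator supplied.
param(
    [Parameter(Mandatory = $true)][string]$CertPath,
    [Parameter(Mandatory = $true)][string]$ExpectedSha256
)
$ErrorActionPreference = 'Stop'

# Load the certificate from disk without touching any certificate store yet.
$fullPath = (Resolve-Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

# Compare the SHA-256 fingerprint of the DER bytes with the expected value.
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$actual   = -join ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') })
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($actual -ne $expected) {
    throw "Fingerprint mismatch: file has $actual. Nothing was imported."
}

# Refuse certificates outside their validity period; Schannel would reject them anyway.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not valid now (valid $($cert.NotBefore) to $($cert.NotAfter))."
}

# A self-signed certificate names itself as issuer; warn if this one does not.
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning "Subject and issuer differ, so this is not a self-signed certificate."
}

# Import into the machine-wide Trusted Root Certification Authorities store.
$imported = Import-Certificate -FilePath $fullPath -CertStoreLocation Cert:\LocalMachine\Root
Write-Output "Imported '$($imported.Subject)', thumbprint $($imported.Thumbprint), expires $($imported.NotAfter)"

# When the PoC ends, remove the trust anchor again:
#   Remove-Item "Cert:\LocalMachine\Root\$($imported.Thumbprint)"
```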
