Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add ability to ignore certs for Splunk in sink #26

Closed
merbla opened this issue Jul 12, 2016 · 8 comments
Closed

Add ability to ignore certs for Splunk in sink #26

merbla opened this issue Jul 12, 2016 · 8 comments

Comments

@merbla
Copy link
Contributor

merbla commented Jul 12, 2016

From #23

In a development environment it would be helpful to ignore sinks.

An implementation similar to the Seq sink may be appropriate.

@veccsolutions
Copy link

I too am in need of this. Is there any plan for it? Dotnet core doesn't seem to have a cert validation callback like the original dot net does.

This was referenced Oct 5, 2016
@merbla
Copy link
Contributor Author

merbla commented Oct 7, 2016

@veccsolutions a new release is out with the HttpMessageHandler exposed. I will update the wiki however it may be of use to your situation.

@veccsolutions
Copy link

Thanks! I'll be checking this out in the next couple of days.

@veccsolutions
Copy link

@merbla Thanks for exposing it. However, I can't specify whether to ignore it or not through the config files. I was able to write my own sink configuration method to do it using the one you have already created as a template.

My custom configuration method is identical to yours except for the following changes.

  1. In project.json I increased the netstandard framework to 1.6 (I didn't try earlier versions, but the ServerCertificateCustomValidationCallback property wasn't in the netstandard 1.1 framework)
  2. I added an ignoreSsl parameter, and the following between your null checks and newing up the eventcollectorsink object:
             if (ignoreSsl)
             {
                 //only ignore the certificates for correct host
                 var uri = new Uri(splunkHost);
                 var lowerHost = uri.Host?.ToLowerInvariant() ?? string.Empty;
    
     #if NET45
                 ServicePointManager.ServerCertificateValidationCallback +=
                     (object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors policyErrors) =>
                         ServerCertificateCallback((sender as WebRequest)?.RequestUri?.Host, lowerHost, policyErrors);
     #else
                 HttpClientHandler client;
                 //allow custom httpmessagehandlers
                 if (messageHandler == null)
                 {
                     client = new HttpClientHandler();
                 }
                 else
                 {
                     client = messageHandler as HttpClientHandler;
                 }
    
                 //if the message handler is either HttpClientHandler or derived from it we can add to the callback
                 if (client != null)
                 {
                     client.ServerCertificateCustomValidationCallback +=
                         (HttpRequestMessage message, X509Certificate2 cert, X509Chain chain, SslPolicyErrors policyErrors) =>
                             ServerCertificateCallback(message?.RequestUri?.Host, lowerHost, policyErrors);
    
                     messageHandler = client;
                 }
     #endif
             }
    
  3. The ServerCertificateCallback method is:
        private static bool ServerCertificateCallback(string requestHost, string splunkHost, SslPolicyErrors policyErrors)
        {
            //quick check for no error
            if (policyErrors == SslPolicyErrors.None)
            {
                return true;
            }
    
            return requestHost.ToLowerInvariant() == splunkHost;
        }
    

@merbla
Copy link
Contributor Author

merbla commented Nov 25, 2016

@veccsolutions you are correct. The change was generally targeted at dotnet core and opening up the HttpMessageHandler for more than just the situation to ignore SSL certs.

We would have overload the config with an ignoreSSLValidation like param for the configuration from file to work. I am a little reluctant to implement however I know it can be a pain in development.

Generally what frameworks are you targeting?

@nblumhardt
Copy link
Contributor

Just to add to @merbla's remarks about being reluctant to add this - I think we'd expose ourselves to some criticism by dealing with SSL certificate policy in the sink. (Even in the case of self-signed certificates, it's usually better to add the certificate to the list trusted by the client machine rather than disable validation entirely.)

@veccsolutions
Copy link

That's fine. I'll continue with my separate config method. I just need to be able to do it without managing the certs on the local system and still using the config file for different deployment targets like local development vs QA vs Production etc.

@merbla merbla added this to the 2.4 milestone Jul 19, 2017
@merbla
Copy link
Contributor Author

merbla commented Aug 31, 2017

Closing this for now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants