SSL ValidateCertificates Still Attempts to Validate When Set to False

[cgivre]

Hello all,

We've been doing some work with the Splunk SDK, and we've found that the new parameter that is supposed to disable SSL certificate validation seems to have no effect. The result is that on testing machines we get the following error:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

We have found a workaround, however, I wanted to flag this for your team as you might want to fix it.

[ashah-splunk]

Hi @cgivre Sorry for the delay in response.
As per the analysis we found that the sequence in which the code statements are executed is resulting in exception. Ref
The required sequence is to call setValidateCertificates before setSslSecurityProtocol method i.e:-

HttpService.setValidateCertificates(validateCertificates);
HttpService.setSslSecurityProtocol(SSLSecurityProtocol.TLSv1_2);

Request you to update the code as per the above sequence and let us know if you still face the issue.
Also thanks for bringing this to our notice we will work on updating this information in the docs to avoid such issues in future.

[jnturton]

@cgivre @ashah-splunk changing the call sequence as suggested above is only a workaround to this bug if an SSL protocol that is different to the one set previously is provided in the call to HttpService.setSslSecurityProtocol. Only in this case the creation of a new SSLSocketFactory will be triggered and the validateCertificates option applied.

[ashah-splunk]

@jnturton yes changing the sequence is a workaround. We have already made the necessary changes in the SDK on the similar lines that you described (Ref PR). The changes will be available in the next Release, till that we request you to apply the workaround. Will update you once we have a new release published.

[ashah-splunk]

@cgivre , @jnturton the necessary changes have been merged in the latest release of the Splunk Java SDK request you to test with the latest version and let us know if you are still facing the issue. sorry for the delay in the update.