Disable old ciphers TLS 1.0, TLS 1.1 on Wazuh 4.3.4


Nicolas BLOT

Jun 27, 2022, 5:44:31 AM
to Wazuh mailing list
Hi gents,

I've installed a Wazuh 4.3.4 on Ubuntu 20.04 and it works flawlessly.
Only issue I have is that currently Greenbone is reporting that TLS 1.0 and TLS 1.1 are still available. I did some research on how to disable them but cannot figure out how to do it.

Any hints or guidance would be great on how to disable these old ciphers.

Thanks!

Gabriel Diaz Lopez de la Llave

Jun 27, 2022, 11:39:25 AM
to Wazuh mailing list
Hello Nicolas,

Since Wazuh 4.3, we provide the packages wazuh-indexer (9200/tcp) and wazuh-dashboard (443/tcp), which are redistributions of opensearch tuned for Wazuh.

For wazuh-indexer, these settings can be modified as per this documentation:


For wazuh-dashboard, be aware that it does not support TLS v1.3 yet, there is already an issue asking to add this support:


So if you set up wazuh-indexer to use TLS 1.3 it won't work with wazuh-dashboard.

If you plan to publish any Wazuh endpoint to an untrusted source, I would use a proxy to manage this.

Please let us know if this works for you!

Gabriel
PD. We will consider disabling these on default installation in future releases.

Saravanan Maragathavel

Oct 12, 2022, 11:03:08 AM
to Wazuh mailing list
Hi Gabriel,

We deployed Wazuh 4.3.4 and also received the Vulnerability issue related to TLS V1.0 and 1.1 for Dashboard and Wazuh Indexer.

We followed the below link 


But our opensearch.yml file contains the below config values

plugins.security.ssl.http.enabled_ciphers:
  - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
  - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
  - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
  - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
plugins.security.ssl.http.enabled_protocols:
  - "TLSv1.2"


Still, we are getting the vulnerability for TLS 1.0 and 1.1. Can you help to disable this?


Saravanan M.

Gabriel Diaz Lopez de la Llave

Oct 20, 2022, 2:40:59 PM
to Saravanan Maragathavel, Wazuh mailing list
Hello,

Which program is reporting the vulnerability? Do you access the dashboard through a proxy or load balancer? The dashboard disables TLS 1.0 by default, so it should not be available unless explicitly enabled. :-?

thanks,
Gabriel
PD. please remove any identification if you send information to the mail list



Saravanan Maragathavel

Oct 25, 2022, 2:09:12 AM
to Gabriel Diaz Lopez de la Llave, Wazuh mailing list
Hi Gabriel,

We are using the Tenable VA tool to assess the environment and this error was reported on the dashboard instance. We don't have a load balancer or proxy in our environment.

Saravanan Maragathavel

Nov 7, 2022, 2:14:07 AM
to Wazuh mailing list
Hi Gabriel,

I think we have given the necessary inputs for your queries. Any update or suggestion on this?

Gabriel Diaz Lopez de la Llave

Nov 7, 2022, 4:37:34 AM
to Saravanan Maragathavel, Wazuh mailing list
Hello Saravanan,

I don't know how the tenable detection works. So I don't know if it is a false positive or not.
Can you check it with curl?

$ curl -v -k --tls-max 1.0 https://WAZUH-DASHBOARD-IP/
*   Trying WAZUH-DASHBOARD-IP:443...
* Connected to WAZUH-DASHBOARD-IP (WAZUH-DASHBOARD-IP) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* error:0A0000BF:SSL routines::no protocols available
* Closing connection 0
curl: (35) error:0A0000BF:SSL routines::no protocols available

That output means curl was unable to connect using TLS 1.0. Beware that if you use the --tlsv1.0 option, other versions can still be negotiated.

If it does support it, can you share which version of Wazuh you are using and how you deployed it?

thanks,
Gabriel


Saravanan Maragathavel

Nov 9, 2022, 9:40:16 AM
to Wazuh mailing list
Hi Gabriel,

Please find the following output of the curl

curl -v -k --tls-max 1.0 https://10.16.1.166
*   Trying 10.16.1.166:443...
* Connected to 10.16.1.166 (10.16.1.166) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.0 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS header, Unknown (21):
* TLSv1.0 (IN), TLS alert, protocol version (582):
* error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
* Closing connection 0
* TLSv1.0 (IN), TLS header, Unknown (21):
* TLSv1.0 (IN), TLS alert, protocol version (582):
curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

From the above output, TLS version 1.0 is supported.

Current version of Wazuh 4.3.4

We installed it using the assistant method.

Gabriel Diaz Lopez de la Llave

Nov 9, 2022, 11:35:14 AM
to Saravanan Maragathavel, Wazuh mailing list
Hello Saravanan,

From your message I can read that curl is returning an error (return code 35) due to a protocol error (tlsv1 alert protocol version). The connection using TLS 1.0 has failed. Can you verify that if you omit the --tls-max option the curl connection works and you see a 20X HTTP response code?

Gabriel
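The two curl transcripts quoted in this thread are easy to misread, so here is an added example (my own code, not from the thread or from Wazuh) that classifies the stderr of `curl -v -k --tls-max <version> https://host/` into the three outcomes that matter: the local OpenSSL refusing to offer the old version at all (`no protocols available`, which is what the first transcript in this thread shows and which says nothing about the server), the server answering the ClientHello with a `protocol version` alert (the second transcript, a genuine rejection), and a completed handshake (`SSL connection using TLSv1.x`). The transcripts embedded below are constructed to match the shapes quoted above, with placeholder addresses from 192.0.2.0/24.

```python
import re

# Constructed transcripts (placeholder addresses from 192.0.2.0/24) of
#   curl -v -k --tls-max 1.0 https://<host>/
# shaped like the two outputs quoted in this thread, plus one success case.
CLIENT_REFUSED = """\
*   Trying 192.0.2.10:443...
* Connected to 192.0.2.10 (192.0.2.10) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* error:0A0000BF:SSL routines::no protocols available
* Closing connection 0
curl: (35) error:0A0000BF:SSL routines::no protocols available
"""

SERVER_REJECTED = """\
*   Trying 192.0.2.10:443...
* Connected to 192.0.2.10 (192.0.2.10) port 443 (#0)
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.0 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS header, Unknown (21):
* TLSv1.0 (IN), TLS alert, protocol version (582):
* error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
* Closing connection 0
curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
"""

ACCEPTED = """\
*   Trying 192.0.2.10:443...
* Connected to 192.0.2.10 (192.0.2.10) port 443 (#0)
* TLSv1.0 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Server hello (2):
* SSL connection using TLSv1.0 / ECDHE-RSA-AES128-SHA
> GET / HTTP/1.1
< HTTP/1.1 302 Found
* Connection #0 to host 192.0.2.10 left intact
"""

EXIT_RE = re.compile(r"^curl: \((\d+)\)")
NEGOTIATED_RE = re.compile(r"SSL connection using (SSLv3|TLSv1(?:\.\d)?)")
HTTP_RE = re.compile(r"^< HTTP/\d(?:\.\d)? (\d{3})")


def classify_probe(transcript):
    """Interpret one `curl -v --tls-max X` run.

    Verdicts:
      accepted         the server completed a handshake at the probed version
      client_refused   local OpenSSL would not even offer that version (proves nothing about the server)
      server_rejected  the server answered the ClientHello with a protocol_version alert
      handshake_failed curl exit 35 for some other reason (cipher mismatch, etc.)
      unknown          none of the markers were found
    """
    result = {"verdict": "unknown", "negotiated": None, "curl_exit": 0, "http_status": None}
    for line in transcript.splitlines():
        if m := EXIT_RE.match(line):
            result["curl_exit"] = int(m.group(1))
        if m := NEGOTIATED_RE.search(line):
            result["negotiated"] = m.group(1)
        if m := HTTP_RE.match(line):
            result["http_status"] = int(m.group(1))
    if result["negotiated"]:
        result["verdict"] = "accepted"
    elif "no protocols available" in transcript:
        result["verdict"] = "client_refused"
    elif "(IN), TLS alert, protocol version" in transcript:
        result["verdict"] = "server_rejected"
    elif result["curl_exit"] == 35:
        result["verdict"] = "handshake_failed"
    return result


def probe_commands(host, versions=("1.0", "1.1", "1.2")):
    """argv lists for the per-version probes. --tls-max caps the offered version;
    --tlsv1.x only raises the floor and still lets newer versions be negotiated."""
    return [["curl", "-v", "-k", "--tls-max", v, f"https://{host}/"] for v in versions]


if __name__ == "__main__":
    for name, text in (("client_refused", CLIENT_REFUSED),
                       ("server_rejected", SERVER_REJECTED),
                       ("accepted", ACCEPTED)):
        print(name, classify_probe(text))
```

Run the three probes from `probe_commands()` and feed each stderr to `classify_probe()`: only an `accepted` verdict supports a scanner finding for that version, a `server_rejected` verdict contradicts it, and a `client_refused` verdict means the probe must be repeated from a host whose OpenSSL still permits the old version, otherwise the test has measured the client, not the Wazuh dashboard.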

Saravanan Maragathavel

Nov 24, 2022, 5:52:52 AM
to Wazuh mailing list
Hi Gabriel,

Still, we are getting the below vulnerability reported from Tenable.io for dashboard port 443 and indexer port 9300.

Vulnerability 
--------------------

SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam) -- Port no:9300

TLS Version 1.1 Protocol Deprecated - Port no:443 & 9300

I have attached the output of curl with and without --tls-max 1.0


Regards,
Saravanan M.
Wazuh_Dashboard_curl_with_tlsmax_output.txt
Wazuh_Dashboard_curl_without_tlsmax_output.txt

Gabriel Diaz Lopez de la Llave

Mar 22, 2023, 4:33:44 AM
to Saravanan Maragathavel, Wazuh mailing list
Hello

The configuration for dashboard to control which ciphers are enabled would be like:

server.ssl.supportedProtocols:
 - "TLSv1.2"
server.ssl.cipherSuites:
 - "!TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
 - "!TLS_RSA_WITH_AES_128_CBC_SHA"
 - "!AES128-SHA"
 - "!ECDHE-RSA-AES128-SHA"
 - "TLS_AES_256_GCM_SHA384"
 - "TLS_CHACHA20_POLY1305_SHA256"
 - "TLS_AES_128_GCM_SHA256"
 - "ECDHE-RSA-AES128-GCM-SHA256"
 - "ECDHE-ECDSA-AES128-GCM-SHA256"
 - "ECDHE-RSA-AES256-GCM-SHA384"
 - "ECDHE-ECDSA-AES256-GCM-SHA384"
 - "DHE-RSA-AES128-GCM-SHA256"
 - "ECDHE-RSA-AES128-SHA256"
 - "DHE-RSA-AES128-SHA256"
 - "ECDHE-RSA-AES256-SHA384"
 - "DHE-RSA-AES256-SHA384"
 - "ECDHE-RSA-AES256-SHA256"
 - "DHE-RSA-AES256-SHA256"
 - "HIGH"

In the file /etc/wazuh-dashboard/opensearch_dashboards.yml 

To check if that worked, you can also use the commands: 

openssl s_client -tls1_2 -cipher ECDHE-RSA-AES128-SHA -connect localhost:443
openssl s_client -tls1_2 -cipher AES128-SHA -connect localhost:443

These commands should give an error like:

140603626386752:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1543:SSL alert number 40

Which would mean a handshake error has happened, and the connection is dropped. (See https://www.ibm.com/docs/en/developer-for-zos/9.1.1?topic=trace-ssl-alert-messages for a reference)

I think this might be a better way to check the Nessus reported vulnerability.

Regards,

Gabriel
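As an added example (my own code, not Wazuh's), a small lint over the two kinds of snippet quoted in this thread: the indexer's `plugins.security.ssl.http.*` keys in opensearch.yml and the dashboard's `server.ssl.*` keys in opensearch_dashboards.yml. It parses only the `key:` plus `- item` subset of YAML those snippets use, so it needs no PyYAML, and it reports deprecated protocols, CBC and SHA-1 suites, static-RSA suites, finite-field DHE suites (the Logjam finding above concerns the DH parameter size those use) and unexpanded OpenSSL aliases such as HIGH. Both sample configurations are constructed; the dashboard one is deliberately weak so the checks have something to flag.

```python
# Constructed configuration fragments (not taken from a live system), modelled on
# the two snippets quoted in the thread: indexer keys as in opensearch.yml,
# dashboard keys as in opensearch_dashboards.yml.
INDEXER_YML = """\
plugins.security.ssl.http.enabled_ciphers:
  - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
  - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
  - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
  - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
plugins.security.ssl.http.enabled_protocols:
  - "TLSv1.2"
"""

# A deliberately weak dashboard fragment: TLS 1.1 still enabled, two CBC/SHA-1
# suites, and the unexpanded OpenSSL alias HIGH.
WEAK_DASHBOARD_YML = """\
server.ssl.supportedProtocols:
 - "TLSv1.1"
 - "TLSv1.2"
server.ssl.cipherSuites:
 - "ECDHE-RSA-AES128-SHA"
 - "AES128-SHA"
 - "ECDHE-RSA-AES128-GCM-SHA256"
 - "HIGH"
"""

PROTOCOL_KEYS = ("plugins.security.ssl.http.enabled_protocols",
                 "server.ssl.supportedProtocols")
CIPHER_KEYS = ("plugins.security.ssl.http.enabled_ciphers",
               "server.ssl.cipherSuites")
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def parse_block_lists(text):
    """Parse the 'key:' / '  - value' YAML subset these files use (no PyYAML needed)."""
    cfg, key = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith((" ", "-")) and line.endswith(":"):
            key = line[:-1].strip()
            cfg[key] = []
        elif line.lstrip().startswith("- ") and key is not None:
            cfg[key].append(line.lstrip()[2:].strip().strip("\"'"))
        else:
            raise ValueError(f"line not handled by this minimal parser: {raw!r}")
    return cfg


def cipher_issue(name):
    """Reason a scanner would flag this suite, or None. Handles IANA (TLS_..._WITH_...)
    and OpenSSL (ECDHE-RSA-...) spellings; '!' entries are exclusions and are fine."""
    if name.startswith("!"):
        return None
    upper = name.upper()
    if upper.isalpha():
        return "OpenSSL alias, expands to suites not reviewed here (HIGH includes CBC/SHA-1 suites)"
    for bad in ("NULL", "EXPORT", "RC4", "DES", "MD5"):
        if bad in upper:
            return f"contains {bad}"
    if not any(m in upper for m in AEAD_MARKERS):
        return "CBC mode, no AEAD (SHA-1 MAC when the name ends in -SHA)"
    if upper.startswith("TLS_RSA_WITH") or upper.startswith("AES"):
        return "static RSA key exchange, no forward secrecy"
    if upper.startswith("DHE-") or "_DHE_" in upper:
        return "finite-field DHE: check the server DH parameter size (Logjam finding)"
    return None


def audit(text):
    """Return a list of human-readable findings for one config fragment."""
    cfg = parse_block_lists(text)
    findings = []
    protos = next((cfg[k] for k in PROTOCOL_KEYS if k in cfg), None)
    if protos is None:
        findings.append("no protocol list set: package default applies, confirm it with a probe")
    else:
        findings += [f"deprecated protocol enabled: {p}" for p in protos if p in DEPRECATED_PROTOCOLS]
    ciphers = next((cfg[k] for k in CIPHER_KEYS if k in cfg), None)
    if ciphers is None:
        findings.append("no cipher list set: package default applies")
    else:
        for c in ciphers:
            reason = cipher_issue(c)
            if reason:
                findings.append(f"cipher {c}: {reason}")
    return findings


if __name__ == "__main__":
    for label, text in (("indexer", INDEXER_YML), ("dashboard", WEAK_DASHBOARD_YML)):
        print(label, audit(text) or ["clean"])
```

The lint only reads configuration; it does not replace the `openssl s_client -cipher ...` probe above, because a file that looks clean can still be overridden by a default or by a proxy in front of the service, so run both.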


