SSL read <unable to receive message>

[Sandeep Renjith]

 Hi Team,

I am getting the error “ ERROR: SSL read <unable to receive message>” when trying to register Windows 7 SP1 and Windows Server 2008 agents.

The affected hosts are in an isolated environment and don’t have the latest updates.

Below is a snippet from a traffic capture on one of the affected hosts.  

It looks like the TLS negotiation is successful and application data is being exchanged.

However, no further communication on port 1514 (remoted) is seen.

After looking through earlier posts here, we changed the below values in ossec.conf on the Wazuh Manager.

<ciphers>ALL</ciphers>

<ssl_auto_negotiate>yes</ssl_auto_negotiate>

This fixed the issues on the Windows Server 2008 hosts. However the Windows 7 hosts still face the same issue.

Any help on this would be greatly appreciated.

Thank you.

Sandeep 

[jeremias...@wazuh.com]

Hi Sandeep.
Thank you for using Wazuh!
We will need to check first how this request is being processed on the manager  (If you are using a Wazuh cluster, we will work on the worker node or on the manager where you are sending the registration request), to do this, can you:
- Enable DEBUG logs on Authd -> Open local_internal_options.conf and add this line authd.debug=2
- Restart Wazuh manager.

- Retry the registration once more.

- Collect and share with us ossec.conf so we can investigate if the manager is able to respond back.

On the other hand: 

- Wich Wazuh version have you installed on the agent and the manager sides?

- Have you attempted registering the agents with Enrollment? This is a functionality since Wazuh 4.0 that allows you to automatically register the agents on start-up. You only have to define the manager IP in the agent ossec.conf (as usual) and start the agent, Enrollment will request a new key if needed.

Best regards.