Insecure TLS 1.2 ciphers

Nataliia

unread,

Mar 22, 2023, 10:54:40 AM3/22/23

to Wazuh mailing list

Hello,

Our vulnerability scanner found the Wazuh dashboard server has following vulnerability:

Negotiated with the following insecure cipher suites: TLS 1.2 ciphers:

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_128_CCM
TLS_RSA_WITH_AES_128_CCM_8
TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256

TLS_RSA_WITH_AES_256_CCM
TLS_RSA_WITH_AES_256_CCM_8
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_ARIA_128_GCM_SHA256
TLS_RSA_WITH_ARIA_256_GCM_SHA384

How can I disable this insecure TLS 1.2 ciphers and left only secure TLS 1.2 ciphers?

Obinna Uchubilo

unread,

Mar 22, 2023, 11:16:35 AM3/22/23

to Wazuh mailing list

Hello Nataliia,

For Wazuh-indexer/dashboard:
You’ll need to modify the /etc/wazuh-indexer/opensearch.yml
And add the following configuration block:

plugins.security.ssl.http.enabled_ciphers:
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
plugins.security.ssl.http.enabled_protocols:
- "TLSv1.2"
plugins.security.ssl.transport.enabled_protocols:
- "TLSv1.2"

And then restart the service to apply the changes:
systemctl restart wazuh-indexer

Then, it is necessary to add the following line to your /etc/wazuh-dashboard/opensearch_dashboards.yml
server.ssl.supportedProtocols: ["TLSv1.2"]

And then restart the service to apply the changes:
systemctl restart wazuh-dashboard

For more information check https://opensearch.org/docs/latest/security-plugin/configuration/tls/#advanced-enabled-ciphers-and-protocols

Hope this information helps.

Regards

Nataliia

unread,

Mar 22, 2023, 11:48:34 AM3/22/23

to Wazuh mailing list

Hi Obinna,

In the /etc/wazuh-indexer/opensearch.yml already was added following strings:

plugins.security.ssl.http.enabled_ciphers:
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
plugins.security.ssl.http.enabled_protocols:
- "TLSv1.2"

And to the /etc/wazuh-dashboard/opensearch_dashboards.yml I added following string earlier:

server.ssl.supportedProtocols: ["TLSv1.2"]

Then I added following string to /etc/wazuh-indexer/opensearch.yml:

plugins.security.ssl.transport.enabled_protocols:
- "TLSv1.2"

But this caused an error when I try to go through Wazuh Dashboard GUI:

Error: Error Pattern Handler (getPatternList) at _callee$ (https://10.19.67.2/1/bundles/plugin/wazuh/wazuh.chunk.9.js:5:683259) at tryCatch (https://10.19.67.2/1/bundles/plugin/indexManagementDashboards/indexManagementDashboards.plugin.js:1:94916) at Generator.invoke [as _invoke] (https://10.19.67.2/1/bundles/plugin/indexManagementDashboards/indexManagementDashboards.plugin.js:1:98867) at Generator.throw (https://10.19.67.2/1/bundles/plugin/indexManagementDashboards/indexManagementDashboards.plugin.js:1:96055) at pattern_handler_asyncGeneratorStep (https://10.19.67.2/1/bundles/plugin/wazuh/wazuh.chunk.9.js:5:680923) at _throw (https://10.19.67.2/1/bundles/plugin/wazuh/wazuh.chunk.9.js:5:681351)

середа, 22 березня 2023 р. о 17:16:35 UTC+2 Obinna Uchubilo пише:

Obinna Uchubilo

unread,

Mar 22, 2023, 12:04:40 PM3/22/23

to Wazuh mailing list

Hi,

Can you revert to the previous configuration?

Then try making the changes one step at a time, to confirm what exact change leads to the error.

Regards

Reply all

Reply to author

Forward