Enable only tls v1.2 and strong ciphers
2,151 views
Skip to first unread message
martin falcon
Dec 11, 2017, 3:31:50 PM12/11/17
to Wazuh mailing list
Hello Wazuh folks. This is a fantastic OSSEC integration. We use this specifically for PCI. Unfortunately our recent security scans have resulted in a few vulnerabilities for
Wazuh-api port 55000.
With that we are needing to disable TLS 1.0 and TLS 1.1 (use only TLS 1.2). Also, there are different weak ciphers enabled.
As I can't improve the security as I did with Wazuh GUI port 443 using the nginx configuration, I was wondering if you can help us to follow the same config that we have for Kibana using nginx:
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
I saw a thread https://groups.google.com/forum/#!msg/wazuh/Iyt7LouoUiE/ICujslaEAAAJ with similar request but I didn't see any results. Because this is used for our PCI environment is critical to solve this issue asap, Disable tlsv1.1 is a requirement in PCI and the due date is 30 June 2018.
With that we are needing to disable TLS 1.0 and TLS 1.1 (use only TLS 1.2). Also, there are different weak ciphers enabled.
As I can't improve the security as I did with Wazuh GUI port 443 using the nginx configuration, I was wondering if you can help us to follow the same config that we have for Kibana using nginx:
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
I saw a thread https://groups.google.com/forum/#!msg/wazuh/Iyt7LouoUiE/ICujslaEAAAJ with similar request but I didn't see any results. Because this is used for our PCI environment is critical to solve this issue asap, Disable tlsv1.1 is a requirement in PCI and the due date is 30 June 2018.
Thanks in advance and thanks for this awesome tool.
Marta Gómez
Dec 11, 2017, 3:38:32 PM12/11/17
to Wazuh mailing list
Hello Martin,
The incoming release Wazuh 3.0 includes configurable SSL options in the API configuration. You can see the new configuration file in our github repository:
https://github.com/wazuh/wazuh-api/blob/3.0/configuration/config.js#L58
These new options will allow the user to disable TLSv1.1, TLSv1 and SSLv3. The ciphersuit will be also configurable.
Best regards,
Marta
The incoming release Wazuh 3.0 includes configurable SSL options in the API configuration. You can see the new configuration file in our github repository:
https://github.com/wazuh/wazuh-api/blob/3.0/configuration/config.js#L58
These new options will allow the user to disable TLSv1.1, TLSv1 and SSLv3. The ciphersuit will be also configurable.
Best regards,
Marta
martin falcon
Dec 11, 2017, 4:49:08 PM12/11/17
to Wazuh mailing list
This is great Marta. After, update the config.js with the following lines
I got this answer from the GUI
Thanks!
// Shared library path
config.ld_library_path = config.ossec_path + "/framework/lib"
/************************* SSL OPTIONS ****************************************/
// SSL protocol
// SSL protocol to use. All available secure protocols available at:
// https://www.openssl.org/docs/man1.0.2/ssl/ssl.html#DEALING-WITH-PROTOCOL-METHODS
config.secureProtocol = "TLSv1_2_method";
try {
// Disable the use of SSLv3, TLSv1.1 and TLSv1.0. All available secureOptions at:
// https://nodejs.org/api/crypto.html#crypto_openssl_options
const crypto = require('crypto');
config.secureOptions = crypto.constants.SSL_OP_NO_SSLv3 |
crypto.constants.SSL_OP_NO_TLSv1 |
crypto.constants.SSL_OP_NO_TLSv1_1;
} catch (err) {
console.log("Could not configure NodeJS to avoid unsecure SSL/TLS protocols: " + err)
}
// SSL ciphersuit
// When choosing a cipher, use the server's preferences instead of the client
// preferences. When not set, the SSL server will always follow the clients
// preferences. More info at:
// https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html
config.honorCipherOrder = true;
// Modify default ciphersuit. More info:
// https://nodejs.org/api/tls.html#tls_modifying_the_default_tls_cipher_suite
// config.ciphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK";
config.ciphers = "";
module.exports = config;
I got this answer from the GUI
"Settings: Unexpected error. Wazuh-Python Internal Error: file is encrypted or is not a database"
Could you help me to fix the issue?Thanks!
Message has been deleted
martin falcon
Dec 11, 2017, 5:08:13 PM12/11/17
to Wazuh mailing list
NVM, It was an issue with my own config, I updated my config with your
proposed lines and now looks that works but tlsv1.0 v1.1 was not
disabled. what I missing here?
nmap --script ssl-enum-ciphers -p 55000 server
Starting Nmap 7.40 ( https://nmap.org ) at 2017-12-11 14:01 PST
Nmap scan report for server (1xxxxxx)
Host is up (0.29s latency).
PORT STATE SERVICE
55000/tcp open unknown
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Weak certificate signature: SHA1
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Weak certificate signature: SHA1
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 1024) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 1024) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 1024) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Weak certificate signature: SHA1
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 30.11 secondsMarta Gómez
Dec 11, 2017, 5:16:24 PM12/11/17
to Wazuh mailing list
Hello Martin,
The configuration I showed you only works in Wazuh 3.0.0. It's necessary to update both the manager and the API to make it work. Wazuh 3.0.0 will be released soon.
Best regards,
Marta
The configuration I showed you only works in Wazuh 3.0.0. It's necessary to update both the manager and the API to make it work. Wazuh 3.0.0 will be released soon.
Best regards,
Marta
martin falcon
Dec 11, 2017, 5:25:29 PM12/11/17
to Wazuh mailing list
Sounds good, I will be waiting for that. Thanks!
Marta Gómez
Dec 13, 2017, 4:26:07 AM12/13/17
to Wazuh mailing list
Hello Martin,
Wazuh 3 has just been released. Please upgrade your installation and try the new API configuration.
Best regards,
Marta
Wazuh 3 has just been released. Please upgrade your installation and try the new API configuration.
Best regards,
Marta
martin falcon
Dec 18, 2017, 3:59:22 PM12/18/17
to Wazuh mailing list
Excellent, thanks a lot!
martin falcon
Dec 18, 2017, 6:04:55 PM12/18/17
to Wazuh mailing list
Marta, after update to V3 , I can't add the api configuration in the GUI. It return a code error 500 and the api.log shows these lines:
WazuhAPI 2017-12-18 22:59:54: [::ffff:1xxxxxx] GET /version? - 200 - error: '0'.
WazuhAPI 2017-12-18 22:59:54: [::ffff:1xxxxxx] GET /agents/000? - 200 - error: '1000'.
Could you help me to solve the issue?
WazuhAPI 2017-12-18 22:59:54: [::ffff:1xxxxxx] GET /version? - 200 - error: '0'.
WazuhAPI 2017-12-18 22:59:54: [::ffff:1xxxxxx] GET /agents/000? - 200 - error: '1000'.
Could you help me to solve the issue?
martin falcon
Dec 18, 2017, 6:48:43 PM12/18/17
to Wazuh mailing list
more info about the error
"message": "Wazuh-Python Internal Error: uncaught exception: Error 2001 - Incompatible version of SQLite: 3.6.20\nTry to export the internal SQLite library:\nexport LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/ossec/api/framework/lib"
"message": "Wazuh-Python Internal Error: uncaught exception: Error 2001 - Incompatible version of SQLite: 3.6.20\nTry to export the internal SQLite library:\nexport LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/ossec/api/framework/lib"
Message has been deleted
martin falcon
Dec 18, 2017, 7:22:19 PM12/18/17
to Wazuh mailing list
The framework directory doesn't exist, I can confirm that after install wazuh-api v3 ,it delete the folder /var/ossec/api/framework
ls /var/ossec/api/framework
ls: cannot access /var/ossec/api/framework: No such file or directory
ls /var/ossec/api/framework
ls: cannot access /var/ossec/api/framework: No such file or directory
Marta Gómez
Dec 19, 2017, 12:08:13 PM12/19/17
to Wazuh mailing list
Hello Martin,
Are you using CentOS 6? This error appears when the default sqlite3 version in your system is old. To fix that, change the following line of your config.js file:
config.ld_library_path = config.ossec_path + "api/framework/lib"
to
config.ld_library_path = config.ossec_path + "/framework/lib"
Since the framework is no longer in /var/ossec/api directory.
Best regards,
Marta
Are you using CentOS 6? This error appears when the default sqlite3 version in your system is old. To fix that, change the following line of your config.js file:
config.ld_library_path = config.ossec_path + "api/framework/lib"
to
config.ld_library_path = config.ossec_path + "/framework/lib"
Since the framework is no longer in /var/ossec/api directory.
Best regards,
Marta
Message has been deleted
martin falcon
Dec 19, 2017, 2:29:39 PM12/19/17
to Wazuh mailing list
Yes, I'm using Centos 6. All works perfect, and now we are using strong ciphers and only tls v1.2. Thanks a lot for your help. I hope that this helps other people.
Marta Gómez
Dec 20, 2017, 4:55:22 AM12/20/17
to Wazuh mailing list
Hello Martin,
I'm glad your problem is now solved! Don't hesitate to write again if you have more problems.
Best regards,
Marta
I'm glad your problem is now solved! Don't hesitate to write again if you have more problems.
Best regards,
Marta
Reply all
Reply to author
Forward
0 new messages