How to disable TLs 1.0 and 1.1
207 views
Skip to first unread message
ismailctest C
Sep 20, 2023, 2:04:35 AM9/20/23
to Wazuh | Mailing List
Hi Team,
Please let us know how to disable TLs 1.0 and 1.1 and enable only 1.2 and above.
Wazuh distributed installation with elasticserach stack.
App version: 3.13.1
App revision: 0884
Install date: Aug 16, 2020 7:15:24 PM
Kibana Version: Welcome to the Wazuh app for Kibana 7.8.1
OS:
Distributor ID: Ubuntu
Description: Ubuntu 18.04.3 LTS
Release: 18.04
Codename: bionic
Description: Ubuntu 18.04.3 LTS
Release: 18.04
Codename: bionic
Harshal Paliwal
Sep 20, 2023, 2:51:54 AM9/20/23
to Wazuh | Mailing List
Hi Team,
Thanks for using the Wazuh.
Regarding Elasticsearch, it is compatible with TLS until the 1.3 version, you can check this compatibility matrix: Supported SSL/TLS versions by JDK version | Elasticsearch Guide [8.10] | Elastic
I’ve checked the configurations regarding TLS, and I saw in the JAVA the configurations are these:/usr/lib/jvm/java-11-openjdk-amd64/conf/security/java.securityjdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
In Elasticsearch the configurations are these:
Additionally, you can set up OpenDistro for Elasticsearch to use only certain versions of TLS:
TLS Certificates - Open Distro for Elasticsearch Documentationelasticsearch.ymlopendistro_security.ssl.http.enabled_protocols:
- "TLSv1.1"
- "TLSv1.2"
In Kibana, you can specify also the configurations for TLS:
configure Kibana | Kibana Guide [7.9] | Elastickibana.ymlserver.ssl.supportedProtocols: ["TLSv1.2", "TLSv1.3"]
Regarding Wazuh Manager, it uses TLS when you configure registration with certificates:
auth - Local configuration (ossec.conf) · Wazuh documentation , and by default, TLS v1.2 is used.
And also in the API communication:
/var/ossec/api/configuration/api.yaml https:
enabled: yes
key: "api/configuration/ssl/server.key"
cert: "api/configuration/ssl/server.crt"
use_ca: False
ca: "api/configuration/ssl/ca.crt"
ssl_cipher: "TLSv1.2"
In conclusion, it is not needed to have TLS v1 and v1.1 for Elasticsearch and/or Wazuh Manager. You can manage to configure it to use the versions you need.
I hope this information could be helpful.
I look forward to your feedback.Kind Regards
I’ve checked the configurations regarding TLS, and I saw in the JAVA the configurations are these:/usr/lib/jvm/java-11-openjdk-amd64/conf/security/java.securityjdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
In Elasticsearch the configurations are these:
Additionally, you can set up OpenDistro for Elasticsearch to use only certain versions of TLS:
TLS Certificates - Open Distro for Elasticsearch Documentationelasticsearch.ymlopendistro_security.ssl.http.enabled_protocols:
- "TLSv1.1"
- "TLSv1.2"
In Kibana, you can specify also the configurations for TLS:
configure Kibana | Kibana Guide [7.9] | Elastickibana.ymlserver.ssl.supportedProtocols: ["TLSv1.2", "TLSv1.3"]
Regarding Wazuh Manager, it uses TLS when you configure registration with certificates:
auth - Local configuration (ossec.conf) · Wazuh documentation , and by default, TLS v1.2 is used.
And also in the API communication:
/var/ossec/api/configuration/api.yaml https:
enabled: yes
key: "api/configuration/ssl/server.key"
cert: "api/configuration/ssl/server.crt"
use_ca: False
ca: "api/configuration/ssl/ca.crt"
ssl_cipher: "TLSv1.2"
In conclusion, it is not needed to have TLS v1 and v1.1 for Elasticsearch and/or Wazuh Manager. You can manage to configure it to use the versions you need.
I hope this information could be helpful.
I look forward to your feedback.Kind Regards
Reply all
Reply to author
Forward
0 new messages