Remove AES128 & AES256 Encryption


Vincent Teo

Jan 3, 2022, 1:29:35 AM
to Wazuh mailing list
Hi Wazuh Team,

I am still new to open source applications, and I am seeking assistance from anyone who can help me with this.
Recently our pentesting team's scans have resulted in a few weak TLS findings for Wazuh. Because of that we need to disable the AES encryption types with 128 bits and 256 bits. Below are the screenshots showing the weak ciphers I need to disable.

Elasticsearch
[screenshot: elastic search.png]

Kibana
[screenshot: Kibana.png]

Wazuh
[screenshot: wazuh.png]

Regards,
Vincent 

Victor M Fernandez-Castro

Feb 4, 2022, 12:29:24 PM
to Vincent Teo, Wazuh mailing list
Hi Vincent,

Sorry for such a late reply. I'm not an expert in SSL security but I will try to guide you with the configuration.

Wazuh

The manager uses TLS for agent enrollment (port 1515 opened by wazuh-authd).
Configuration reference: Wazuh | auth | ciphers
Based on OpenSSL: OpenSSL | Ciphers
File: /var/ossec/etc/ossec.conf

We need to set up the <auth> configuration in ossec.conf. We define the cipher suites separated by a colon (:). A leading exclamation mark (!) means that the suite is deleted.

So, we can either get the default value and negate those suites we don't want:
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA:!AES256-SHA256:!AES128-SHA256:!AES256-SHA:!AES128-SHA</ciphers>
Or build a value with those cipher suites we do want:
<ciphers>ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256</ciphers>

Kibana

On this side, Kibana is also based on OpenSSL, thus we can set up the cipher suites in a similar way, with the Kibana syntax.
Configuration reference: Elastic | Configure Kibana
File: /etc/kibana/kibana.yml
server.ssl.cipherSuites:
  - "ECDHE-RSA-AES256-SHA384"
  - "ECDHE-RSA-AES128-SHA256"
  - "AES256-GCM-SHA384"
  - "AES128-GCM-SHA256"
  - "TLS_AES_256_GCM_SHA384"
  - "TLS_AES_128_GCM_SHA256"

Elasticsearch

Finally, Elasticsearch needs settings for both the HTTP layer (for the REST API) and the transport layer (for communication between cluster nodes). I'm assuming you're using OpenDistro for Elasticsearch.
Configuration reference: Open Distro | Security | TLS
File: /etc/elasticsearch/elasticsearch.yml
opendistro_security.ssl.http.enabled_protocols:
  - "TLSv1.2"
  - "TLSv1.3"

opendistro_security.ssl.transport.enabled_protocols:
  - "TLSv1.2"
  - "TLSv1.3"

opendistro_security.ssl.http.enabled_ciphers:
  - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
  - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
  - "TLS_RSA_WITH_AES_256_GCM_SHA384"
  - "TLS_RSA_WITH_AES_128_GCM_SHA256"
  - "TLS_AES_256_GCM_SHA384"
  - "TLS_AES_128_GCM_SHA256"

opendistro_security.ssl.transport.enabled_ciphers:
  - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
  - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
  - "TLS_RSA_WITH_AES_256_GCM_SHA384"
  - "TLS_RSA_WITH_AES_128_GCM_SHA256"
  - "TLS_AES_256_GCM_SHA384"
  - "TLS_AES_128_GCM_SHA256"

The configuration above is accepted by the services and it seems to work. However, it may need some testing.

Hope this helps you.
Best regards.


Victor M. Fernandez-Castro 
Director of engineering | vic...@wazuh.com
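The two <ciphers> strings in the reply above use OpenSSL cipher-list syntax, and the only reliable way to know what such a string admits is to ask the OpenSSL build that will run it. The following added example (not part of the thread, not Wazuh code) feeds both strings to Python's ssl module, which wraps the same OpenSSL cipher-list parser, and reports which suites each string still selects, whether any of the eight explicitly negated suites slipped through, and which admitted suites are not AEAD (the CBC/HMAC suites such as ...-SHA256 that scanners usually flag). TLS 1.3 suites are excluded from the comparison because OpenSSL does not let the cipher string govern them. Function names and the NEGATED set are this example's own; the cipher strings are copied from the reply.

```python
import ssl

# Cipher strings copied from the ossec.conf <ciphers> examples in the reply above.
DENY_STYLE = (
    "HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH:"
    "!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:"
    "!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA:"
    "!AES256-SHA256:!AES128-SHA256:!AES256-SHA:!AES128-SHA"
)
ALLOW_STYLE = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256"
)

# The eight suites the deny-style string negates explicitly (set built for this example).
NEGATED = {
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA",
    "AES256-SHA256", "AES128-SHA256", "AES256-SHA", "AES128-SHA",
}


def expand_cipher_string(cipher_string):
    """Return the TLS 1.2-and-below suites the local OpenSSL selects for a cipher string.

    get_ciphers() also lists TLS 1.3 suites, but OpenSSL keeps those outside the
    cipher string's control, so they are dropped here to keep the comparison honest.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if the string selects nothing
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def suite_names(cipher_string):
    """OpenSSL names of the admitted suites, in the order OpenSSL will offer them."""
    return [c["name"] for c in expand_cipher_string(cipher_string)]


def _is_aead(cipher):
    # Newer Python builds report 'aead' directly; fall back to the suite name otherwise.
    if "aead" in cipher:
        return cipher["aead"]
    return any(marker in cipher["name"] for marker in ("GCM", "CHACHA20", "CCM"))


def non_aead_suites(cipher_string):
    """Admitted suites that are not AEAD, i.e. the CBC/HMAC suites a scanner tends to flag."""
    return [c["name"] for c in expand_cipher_string(cipher_string) if not _is_aead(c)]


def leaked_suites(cipher_string, banned=frozenset(NEGATED)):
    """Banned suites the string still admits; empty when the negations took effect."""
    return sorted(banned.intersection(suite_names(cipher_string)))


if __name__ == "__main__":
    for label, cipher_string in (("deny-style", DENY_STYLE), ("allow-style", ALLOW_STYLE)):
        print(f"{label}: {len(suite_names(cipher_string))} TLS<=1.2 suites selected")
        print("  negated suites still admitted:", leaked_suites(cipher_string) or "none")
        print("  non-AEAD suites still admitted:", non_aead_suites(cipher_string) or "none")
```

Running it shows the practical difference between the two styles: the allow-style string admits only the five AEAD suites it names, while the deny-style string removes exactly the eight negated suites and keeps everything else HIGH expands to, so non_aead_suites() will list any other CBC suites (for example DHE or ECDSA variants) the build still offers, which is what the scanner would be compared against after the change. The same check applies to the Kibana and Elasticsearch lists once their IANA-style names are mapped to OpenSSL names.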

