Disabling TLS 1.1 from Dashboard


Pedro Ribeiro

Nov 1, 2022, 2:57:11 PM
to Wazuh mailing list
Hello, 

We are doing a compliance assessment, and one of the points is to disable old ciphers like TLS 1.0 and TLS 1.1. When I run sslscan from my Kali box directly against my address, I receive this information:

##################################

Testing SSL server XX.XX.XX.XX on port 443 using SNI name XX.XX.XX.XX

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   enabled

TLSv1.2   enabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLSv1.2 not vulnerable to heartbleed
TLSv1.1 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve 25519 DHE 253

##################################

I tried to follow the documentation from OpenSearch about it (https://opensearch.org/docs/latest/security-plugin/configuration/tls/#advanced-enabled-ciphers-and-protocols), but the output was that only TLS 1.2 was enabled:

plugins.security.ssl.http.enabled_ciphers:
  - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
  - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
  - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
  - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
plugins.security.ssl.http.enabled_protocols:
  - "TLSv1.2"

How can we fully disable TLS 1.1?

Regards.
Pedro Ribeiro  

Tomas Benitez Vescio

Nov 1, 2022, 3:28:12 PM
to Wazuh mailing list
Hi,

Thanks for using Wazuh!

If you want to disable the use of TLS 1.1, you should make sure you have the following configuration:

Wazuh Indexer ( /etc/wazuh-indexer/opensearch.yml )

plugins.security.ssl.http.enabled_protocols:
  - "TLSv1.2"

plugins.security.ssl.transport.enabled_protocols:
  - "TLSv1.2"

Wazuh Dashboard ( /etc/wazuh-dashboard/opensearch_dashboards.yml )

server.ssl.supportedProtocols: ["TLSv1.2"]

If you make any changes to any configuration file, make sure to restart that instance.

Regards.

Pedro Ribeiro

Nov 1, 2022, 5:35:41 PM
to Wazuh mailing list
@tomas thank you for your help. I made the changes you described and restarted the Wazuh Indexer and Dashboard services.

Randy Phookun

Feb 27, 2023, 7:38:37 PM
to Wazuh mailing list
Hello, TLS 1.1 has been disabled via:

Wazuh Dashboard ( /etc/wazuh-dashboard/opensearch_dashboards.yml )
server.ssl.supportedProtocols: ["TLSv1.2"]

How do I set the supported cipher list to include ONLY:
["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]

What is a valid variable for this in /etc/wazuh-dashboard/opensearch_dashboards.yml ??

We have a compliance requirement to LIMIT all TLSv1.2 supported cipher suites to:
["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]

A quick test of the same FQDN for our Wazuh by SSL Labs indicates a whole bunch of weak ciphers are enabled that TLSv1.2 has always included for backward compatibility.

Randy Phookun

Feb 27, 2023, 7:51:00 PM
to Wazuh mailing list
Wazuh version 4.3.10, if that helps.
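Both questions in this thread (Pedro's "is TLS 1.1 really off?" and Randy's "are only these two suites offered?") come down to re-scanning after the config change and comparing the result with the allow-list. One practical snag is that sslscan prints OpenSSL cipher names (ECDHE-RSA-AES128-GCM-SHA256) while opensearch.yml's enabled_ciphers takes IANA names (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), so a side-by-side comparison needs a name conversion. The script below is an added example written for this editing pass; it is not code from the thread, from Wazuh or from OpenSearch. It parses the text sslscan prints, converts the common ECDHE/DHE/RSA AES and ChaCha20 suite names, and reports every enabled protocol and suite outside the allow-list. The sample scan text is constructed to mirror the first post; the ALLOWED_* sets are the thread's own targets (TLS 1.2 only, the two ECDHE-RSA GCM suites), and the hypothetical audit()/openssl_to_iana() helpers are mine.

```python
"""Audit an sslscan report against a TLS protocol and cipher allow-list.

Added example (not part of the original thread, nor Wazuh/OpenSearch code).
"""
import re

# Constructed sample modelled on the scan output pasted in the first post.
SAMPLE_SCAN = """\
Testing SSL server XX.XX.XX.XX on port 443 using SNI name XX.XX.XX.XX

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   enabled
TLSv1.2   enabled
TLSv1.3   disabled

  Heartbleed:
TLSv1.2 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve 25519 DHE 253
"""

# Targets taken from the thread: TLS 1.2 only (1.3 is fine if offered), and
# the two ECDHE-RSA GCM suites in IANA form, as opensearch.yml expects them.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
ALLOWED_CIPHERS = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

_PROTO_RE = re.compile(r"^(SSLv[23]|TLSv1\.[0-3])\s+(enabled|disabled)\s*$", re.M)
_CIPHER_RE = re.compile(r"^(?:Preferred|Accepted)\s+(TLSv1\.[0-3])\s+(\d+) bits\s+(\S+)", re.M)

# OpenSSL suite names for the ECDHE/DHE/RSA families with AES-GCM, AES-CBC
# and ChaCha20-Poly1305. Anything else (RC4, 3DES, NULL, ...) maps to None so
# the audit flags it for manual review instead of silently passing it.
_OPENSSL_RE = re.compile(
    r"^(?:(?P<kx>ECDHE|DHE)-(?P<auth>RSA|ECDSA)-)?"
    r"(?P<enc>AES(?P<bits>128|256)(?P<gcm>-GCM)?|CHACHA20-POLY1305)"
    r"(?:-SHA(?P<mac>256|384)?)?$"
)


def openssl_to_iana(name):
    """Convert an OpenSSL cipher name to its IANA/Java name, or None if unknown."""
    if name.startswith("TLS_"):          # TLS 1.3 suites are already IANA-style
        return name
    m = _OPENSSL_RE.match(name)
    if not m:
        return None
    kx = f"{m['kx']}_{m['auth']}" if m["kx"] else "RSA"   # bare AES128-SHA = RSA kx
    if m["enc"].startswith("AES"):
        enc = f"AES_{m['bits']}_{'GCM' if m['gcm'] else 'CBC'}"
        mac = m["mac"] or ""             # "" -> SHA, "256" -> SHA256, "384" -> SHA384
    else:
        enc, mac = "CHACHA20_POLY1305", "256"   # IANA name always carries _SHA256
    return f"TLS_{kx}_WITH_{enc}_SHA{mac}"


def parse_scan(text):
    """Return ({protocol: enabled}, [(protocol, bits, openssl_name), ...])."""
    protocols = {p: state == "enabled" for p, state in _PROTO_RE.findall(text)}
    ciphers = [(p, int(bits), name) for p, bits, name in _CIPHER_RE.findall(text)]
    return protocols, ciphers


def audit(text, allowed_protocols=ALLOWED_PROTOCOLS, allowed_ciphers=ALLOWED_CIPHERS):
    """List every enabled protocol or offered suite that violates the allow-list."""
    protocols, ciphers = parse_scan(text)
    findings = []
    for proto, enabled in protocols.items():
        if enabled and proto not in allowed_protocols:
            findings.append(f"protocol {proto} is enabled")
    for proto, bits, name in ciphers:
        iana = openssl_to_iana(name)
        if iana is None:
            findings.append(f"cipher {name} ({proto}, {bits} bits) unrecognised; review manually")
        elif iana not in allowed_ciphers:
            findings.append(f"cipher {name} ({proto}) = {iana} is outside the allow-list")
    return findings


if __name__ == "__main__":
    # Usage: sslscan host:443 > scan.txt; python audit.py < scan.txt
    import sys
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCAN
    for line in audit(report) or ["scan matches the allow-list"]:
        print(line)
```

Run against the thread's own scan it reports three findings: TLSv1.1 enabled, and the two CBC suites (ECDHE-RSA-AES128-SHA256 and ECDHE-RSA-AES256-SHA384) offered beyond the two GCM suites Randy wants. Re-run it after changing the indexer and dashboard configuration and restarting both services; an empty findings list is the evidence the compliance assessment is after.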