wazuh-api TLS configuration - enabling TLSv1.3 #7340

Open
artur-borys opened this issue May 27, 2024 · 1 comment

Comments

@artur-borys

Hi!

Thanks for your great work!

I'm creating an alternative ansible-playbook for installing wazuh (for learning purposes and also finding if there's anything to be improved) and right now I'm focusing on security hardening. Part of that hardening is configuring the enabled TLS ciphersuites and TLS version.

I see that in the documentation for wazuh-api, you're only mentioning TLS versions up to TLSv1.2. I know that this is probably coming from how Python is handling TLS version configuration, where it doesn't provide a way to explicitly enable TLSv1.3 (https://docs.python.org/3/library/ssl.html#ssl.SSLContext). Python seems to follow the system-wide OpenSSL configuration, mainly the MinProtocol parameter (it seems like MaxProtocol can be overridden in SSLContext).

The OS where I'm deploying Wazuh has MinProtocol set to TLSv1.2 - still secure nowadays.

The default value for https.ssl_protocol in api.yaml is TLSv1.2, which seems to disable TLSv1.3.

I've discovered that I can set it to "TLS" instead, and Python will follow openssl system-wide configuration, which is >= TLSv1.2 and <= TLSv1.3.

All of this revolves around how the OS crypto-policies are configured.

I guess it would be nice to mention this somewhere in the documentation, e.g.:

To enable TLSv1.3, set https.ssl_protocol to "TLS". Keep in mind that Python (which is the language that wazuh-api is written in) follows the OpenSSL system-wide configuration. Make sure that the OpenSSL MinProtocol parameter is configured to the lowest SSL/TLS version you want to support. Currently, TLSv1.2 is the oldest recommended version of SSL/TLS. If you're using a recent release of any major Linux distribution, OpenSSL should already be configured to allow only >=TLSv1.2. On major Linux distributions, this is configured by crypto-policies. Nowadays, the DEFAULT policy allows TLSv1.2 and TLSv1.3. To verify, check if /etc/crypto-policies/back-ends/opensslcnf.config contains the *.MinProtocol and *.MaxProtocol parameters that you wish to use (recommended MinProtocol = TLSv1.2 and MaxProtocol = TLSv1.3). Refer to man crypto-policies for more information.

NOTE: The same probably applies to wazuh-authd, but I have yet to take a look at that.

@artur-borys
Author

I see that it might've been dealt with in commit wazuh/wazuh@eef6b39, where there's a new value for this parameter, "auto", which means using ssl.PROTOCOL_TLS_SERVER for the SSLContext. In that case, I guess the documentation will also be updated.
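The behaviour discussed in the issue and in the follow-up comment, as an added example that is not Wazuh's own code: a "TLSv1.2" setting pins the server context to exactly TLS 1.2, while "TLS"/"auto" builds a ssl.PROTOCOL_TLS_SERVER context whose version window follows OpenSSL's MinProtocol/MaxProtocol, and a small check lists which versions the resulting context would negotiate. The `build_api_context`, `negotiable_versions`, `hardening_findings` functions and the `floor` parameter are hypothetical names introduced here.

```python
import ssl
from typing import List, Optional

# TLS versions the ssl module can express, lowest to highest (SSLv3 deliberately omitted),
# and whether the linked OpenSSL was built with each one.
_ORDER = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
          ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
_HAS = {ssl.TLSVersion.TLSv1: ssl.HAS_TLSv1, ssl.TLSVersion.TLSv1_1: ssl.HAS_TLSv1_1,
        ssl.TLSVersion.TLSv1_2: ssl.HAS_TLSv1_2, ssl.TLSVersion.TLSv1_3: ssl.HAS_TLSv1_3}


def build_api_context(ssl_protocol: str,
                      floor: Optional[ssl.TLSVersion] = None) -> ssl.SSLContext:
    """Mimic the two https.ssl_protocol settings discussed in the issue (hypothetical helper).

    "TLS" / "auto": PROTOCOL_TLS_SERVER; min/max are left to OpenSSL, i.e. to
                    MinProtocol/MaxProtocol from crypto-policies, so TLS 1.3 is possible.
    "TLSv1.2":      the window is pinned to exactly TLS 1.2, so TLS 1.3 is never offered.
    `floor` pins a minimum explicitly so hardening no longer depends on the OS policy.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # no min/max set: OpenSSL config applies
    if ssl_protocol == "TLSv1.2":
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    elif ssl_protocol not in ("TLS", "auto"):
        raise ValueError(f"unsupported ssl_protocol: {ssl_protocol}")
    if floor is not None:
        ctx.minimum_version = floor
    return ctx


def negotiable_versions(ctx: ssl.SSLContext) -> List[ssl.TLSVersion]:
    """Resolve the context's [minimum_version, maximum_version] window to concrete versions."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    lo_i = _ORDER.index(lo) if lo in _ORDER else 0                 # MINIMUM_SUPPORTED -> lowest
    hi_i = _ORDER.index(hi) if hi in _ORDER else len(_ORDER) - 1   # MAXIMUM_SUPPORTED -> highest
    return [v for v in _ORDER[lo_i:hi_i + 1] if _HAS[v]]


def hardening_findings(ctx: ssl.SSLContext) -> List[str]:
    """What a reviewer would flag: legacy versions still negotiable, or TLS 1.3 not offered."""
    offered = negotiable_versions(ctx)
    findings = [f"{v.name} is negotiable; raise OpenSSL MinProtocol or pin minimum_version"
                for v in offered if v < ssl.TLSVersion.TLSv1_2]
    if ssl.TLSVersion.TLSv1_3 not in offered:
        findings.append("TLSv1.3 is not offered; use TLS/auto and check OpenSSL MaxProtocol")
    return findings
```

Running `hardening_findings(build_api_context("TLS"))` on a host reports whatever the local crypto-policies leave open, which is the check the issue suggests doing against opensslcnf.config.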
