I'm creating an alternative ansible-playbook for installing wazuh (for learning purposes and also finding if there's anything to be improved) and right now I'm focusing on security hardening. Part of that hardening is configuring the enabled TLS ciphersuites and TLS version.
I see that in the documentation for wazuh-api, you're only mentioning TLS versions up to TLSv1.2. I know that this is probably coming from how Python handles TLS version configuration, where it doesn't provide a way to explicitly enable TLSv1.3 (https://docs.python.org/3/library/ssl.html#ssl.SSLContext). Python seems to follow the system-wide OpenSSL configuration, mainly the MinProtocol parameter (it seems the MaxProtocol can be overridden in SSLContext).
The OS where I'm deploying Wazuh has MinProtocol set to TLSv1.2 - still secure nowadays.
The default value for https.ssl_protocol in api.yaml is TLSv1.2, which seems to disable TLSv1.3.
I've discovered that I can set it to "TLS" instead, and Python will follow the OpenSSL system-wide configuration, which is >= TLSv1.2 and <= TLSv1.3.
All of this revolves around how the OS crypto-policies are configured.
I guess it would be nice to mention this somewhere in the documentation, i.e.:
To enable TLSv1.3, set https.ssl_protocol to "TLS". Keep in mind that Python (which is the language that wazuh-api is written in) follows the OpenSSL system-wide configuration. Make sure that the OpenSSL MinProtocol parameter is configured to the lowest SSL/TLS version you want to support. Currently, TLSv1.2 is the oldest recommended version of SSL/TLS. If you're using a recent release of any major Linux distribution, OpenSSL should already be configured to allow only >= TLSv1.2. On major Linux distributions, this is configured by crypto-policies. Nowadays, the DEFAULT policy allows TLSv1.2 and TLSv1.3. To verify, check if /etc/crypto-policies/back-ends/opensslcnf.config contains the *.MinProtocol and *.MaxProtocol parameters that you wish to use (recommended MinProtocol = TLSv1.2 and MaxProtocol = TLSv1.3). Refer to man crypto-policies for more information.
NOTE: The same probably applies to wazuh-authd, but I have yet to take a look at that.
I see that it might've been dealt with in commit wazuh/wazuh@eef6b39, where there's a new value for this parameter, "auto", which means using ssl.PROTOCOL_TLS_SERVER for the SSLContext. In that case, I guess the documentation will also be updated.
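The following is an added example, not code from the Wazuh project or from the issue author. It demonstrates the two points raised above: parsing the crypto-policies OpenSSL back-end file for `*.MinProtocol` / `*.MaxProtocol` and checking them against the recommended TLSv1.2 floor, and how a `PROTOCOL_TLS_SERVER` context (the "TLS"/"auto" style setting) differs from a context pinned to a single version. The mapping in `build_api_context` from `https.ssl_protocol` values to `SSLContext` settings is a hypothetical stand-in for whatever Wazuh's API does internally (the single-version pin is expressed with `minimum_version`/`maximum_version` rather than the deprecated `ssl.PROTOCOL_TLSv1_2` constant), and both policy files are constructed samples that only imitate the layout of `/etc/crypto-policies/back-ends/opensslcnf.config`.

```python
import ssl

# Constructed sample imitating the layout of
# /etc/crypto-policies/back-ends/opensslcnf.config under the DEFAULT policy
# (not copied from a real host; cipher lists shortened).
SAMPLE_DEFAULT_POLICY = """\
CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:!aNULL:!eNULL
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
TLS.MinProtocol = TLSv1.2
TLS.MaxProtocol = TLSv1.3
DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
"""

# Constructed sample of a relaxed policy whose floor would let TLSv1.0 through.
SAMPLE_LAX_POLICY = """\
TLS.MinProtocol = TLSv1
TLS.MaxProtocol = TLSv1.3
"""

VERSION_BY_NAME = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
RECOMMENDED_MIN = ssl.TLSVersion.TLSv1_2


def parse_protocol_bounds(config_text):
    """Collect <scope>.MinProtocol / <scope>.MaxProtocol from an opensslcnf.config-style text.

    Returns e.g. {"TLS": {"MinProtocol": "TLSv1.2", "MaxProtocol": "TLSv1.3"}, "DTLS": {...}}.
    Comments and keys without a scope prefix (CipherString, Ciphersuites) are skipped.
    """
    bounds = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        scope, _, name = key.partition(".")
        if name in ("MinProtocol", "MaxProtocol"):
            bounds.setdefault(scope, {})[name] = value
    return bounds


def policy_findings(bounds):
    """Return a list of problems with the TLS bounds; an empty list means the policy is fine."""
    findings = []
    tls = bounds.get("TLS", {})
    min_name, max_name = tls.get("MinProtocol"), tls.get("MaxProtocol")
    if min_name is None:
        findings.append("TLS.MinProtocol is not set; OpenSSL's built-in default applies")
    elif min_name not in VERSION_BY_NAME:
        findings.append(f"TLS.MinProtocol={min_name!r} is not a TLS version name")
    elif VERSION_BY_NAME[min_name] < RECOMMENDED_MIN:
        findings.append(f"TLS.MinProtocol={min_name} permits versions older than TLSv1.2")
    if max_name is not None and max_name not in VERSION_BY_NAME:
        findings.append(f"TLS.MaxProtocol={max_name!r} is not a TLS version name")
    elif max_name is not None and VERSION_BY_NAME[max_name] < ssl.TLSVersion.TLSv1_3:
        findings.append(f"TLS.MaxProtocol={max_name} keeps TLSv1.3 disabled")
    return findings


def build_api_context(ssl_protocol, bounds=None):
    """Hypothetical mapping from an api.yaml https.ssl_protocol value to a server SSLContext.

    "TLS" / "auto": PROTOCOL_TLS_SERVER negotiates the highest version both peers
    support; the crypto-policy floor is applied explicitly and never lowered below
    TLSv1.2, while the ceiling is left to OpenSSL's system-wide MaxProtocol.
    "TLSv1.2" (or another single version): pinned to exactly that version, which is
    what a fixed ssl_protocol value amounts to and why TLSv1.3 stays disabled.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if ssl_protocol in ("TLS", "auto"):
        policy_min = (bounds or {}).get("TLS", {}).get("MinProtocol")
        floor = VERSION_BY_NAME.get(policy_min, RECOMMENDED_MIN)
        ctx.minimum_version = max(floor, RECOMMENDED_MIN)
    elif ssl_protocol in VERSION_BY_NAME:
        ctx.minimum_version = VERSION_BY_NAME[ssl_protocol]
        ctx.maximum_version = VERSION_BY_NAME[ssl_protocol]
    else:
        raise ValueError(f"unsupported https.ssl_protocol value: {ssl_protocol!r}")
    return ctx


def negotiable_versions(ctx):
    """Names of the TLS versions the context's min/max bounds would allow, ascending."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3 if ssl.HAS_TLSv1_3 else ssl.TLSVersion.TLSv1_2
    return [name for name, ver in VERSION_BY_NAME.items() if lo <= ver <= hi]


if __name__ == "__main__":
    for label, text in (("DEFAULT", SAMPLE_DEFAULT_POLICY), ("LAX", SAMPLE_LAX_POLICY)):
        bounds = parse_protocol_bounds(text)
        print(label, bounds.get("TLS"), policy_findings(bounds) or "OK")
        print("  auto ->", negotiable_versions(build_api_context("auto", bounds)))
    print("TLSv1.2 pin ->", negotiable_versions(build_api_context("TLSv1.2")))
```

On a host that uses crypto-policies, `parse_protocol_bounds(open("/etc/crypto-policies/back-ends/opensslcnf.config").read())` replaces the constructed sample; a non-empty `policy_findings` result is the signal that the OS floor, not the API setting, is what needs fixing. The `negotiable_versions` helper only reports the context's configured bounds; the version actually negotiated on a real connection still depends on OpenSSL's system-wide ceiling and on the peer.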