search

cea-sec / openwec

An implementation of a Windows Event Collector server running on GNU/Linux.
GNU General Public License v3.0
42 stars 18 forks source link

Any chance of configuring rustls to support Windows 7 supported Cipher Suites #137

Open z3ndrag0n opened 1 month ago

z3ndrag0n commented 1 month ago

Windows 7 does support TLS 1.2 however the only cipher suites supported are the following (which means the TLS 1.2 handshake fails) is there any way to support additional cipher suites in rustls (or use native-tls) for openwec? image

vruello commented 1 month ago

Hi!

I'm not an expert on this subject.

Did you try to follow the instructions written in the documentation about TLS? There is a script example to generate certificates that should be compatible with old versions of Windows (especially Windows 7), using TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 or TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suites.

The cipher suites you listed seem very incomplete to me, even for Windows 7 (see TLS Cipher Suites in Windows 7). Maybe you are missing some KB?

z3ndrag0n commented 1 month ago

You're 100% right - with the appropriate patch(es) for TLS 1.2 on Windows 7 I do indeed get a Server Hello with an agreed cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, and a certificate request, however Windows 7 immediately tears down the connection. I'll go hunting.

z3ndrag0n commented 1 month ago

Ok so what seems to happen is that Windows 7 does not present its certificate (the response to the Certificate request is 187 bytes) and the Server then tears down the connection with a Fatal Alert Certificate Required. (And OpenWEC agrees: its corresponding syslog entry is "Jun 11 09:33:16 debian-12-lc openwecd[22803]: 2024-06-11T09:33:16.820272364+00:00 WARN server - Error while establishing a connection: TlsAcceptError { error: Custom { kind: InvalidData, error: NoCertificatesPresented }, peer_addr: 192.168.186.130:49337 }"

vruello commented 1 month ago

Hi! You should make sure that the client is configured correctly , especially that the Network Service account (or the WinRM service account) is allowed to retrieve the private key of the client's authentication certificate.

You should also check Windows Events from Eventlog-ForwardingPlugin (Operational) and Windows Remote Management (Analytics, needs to be enabled in the View drop-down).