ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

sslv3 alert handshake failure #2100

Open benAppB opened 9 months ago

benAppB commented 9 months ago

I followed the instructions for installing OSSEC.

We are looking to have the agents verify the CA cert that the server is going to use to establish communication, so as to have the agents register themselves without a pre-existing key-pair for each agent, as the agents will be ephemeral servers and will be rotated periodically.

So with that said, I've been following the instructions where we generate a CA cert and run ossec-authd with the `-v` option.

Example: `/var/ossec/bin/ossec-authd -v /var/ossec/etc/myCA.cert -d`

The CA file looks fine when I run openssl to verify it.

I've been recreating the error via `openssl s_client -host 10.211.55.8 -port 1515 -debug -trace`:

```
write to 0xaaab0a0d0ea0 [0xaaab0a0e2160] (105 bytes => 105 (0x69))
0000 - 16 03 03 00 07 0b 00 00-03 00 00 00 16 03 03 00   ................
0010 - 25 10 00 00 21 20 1e 82-bb b9 4f 5f c6 ec 51 34   %...! ....O_..Q4
0020 - 6e 1a dd e4 8a 0f 0b b9-bc 12 f0 66 fb 47 6d f8   n..........f.Gm.
0030 - 45 51 25 2f cb 22 14 03-03 00 01 01 16 03 03 00   EQ%/."..........
0040 - 28 e1 6c 0b 70 63 7a 70-a9 b3 e2 f1 44 fa a2 7b   (.l.pczp....D..{
0050 - 25 01 44 bc 86 fa 04 2b-eb 0d 91 23 c0 ff 98 bc   %.D....+...#....
0060 - 43 37 4a 5f 55 86 0a 4d-5f                        C7JU..M
read from 0xaaab0a0d0ea0 [0xaaab0a0d8f43] (5 bytes => 5 (0x5))
0000 - 15 03 03 00 02                                    .....
Received Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = Alert (21)
  Length = 2
read from 0xaaab0a0d0ea0 [0xaaab0a0d8f48] (2 bytes => 2 (0x2))
0000 - 02 28                                             .(
    Level=fatal(2), description=handshake failure(40)

20506FABFFFF0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1584:SSL alert number 40
```

I've been testing OSSEC 3.7, on Ubuntu 22.04 and 20.04 as the HUB. I've done this using a Parallels VM on an M1 (arm64) and we've also experienced this within AWS on an amd64 Ubuntu 22.04 image.

So unless I am somehow really incorrectly generating my CA or sslmanager.cert (which I am signing with the CA cert) then I don't understand what I've got borked.

The CA has been added using the update-ca-certificates command on the server/hub and the agent.

I tried this with the master version of ossec-hids and the specific 3.7.0 branch. We also experienced this with the 22.04 rpm.
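As an added example (not from the issue and not OSSEC project code), the script below decodes the two record flights captured in the s_client trace above, using the bytes transcribed from that dump: the client's flight ends with a Certificate message carrying an empty certificate list, and the server answers with a fatal `handshake_failure` (40) alert. The constant and function names are this example's own.

```python
"""Decode the TLS records from the openssl s_client trace in the issue."""

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 16: "ClientKeyExchange", 20: "Finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}

# Bytes transcribed from the trace: the 105-byte client flight and the 7-byte server
# reply (its two reads of 5 and 2 bytes joined). The constant names are this example's.
CLIENT_FLIGHT = bytes.fromhex(
    "16030300070b000003000000"                                  # Certificate record
    "16030300251000002120"                                      # ClientKeyExchange record
    "1e82bbb94f5fc6ec51346e1adde48a0f0bb9bc12f066fb476df84551252fcb22"
    "140303000101"                                              # ChangeCipherSpec record
    "1603030028e16c0b70637a70a9b3e2f144faa27b250144bc86fa042b"  # encrypted Finished
    "eb0d9123c0ff98bc43374a5f55860a4d5f"
)
SERVER_REPLY = bytes.fromhex("15030300020228")


def describe_handshake(body: bytes) -> str:
    """Describe one plaintext handshake message; flag an empty Certificate message."""
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    name = HANDSHAKE_TYPES.get(htype, f"handshake({htype})")
    if htype == 11:
        cert_list_len = int.from_bytes(body[4:7], "big")  # 3-byte certificate_list length
        if cert_list_len == 0:
            return "Certificate (empty: the client presented no certificate)"
        return f"Certificate ({cert_list_len} bytes of certificates)"
    return f"{name} ({hlen} bytes)"


def parse_records(data: bytes) -> list[str]:
    """Walk the TLS record layer; after ChangeCipherSpec every body is opaque ciphertext."""
    out, pos, encrypted = [], 0, False
    while pos < len(data):
        ctype, length = data[pos], int.from_bytes(data[pos + 3:pos + 5], "big")
        if pos + 5 > len(data) or pos + 5 + length > len(data):
            raise ValueError(f"truncated record at offset {pos}")
        body = data[pos + 5:pos + 5 + length]
        if ctype == 20:
            out.append("ChangeCipherSpec")
            encrypted = True
        elif ctype == 21 and not encrypted:
            level, desc = body  # a plaintext alert is exactly two bytes
            out.append(f"Alert {ALERT_LEVELS.get(level, level)} {ALERT_DESCRIPTIONS.get(desc, desc)}({desc})")
        elif ctype == 22 and not encrypted:
            out.append(describe_handshake(body))
        else:
            out.append(f"{CONTENT_TYPES.get(ctype, 'other')} ({length} encrypted bytes)")
        pos += 5 + length
    return out
```

Running `parse_records` over both flights lists the client's four records and then the single fatal alert, which is what the trace shows without needing to read the hex by hand.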