wazuh / wazuh-documentation

Wazuh - Project documentation
https://wazuh.com

wazuh-api TLS configuration - enabling TLSv1.3 #7340

Open artur-borys opened 6 months ago

artur-borys commented 6 months ago

Hi!

Thanks for your great work!

I'm creating an alternative ansible-playbook for installing wazuh (for learning purposes and also finding if there's anything to be improved) and right now I'm focusing on security hardening. Part of that hardening is configuring the enabled TLS ciphersuites and TLS version.

I see that in the documentation for wazuh-api, you're only mentioning TLS versions up to TLSv1.2. I know that this is probably coming from how Python is handling TLS version configuration, where it doesn't provide a way to explicitly enable TLSv1.3 (https://docs.python.org/3/library/ssl.html#ssl.SSLContext). Python seems to follow the system-wide OpenSSL configuration, mainly the MinProtocol parameter (it seems like the MaxProtocol can be overridden in SSLContext).

The OS where I'm deploying Wazuh has MinProtocol set to TLSv1.2 - still secure nowadays.

The default value for https.ssl_protocol in api.yaml is TLSv1.2, which seems to disable TLSv1.3.

I've discovered that I can set it to "TLS" instead, and Python will follow openssl system-wide configuration, which is >= TLSv1.2 and <= TLSv1.3.

All of this revolves around how OS crypto-policies is configured.

I guess it would be nice to mention this somewhere in the documentation, i.e.:

To enable TLSv1.3, set the https.ssl_protocol to "TLS". Keep in mind that Python (which is the language that wazuh-api is written in) follows the OpenSSL system-wide configuration. Make sure that the OpenSSL MinProtocol parameter is configured to the lowest SSL/TLS version you want to support. Currently, TLSv1.2 is the oldest recommended version of SSL/TLS. If you're using a recent release of any major Linux distribution, OpenSSL should already be configured to allow only >=TLSv1.2. On major Linux distributions, this is configured by crypto-policies. Nowadays, the DEFAULT policy allows TLSv1.2 and TLSv1.3. To verify, check if /etc/crypto-policies/back-ends/opensslcnf.config contains the *.MinProtocol and *.MaxProtocol parameters that you wish to use (recommended MinProtocol = TLSv1.2 and MaxProtocol = TLSv1.3). Refer to man crypto-policies for more information.

NOTE: The same probably applies to wazuh-authd, but I have yet to take a look at that

artur-borys commented 6 months ago

I see that it might've been dealt with in commit https://github.com/wazuh/wazuh/commit/eef6b39bc2d1d1f3e6f4b8adfada8debb577b81e, where there's a new value for this parameter - "auto", which means using ssl.PROTOCOL_TLS_SERVER for the SSLContext. In that case, I guess the documentation will also be updated
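The two comments above describe a mechanism that is easy to see in a few lines of Python: the fixed-version `https.ssl_protocol: TLSv1.2` value becomes a `PROTOCOL_TLSv1_2` context whose version range cannot be changed (so TLS 1.3 is never negotiated), whereas `TLS` and the newer `auto` value become `PROTOCOL_TLS` / `PROTOCOL_TLS_SERVER` contexts that take their Min/MaxProtocol from the OpenSSL configuration and can be pinned from Python. The following is an added example, not code from the Wazuh API or its documentation. The mapping of api.yaml values to `ssl` constants is taken from the issue text and is an assumption about the API's internals; the crypto-policies sample text is constructed here and modelled on the `TLS.MinProtocol = ...` line layout of `opensslcnf.config` on RHEL-family systems, which may differ on other distributions.

```python
"""Added example: how an https.ssl_protocol value turns into a Python SSLContext,
and a check of the crypto-policies bounds that a PROTOCOL_TLS/PROTOCOL_TLS_SERVER
context inherits from OpenSSL. Illustrative code, not the Wazuh API's own."""
import os
import re
import ssl
import warnings

# Assumed mapping of api.yaml values to ssl module constants (from the issue text).
PROTOCOL_BY_SETTING = {
    "TLSv1.2": ssl.PROTOCOL_TLSv1_2,   # fixed version: TLS 1.3 is never negotiated
    "TLS": ssl.PROTOCOL_TLS,           # version range comes from the OpenSSL config
    "auto": ssl.PROTOCOL_TLS_SERVER,   # same, with server-side defaults (the "auto" commit)
}


def build_context(ssl_protocol: str) -> ssl.SSLContext:
    """Create the SSLContext that the given https.ssl_protocol value implies."""
    try:
        proto = PROTOCOL_BY_SETTING[ssl_protocol]
    except KeyError:
        raise ValueError(f"unsupported https.ssl_protocol: {ssl_protocol!r}") from None
    with warnings.catch_warnings():
        # PROTOCOL_TLS and PROTOCOL_TLSv1_2 emit DeprecationWarning on Python 3.10+
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.SSLContext(proto)


def can_pin_versions(ctx: ssl.SSLContext) -> bool:
    """True when minimum_version/maximum_version may be set on this context.

    Only PROTOCOL_TLS, PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER allow it;
    a fixed-version context such as PROTOCOL_TLSv1_2 raises ValueError.
    """
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    except ValueError:
        return False
    return True


# --- crypto-policies side ---------------------------------------------------
# Matches lines such as "TLS.MinProtocol = TLSv1.2" in
# /etc/crypto-policies/back-ends/opensslcnf.config (RHEL-style layout; assumed).
_BOUND_RE = re.compile(
    r"^\s*(?P<scope>[A-Za-z]+)\.(?P<key>MinProtocol|MaxProtocol)\s*=\s*(?P<val>\S+)\s*$"
)
TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_protocol_bounds(config_text: str) -> dict:
    """Return {(scope, key): version} for every Min/MaxProtocol line in the text."""
    bounds = {}
    for line in config_text.splitlines():
        m = _BOUND_RE.match(line)
        if m:
            bounds[(m["scope"], m["key"])] = m["val"]
    return bounds


def tls_range_ok(bounds: dict, floor: str = "TLSv1.2", ceiling: str = "TLSv1.3") -> bool:
    """True if TLS.MinProtocol is at least `floor` and TLS.MaxProtocol reaches `ceiling`."""
    lo = bounds.get(("TLS", "MinProtocol"))
    hi = bounds.get(("TLS", "MaxProtocol"))
    if lo not in TLS_ORDER or hi not in TLS_ORDER:
        return False
    lo_i, hi_i = TLS_ORDER.index(lo), TLS_ORDER.index(hi)
    return TLS_ORDER.index(floor) <= lo_i <= hi_i and hi_i >= TLS_ORDER.index(ceiling)


def read_system_bounds(path: str = "/etc/crypto-policies/back-ends/opensslcnf.config") -> dict:
    """Parse the live policy file; empty dict if this host has no crypto-policies."""
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        return parse_protocol_bounds(fh.read())


# Constructed sample inputs (not copied from any real host).
SAMPLE_DEFAULT_POLICY = """\
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
TLS.MinProtocol = TLSv1.2
TLS.MaxProtocol = TLSv1.3
DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
"""
SAMPLE_LEGACY_POLICY = """\
TLS.MinProtocol = TLSv1
TLS.MaxProtocol = TLSv1.3
"""

if __name__ == "__main__":
    for setting in PROTOCOL_BY_SETTING:
        ctx = build_context(setting)
        print(f"{setting:8} -> {ctx.protocol.name}, versions pinnable: {can_pin_versions(ctx)}")
    print("TLS 1.3 compiled into this Python/OpenSSL:", ssl.HAS_TLSv1_3)
    print("sample DEFAULT policy ok:", tls_range_ok(parse_protocol_bounds(SAMPLE_DEFAULT_POLICY)))
    print("sample LEGACY policy ok:", tls_range_ok(parse_protocol_bounds(SAMPLE_LEGACY_POLICY)))
    print("this host:", read_system_bounds() or "no crypto-policies file")
```

Run on the manager host, the script shows which contexts accept a pinned minimum version and whether the host's crypto-policies file keeps the range the comment recommends (MinProtocol TLSv1.2, MaxProtocol TLSv1.3); `ssl.HAS_TLSv1_3` is the quick check that the Python build can negotiate TLS 1.3 at all.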