Add Server Certificate Validation to Wazuh Agent #389

Open
vikman90 opened this issue Dec 5, 2024 · 1 comment · May be fixed by #444
vikman90 commented Dec 5, 2024

Description

Currently, the Wazuh Agent supports communication over HTTP and HTTPS but does not validate the server's SSL/TLS certificate. This lack of validation introduces potential security risks, such as exposure to man-in-the-middle attacks. To mitigate these risks, we propose adding functionality for certificate validation to the agent.

Proposed Changes

We will enhance the agent to:

  1. Validate that the server certificate is signed by a trusted Certificate Authority (CA) installed in the system's standard directories.
  2. Ensure the server's hostname matches the Subject Alternative Name (SAN) or Common Name (CN) in the server certificate.

New Configuration Parameter

Introduce a new configuration parameter in the agent.yml file to control the verification behavior:

agent:
  verification_mode: full

Possible Values:

  • full (default):
    • Validates that the server certificate is signed by a trusted CA.
    • Ensures the server hostname matches the certificate's SAN or CN.
  • certificate:
    • Validates that the server certificate is signed by a trusted CA.
    • Does not validate the server hostname.
  • none:
    • Disables all certificate validation.
    • No checks are performed on the certificate's CA signature or the server hostname.
      Note: This mode disables critical SSL/TLS security features and is not recommended for production environments.
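As an added example (not code from the issue or from the wazuh-agent code base), the following C++ shows how the three proposed values map to a verification policy and how the hostname check required by the full mode can be implemented against the certificate's SAN entries and CN. The names VerificationMode, TlsPolicy, ParseVerificationMode, HostnameMatches and AcceptConnection are assumptions chosen for illustration; the CA chain result is taken as an input because that check belongs to the TLS library. Unknown configuration values fail closed, which is one way to satisfy the "fallback behavior when validation fails" task. Only DNS names are handled; for a server URL that uses an IP literal, the match must be made against iPAddress SAN entries instead.

```cpp
// Added example, not wazuh-agent code. All type and function names are assumptions.
#include <algorithm>
#include <cctype>
#include <optional>
#include <string>
#include <vector>

enum class VerificationMode { Full, Certificate, None };

struct TlsPolicy {
    bool verifyPeer;      // require a chain to a trusted CA in the system store
    bool verifyHostname;  // require a SAN/CN to match the server name
};

// Parses the agent.yml value (case-insensitive). Unknown values return nullopt
// so the caller can refuse to connect and log a clear message (fail closed).
std::optional<VerificationMode> ParseVerificationMode(std::string value) {
    std::transform(value.begin(), value.end(), value.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    if (value == "full") return VerificationMode::Full;
    if (value == "certificate") return VerificationMode::Certificate;
    if (value == "none") return VerificationMode::None;
    return std::nullopt;
}

// full: CA + hostname; certificate: CA only; none: no checks at all.
TlsPolicy PolicyFor(VerificationMode mode) {
    switch (mode) {
        case VerificationMode::Full:        return {true, true};
        case VerificationMode::Certificate: return {true, false};
        case VerificationMode::None:        return {false, false};
    }
    return {true, true};  // not reachable; defaults to the strictest policy
}

// Compares one presented name (a dNSName SAN or the CN) with the host the
// agent connected to. A single '*' is accepted only as the whole leftmost
// label and matches exactly one label: "*.example.com" matches
// "agent.example.com" but neither "example.com" nor "a.b.example.com".
bool HostnameMatches(std::string pattern, std::string host) {
    auto lower = [](std::string s) {
        std::transform(s.begin(), s.end(), s.begin(),
                       [](unsigned char c) { return std::tolower(c); });
        return s;
    };
    pattern = lower(pattern);
    host = lower(host);
    if (pattern == host) return true;
    if (pattern.rfind("*.", 0) != 0) return false;                 // wildcard only as the leftmost label
    if (pattern.find('*', 1) != std::string::npos) return false;   // at most one wildcard
    const std::string suffix = pattern.substr(1);                  // ".example.com"
    if (host.size() <= suffix.size()) return false;
    if (host.compare(host.size() - suffix.size(), suffix.size(), suffix) != 0) return false;
    const std::string leftmost = host.substr(0, host.size() - suffix.size());
    return !leftmost.empty() && leftmost.find('.') == std::string::npos;
}

// Decides whether a connection to `host` is acceptable under `mode`, given the
// names found in the certificate and the CA chain result from the TLS library.
// When dNSName SANs are present the CN is not consulted (RFC 6125 section 6.4.4).
bool AcceptConnection(VerificationMode mode, bool chainTrusted,
                      const std::vector<std::string>& sanNames,
                      const std::string& commonName, const std::string& host) {
    const TlsPolicy policy = PolicyFor(mode);
    if (policy.verifyPeer && !policy.verifyHostname && !chainTrusted) return false;
    if (policy.verifyPeer && !chainTrusted) return false;
    if (!policy.verifyHostname) return true;
    if (!sanNames.empty()) {
        return std::any_of(sanNames.begin(), sanNames.end(),
                           [&](const std::string& n) { return HostnameMatches(n, host); });
    }
    return HostnameMatches(commonName, host);
}
```

The split between PolicyFor and AcceptConnection keeps the configuration mapping separate from the matching rule, so a test for each mode (as listed under Testing) only needs to vary the inputs to AcceptConnection.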

Benefits

  • Enhanced Security: Prevents unauthorized servers from impersonating trusted endpoints.
  • Flexibility: Allows users to choose the appropriate level of validation for their use case.
  • Compliance: Meets industry standards for secure communications over SSL/TLS.

Tasks

  1. Update the Wazuh Agent to support certificate validation.
  2. Modify the configuration parser to include the new verification_mode parameter.
  3. Implement logic for certificate signature validation and hostname matching.
  4. Add fallback behavior when validation fails, including clear logging messages.

Testing

  • Unit tests for each verification mode (full, certificate, none).
  • Integration tests using mock servers with valid and invalid certificates.
  • Compatibility tests on supported platforms to ensure correct CA directory usage.
Nicogp commented Dec 11, 2024

Work update

2024/12/10

  • I started with the issue, analyzed the requirements.
  • I did some research on certificate validation certs with boost.
  • I did a little PoC but so far no success.

2024/12/11

  • I performed a PoC for all three cases, now the result was satisfactory.
  • For the cases where it must validate, the server certificate was added as valid in the agent.

2024/12/12

  • I have added the configuration option
  • I have added that the configuration is read from agent_register and from the communicator.

2024/12/16

  • I added a method to set the verification mode in the HttpsSocket class
  • I added the changes so that the option read from the configuration reaches the added method
  • I corrected the tests that did not pass due to the changes introduced

2024/12/17

  • I made changes to the register, the verification-mode option will be obtained from the CLI parameters.
  • I started testing on Windows

No certificate configured:

Register-agent

.\wazuh-agent --register-agent --password wazuh --user wazuh --url https://192.168.0.177:55000
Starting wazuh-agent registration
Failed to authenticate with the manager
wazuh-agent registration failed

EventData:
[2024-12-17 16:24:44.551] [wazuh-agent] [error] [ERROR] [C:\Users\54358\Desktop\Trabajo\wazuh-agent\src\agent\communicator\src\http_client.cpp:428] [PerformHttpRequestInternal] Error: Error connecting to host: asio.ssl error.

Register-agent verification-mode=none

.\wazuh-agent --register-agent --password wazuh --user wazuh --url https://192.168.0.177:55000 --verification-mode none
Starting wazuh-agent registration
wazuh-agent registered

wazuh-agent --run

agent:
  server_url: https://192.168.0.177:27000
  retry_interval: 5s
  verification_mode: none
  batch_size: 1MB

Agent connected and reporting correctly:

wazuh-agent --run (verification_mode: full)

agent:
  server_url: https://192.168.0.177:27000
  retry_interval: 5s
  verification_mode: full
  batch_size: 1MB

The agent fails to connect due to certificate validation:
EventData:
[2024-12-17 20:52:34.519] [wazuh-agent] [error] [ERROR] [C:\Users\54358\Desktop\Trabajo\wazuh-agent\src\agent\communicator\src\http_client.cpp:428] [PerformHttpRequestInternal] Error: Error connecting to host: asio.ssl error.

2024/12/18

  • I have added the latest changes
  • I have continued testing in Windows; I cannot add a certificate to the CA store of the OS so that it is detected as valid and wazuh-agent can connect while validating the certificate.

2024/12/19

  • I performed branch rebasing and resolved conflicts with master
  • I fixed a small error when loading certificates in “certificate” mode.
  • While testing on Windows, I noticed the difficulty in accessing the Windows CA store from within the application. I tried with a custom CA certificate added to the CA store, but then it was not visible to OpenSSL; the validation error was given both from wazuh-agent and using “openssl s_client -connect 192.168.0.177:27000”.

2024/12/20

  • I am still working on validation using the Windows CA store.
  • I found a way to do it, which is by using the wincrypt API.
  • I made a first PoC and so far the results are satisfactory.

2024/12/23

  • I separated the verification logic for Windows
  • I performed tests on the different cases, so far satisfactory.

@Nicogp Nicogp linked a pull request Dec 18, 2024 that will close this issue