Add server certificate validation to wazuh agent #444

Draft
wants to merge 4 commits into
base: master

Member

@Nicogp Nicogp commented Dec 18, 2024

Related issue
#389

Description

This PR adds server certificate validation.
For server connections when the agent is already registered, a new configuration option is added to control which mode will be used:

agent:
  verification_mode: full

Possible Values:

  • full (default):
    • Validates that the server certificate is signed by a trusted CA.
    • Ensures the server hostname matches the certificate's SAN or CN.
  • certificate:
    • Validates that the server certificate is signed by a trusted CA.
    • Does not validate the server hostname.
  • none:
    • Disables all certificate validation.
    • No checks are performed on the certificate's CA signature or the server hostname.
    • Note: This mode disables critical SSL/TLS security features and is not recommended for production environments.

To register the agent, a new option, “--verification-mode”, was added to the CLI; the values it can take are the same as in the previous case:

wazuh-agent --register-agent --user user --password pass --url https://serverIP:55000 --verification-mode certificate

Tests

  • Compilation without warnings in every supported platform
    • Linux
    • Windows
    • MAC OS X
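
The three modes described above, as an added C++ sketch that is not part of the pull request or the Wazuh code base. It models the accept/reject decision each mode makes, with a strict parser that rejects unknown values. `ParseMode`, `PeerCert`, `NameMatches` and `AcceptPeer` are hypothetical names, the certificate data is constructed, and treating an empty string as the default is an assumption.

```cpp
// Added illustration, not code from the Wazuh agent. All names are hypothetical.
#include <algorithm>
#include <string>
#include <vector>

enum class VerificationMode { Full, Certificate, None };

// Strict parse: an unknown or misspelt value returns false so the caller can
// refuse to connect instead of silently weakening validation.
// Assumption: an omitted option arrives as an empty string and means "full".
bool ParseMode(const std::string& s, VerificationMode& out)
{
    if (s.empty() || s == "full") { out = VerificationMode::Full; return true; }
    if (s == "certificate") { out = VerificationMode::Certificate; return true; }
    if (s == "none") { out = VerificationMode::None; return true; }
    return false;
}

// Constructed stand-in for what a TLS library reports after the handshake.
struct PeerCert
{
    bool chainTrusted;                 // signed by a CA in the trust store
    std::vector<std::string> dnsNames; // SAN entries (or the CN)
};

// Exact match, or one leftmost "*." wildcard covering exactly one label.
// Simplification: comparison is case-sensitive; real matching is not.
bool NameMatches(const std::string& pattern, const std::string& host)
{
    if (pattern == host) return true;
    if (pattern.rfind("*.", 0) != 0) return false;
    const auto dot = host.find('.');
    return dot != std::string::npos && dot > 0 && host.substr(dot) == pattern.substr(1);
}

bool AcceptPeer(VerificationMode mode, const PeerCert& cert, const std::string& host)
{
    if (mode == VerificationMode::None) return true;        // no checks at all
    if (!cert.chainTrusted) return false;                   // full and certificate
    if (mode == VerificationMode::Certificate) return true; // hostname not checked
    return std::any_of(cert.dnsNames.begin(), cert.dnsNames.end(),
                       [&](const std::string& n) { return NameMatches(n, host); });
}
```

In `certificate` mode a CA-signed certificate issued for a different host is accepted, which is the gap that `full` closes.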

@Nicogp Nicogp linked an issue Dec 18, 2024 that may be closed by this pull request
@Nicogp Nicogp force-pushed the enhancement/389-add-server-certificate-validation-to-wazuh-agent branch from f7d9753 to 2e7d6af Compare December 18, 2024 17:56
Contributor

@aritosteles aritosteles left a comment

LGTM

Member

@jr0me jr0me left a comment

LGTM

@Nicogp Nicogp force-pushed the enhancement/389-add-server-certificate-validation-to-wazuh-agent branch from 2e7d6af to 967804a Compare December 19, 2024 14:39
@@ -32,6 +33,7 @@ namespace http_client
const std::string& serverUrl,
std::string endpoint,
std::string userAgent,
std::string verificationMode,
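Review bot: the new `std::string verificationMode,` parameter carries the mode as free text, so a misspelt or differently cased value reaches the HTTP layer unchecked, and nothing in this hunk shows which behaviour it falls into. Consider parsing the setting once into an enum (full, certificate, none) where the configuration or CLI option is read, rejecting anything else, and passing that enum here; if the string stays, document the accepted values next to the parameter and make an unrecognised value behave as full rather than none.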
Member

Add to list of parameters.

Member

Add tests for certificate and none cases.

@@ -30,7 +31,7 @@ void RegisterAgent(const std::string& url,
agent_registration::AgentRegistration reg(url, user, password, key, name, dbFolderPath);

http_client::HttpClient httpClient;
if (reg.Register(httpClient))
if (reg.Register(httpClient, verificationMode))
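Review bot: `reg.Register(httpClient, verificationMode)` forwards the CLI value with no check visible in this function, and `reg` is the registration built from `user` and `password`. Validate `verificationMode` against full, certificate and none before calling `Register` and abort with an error on any other value, so a typo in `--verification-mode` cannot weaken validation on the request that carries credentials; an omitted option should resolve to full.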
Member

I wonder why you didn't choose to add an m_verificationMode data member in the AgentRegistration class.
Although I like it better this way because it makes the Register function easier to test.

Member

@TomasTurina TomasTurina Dec 19, 2024

@Nicogp Nicogp force-pushed the enhancement/389-add-server-certificate-validation-to-wazuh-agent branch from bc909d7 to 76efee1 Compare December 24, 2024 00:25
Successfully merging this pull request may close these issues.

Add Server Certificate Validation to Wazuh Agent
4 participants