Add server certificate validation to wazuh agent #444

Nicogp · 2024-12-18T17:48:29Z

Related issue
#389

Description

This PR adds server certificate validation.
For server connections when the agent is already registered, a new configuration option is added to control which mode will be used:

agent:
  verification_mode: full

Possible Values:

full (default):
- Validates that the server certificate is signed by a trusted CA.
- Ensures the server hostname matches the certificate's SAN or CN.
certificate:
- Validates that the server certificate is signed by a trusted CA.
- Does not validate the server hostname.
none:
- Disables all certificate validation.
- No checks are performed on the certificate's CA signature or the server hostname.
- Note: This mode disables critical SSL/TLS security features and is not recommended for production environments.

To perform the registration of the agent, a new option was added to the CLI “--verification-mode”, the values that can take are the same as for the previous case:

wazuh-agent --register-agent --user user --password pass --url https://serverIP:55000 --verification-mode certificate

Tests

Compilation without warnings in every supported platform
- Linux
- Windows
- MAC OS X

aritosteles

LGTM

jr0me

LGTM

…stead of getting it from configuration

TomasTurina · 2024-12-19T14:53:49Z

src/agent/communicator/include/http_request_params.hpp

@@ -32,6 +33,7 @@ namespace http_client
                          const std::string& serverUrl,
                          std::string endpoint,
                          std::string userAgent,
+                          std::string verificationMode,


Add to list of parameters.

TomasTurina · 2024-12-19T16:20:17Z

src/agent/communicator/tests/http_client_test.cpp

Add tests for certificate and none cases.

TomasTurina · 2024-12-19T16:29:38Z

src/agent/src/process_options.cpp

@@ -30,7 +31,7 @@ void RegisterAgent(const std::string& url,
            agent_registration::AgentRegistration reg(url, user, password, key, name, dbFolderPath);

            http_client::HttpClient httpClient;
-            if (reg.Register(httpClient))
+            if (reg.Register(httpClient, verificationMode))


I wonder why you didn't choose to add an m_verificationMode data member in the AgentRegistration class.
Although I like it better this way because it makes the Register function easier to test.

TomasTurina · 2024-12-19T16:30:34Z

src/agent/tests/agent_registration_test.cpp

… agent and windows agent

…ificationMode.

…ration class

Nicogp linked an issue Dec 18, 2024 that may be closed by this pull request

Add Server Certificate Validation to Wazuh Agent #389

Open

Nicogp force-pushed the enhancement/389-add-server-certificate-validation-to-wazuh-agent branch from f7d9753 to 2e7d6af Compare December 18, 2024 17:56

aritosteles approved these changes Dec 18, 2024

View reviewed changes

jr0me approved these changes Dec 18, 2024

View reviewed changes

Nicogp added 3 commits December 19, 2024 11:30

feat: gets the validation_mode parameter from the configuration

ac50923

feat(communicator): added method to set the verification mode

d15a87d

feat(RegisterAgent): get the verification-mode option from the CLI in…

967804a

…stead of getting it from configuration

Nicogp force-pushed the enhancement/389-add-server-certificate-validation-to-wazuh-agent branch from 2e7d6af to 967804a Compare December 19, 2024 14:39

TomasTurina reviewed Dec 19, 2024

View reviewed changes

src/agent/communicator/tests/http_client_test.cpp Outdated

Copy link

Member

TomasTurina Dec 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add tests for certificate and none cases.

TomasTurina reviewed Dec 19, 2024

View reviewed changes

src/agent/tests/agent_registration_test.cpp Outdated

Copy link

Member

TomasTurina Dec 19, 2024 •

edited

Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same

feat(communicator): separate certificate verification logic for linux…

76efee1

… agent and windows agent

Nicogp force-pushed the enhancement/389-add-server-certificate-validation-to-wazuh-agent branch from bc909d7 to 76efee1 Compare December 24, 2024 00:25

Nicogp added 2 commits December 26, 2024 11:53

test(httpClient): a check has been added to verify the call to SetVer…

16d5f60

…ificationMode.

feat(AgentRegistration): makes validationMode a member of AgentRegist…

b803df7

…ration class

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add server certificate validation to wazuh agent #444

Add server certificate validation to wazuh agent #444

Nicogp commented Dec 18, 2024

aritosteles left a comment

jr0me left a comment

TomasTurina Dec 19, 2024

TomasTurina Dec 19, 2024

TomasTurina Dec 19, 2024

TomasTurina Dec 19, 2024 •

edited

Loading

Add server certificate validation to wazuh agent #444

Are you sure you want to change the base?

Add server certificate validation to wazuh agent #444

Conversation

Nicogp commented Dec 18, 2024

Description

Tests

aritosteles left a comment

Choose a reason for hiding this comment

jr0me left a comment

Choose a reason for hiding this comment

TomasTurina Dec 19, 2024

Choose a reason for hiding this comment

TomasTurina Dec 19, 2024

Choose a reason for hiding this comment

TomasTurina Dec 19, 2024

Choose a reason for hiding this comment

TomasTurina Dec 19, 2024 • edited Loading

Choose a reason for hiding this comment

TomasTurina Dec 19, 2024 •

edited

Loading