Discussion:
[ossec-list] OSSEC TLS 1.2 Question
Kumar G
2018-11-15 19:22:16 UTC
Hi Team.

We have a requirement that all agent-to-server communication go over
TLS 1.2. Could anyone help me understand whether it is feasible to have
TLS 1.2 configurable for the agent communication, for both agent
registration (ossec-authd) and the agent data that is sent to the
management server on UDP/1514.

Is OSSEC agent data / are events sent over DTLS (TLS 1.2 on UDP) to the manager?

If you can share any information on this, that would be great. Our current
version is 2.8.x.


Thanks
Kumar
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
dan (ddp)
2018-11-15 19:51:04 UTC
Post by Kumar G
Hi Team.
We have a requirement that all agent-to-server communication go over TLS 1.2. Could anyone help me understand whether it is feasible to have TLS 1.2 configurable for the agent communication, for both agent registration (ossec-authd) and the agent data that is sent to the management server on UDP/1514.
For authd:
https://github.com/ossec/ossec-hids/blob/master/src/os_auth/ssl.c#L107
Post by Kumar G
Is OSSEC agent data / are events sent over DTLS (TLS 1.2 on UDP) to the manager?
Nope.
dan (ddp)
2018-11-15 19:51:48 UTC
Post by Kumar G
If you can share any information on this, that would be great. Our current version is 2.8.x.
Oops, I didn't read that until after I hit send. No clue if that was
present that long ago, but it should be easy to figure out based on my
link above.
Kumar G
2018-11-16 16:14:20 UTC
Thank you Dan.

I checked the URL, and TLS 1.2 for authd is available. However, I am not
able to track down which source sends the data out over a secure
connection over UDP.

If anyone has done the data transmission over TLS 1.2, please help with
the code modification.


Thanks
Kumar
dan (ddp)
2018-11-16 16:32:58 UTC
Post by Kumar G
Thank you Dan.
I checked the URL, and TLS 1.2 for authd is available. However, I am not able to track down which source sends the data out over a secure connection over UDP.
ossec-agentd source is here:
https://github.com/ossec/ossec-hids/tree/master/src/client-agent
Dave Stoddard
2018-11-17 19:20:09 UTC
dan (ddp)
2018-11-17 20:31:12 UTC
How does dtls factor into this? I briefly looked at the wikipedia entry,
but haven’t dug into it yet.
Post by Dave Stoddard
Just a note that TLS 1.2 cannot be implemented over UDP. To meet the TLS
1.2 spec, you must use TCP as it requires a connection-oriented protocol.
UDP is connectionless - it provides no guarantee that the packet was
received at the other end, and there is no guarantee that the packet
received by the server originated with the sender IP address found in the
UDP packet.
TCP requires a three-way handshake to ensure the connection is
established, that the two parties to the connection are genuine, and to
ensure that packets that are sent are received in the correct sequence.
Once the connection is established over TCP, the client requests a secure
connection with a list of supported ciphers and hashes. The server picks a
cipher and hash and returns the choice to the client. Then the server
provides a signed certificate to the client (usually signed by a third
party certificate authority), which contains the server's public key. The
client verifies the certificate and returns its public key to the server in
an encrypted connection using the server's public key to encrypt the
response (it is a little more complicated than that, but that is the gist
of it in a nutshell). Once the key exchange is completed, data can be
exchanged. TLS 1.2 is generally used to support encrypted data exchange
when you do not have control over both the client and the server (which is
typical for HTTPS or SMTPS).
When UDP is used, it is more common to use symmetric keys for data
exchange, such as AES 256 with a pre-shared key (PSK). This is the way
encryption is implemented for UDP in OSSEC. AES 256 meets the requirements
for HIPAA, PCI DSS 3.2, and DFARS (NIST 800-171). Of course, you can use
symmetric key cryptography with TCP too. When public key cryptography is
used for encryption, as provided through TLS 1.2, the specification of TLS
1.2 for HIPAA, PCI DSS, and other regulatory compliance is done to stop
people from using earlier (flawed) versions of PKI, such as SSL 2, SSL 3,
TLS 1.0, and TLS 1.1.
While it is generally recommended not to "roll your own" cryptography, the
open source OpenSSL library provides a complete set of wrapper functions
through the EVP interface that make it easy to implement encryption for
almost any cipher using C/C++ (Google for "openssl evp functions" for more
info). Most mainstream programming languages provide libraries to support
encryption protocols, including Python, Perl, Go, and many others. Hope
this helps. Best,
Dave Stoddard
Network Alarm Corporation
https://networkalarmcorp.com
https://redgravity.net
dgs at networkalarmcorp dot com
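Dave's quoted description above contrasts the TLS handshake with the symmetric pre-shared-key approach that is usual over UDP, and notes that UDP itself guarantees neither delivery nor that a datagram really came from the source address it carries. The Go program below, added here as an illustration and not OSSEC's own wire format (which this thread does not show), spells out what a PSK scheme must therefore supply by itself: per-datagram authentication with AES-256-GCM, a nonce that cannot repeat, and a per-agent sequence counter that rejects replayed copies. The header layout, the agent ids, the key bytes and the sample event line are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Datagram layout for this illustration (not OSSEC's own wire format):
//   agent id (4) || sequence (8) || AES-256-GCM ciphertext || tag (16)
// The 12-byte header is authenticated as additional data and, being exactly
// GCM's nonce size, also serves as the nonce: one key per agent plus a strictly
// increasing counter means the nonce never repeats, which GCM requires.
const headerLen = 12

var ErrReplay = errors.New("sequence number already accepted")

// newAEAD wraps a 32-byte pre-shared key as AES-256-GCM.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("pre-shared key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Sender seals events for one agent.
type Sender struct {
	agentID uint32
	seq     uint64
	aead    cipher.AEAD
}

func NewSender(agentID uint32, key []byte) (*Sender, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Sender{agentID: agentID, aead: aead}, nil
}

// Seal returns header || ciphertext || tag for one event. Because the header
// is covered by the tag, a changed agent id or sequence fails verification.
func (s *Sender) Seal(event []byte) []byte {
	s.seq++
	hdr := make([]byte, headerLen)
	binary.BigEndian.PutUint32(hdr[:4], s.agentID)
	binary.BigEndian.PutUint64(hdr[4:], s.seq)
	out := make([]byte, headerLen, headerLen+len(event)+s.aead.Overhead())
	copy(out, hdr)
	return s.aead.Seal(out, hdr, event, hdr)
}

// Receiver keeps one key per agent and the highest sequence accepted from each.
type Receiver struct {
	keys    map[uint32]cipher.AEAD
	lastSeq map[uint32]uint64
}

func NewReceiver() *Receiver {
	return &Receiver{keys: map[uint32]cipher.AEAD{}, lastSeq: map[uint32]uint64{}}
}

func (r *Receiver) AddAgent(agentID uint32, key []byte) error {
	aead, err := newAEAD(key)
	if err != nil {
		return err
	}
	r.keys[agentID] = aead
	return nil
}

// Open authenticates and decrypts one datagram. The UDP source address is never
// consulted: the header names the agent and the GCM tag proves possession of
// that agent's key.
func (r *Receiver) Open(dgram []byte) (uint32, []byte, error) {
	if len(dgram) < headerLen+16 {
		return 0, nil, errors.New("datagram shorter than header plus tag")
	}
	hdr := dgram[:headerLen]
	agentID := binary.BigEndian.Uint32(hdr[:4])
	seq := binary.BigEndian.Uint64(hdr[4:])
	aead, ok := r.keys[agentID]
	if !ok {
		return 0, nil, errors.New("no pre-shared key for this agent id")
	}
	// Check the tag before the counter, so only a holder of the key can move it.
	event, err := aead.Open(nil, hdr, dgram[headerLen:], hdr)
	if err != nil {
		return 0, nil, err
	}
	if seq <= r.lastSeq[agentID] {
		return 0, nil, ErrReplay
	}
	r.lastSeq[agentID] = seq
	return agentID, event, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real PSK is random per agent
	for i := range key {
		key[i] = byte(i)
	}
	agent, _ := NewSender(7, key)
	manager := NewReceiver()
	_ = manager.AddAgent(7, key)
	d := agent.Seal([]byte("1:/var/log/auth.log:Failed password for root")) // constructed event
	_, ev, err := manager.Open(d)
	fmt.Printf("first delivery: %q err=%v\n", ev, err)
	_, _, err = manager.Open(d)
	fmt.Printf("replayed copy: err=%v\n", err)
}
```

Two design points are worth noting. The strictly increasing counter means a datagram that arrives after a later one is dropped as a replay, so a receiver that must tolerate UDP reordering would keep a sliding window of recently seen sequence numbers instead of a single high-water mark. And the tag is verified before the counter is consulted, so an attacker who cannot forge a valid datagram also cannot advance or probe the replay state.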
David Stoddard
2018-11-17 23:37:03 UTC