Project

General

Profile

Bug #299

TLS error with OSSEC

Added by over 11 years ago. Updated almost 11 years ago.

Status:
Closed
Priority:
Normal
Target version:
Start date:
Due date:
% Done:

0%

Resolution:
fixed

Description

Hello,

I installed prelude on [[OpenBSD]] 4.3 & registered 2 sensors, snort & prelude-lml successfully.

I have a problem with getting OSSEC to work with prelude. after registering the OSSEC sensor and running OSSEC i get the following error from prelude-manager: "TLS error: A TLS packet with unexpected length was received" and then prelude-manager closes the connection.

gnutls version is 2.0.4, OSSEC versions i tried : 1.4,1.5,1.51.
using prelude from [[OpenBSD]] package, versions :
libprelude - 0.9.15
prelude-manager - 0.9.9 (also tried compiling 0.9.13 from source - got the same error)

manager.diff View - Workaround for GnuTLS compression priority issue (1.12 KB) Yoann VANDOORSELAERE, 07/16/2008 02:22 PM

ossec.debug - ossec with LIBPRELUDE_TLS_DEBUG=10 (27.1 KB) , 07/16/2008 03:19 PM

prelude-manager.debug - prelude-manager with LIBPRELUDE_TLS_DEBUG=10 (50.3 KB) , 07/16/2008 03:20 PM

libprelude.diff View - Set default compression priority. (961 Bytes) Yoann VANDOORSELAERE, 07/16/2008 05:56 PM

History

#1 Updated by over 11 years ago

I tried removing the [[OpenBSD]] prelude packages and compile prelude + ossec from source.
now I get the following error from prelude when ossec tries to connect to prelude-manager :
"Ohhhh jeeee: operation is not possible without initialized secure memory"

#2 Updated by over 11 years ago

after installing from source I now get the "Ohhhh jeeee: operation is not possible without initialized secure memory" with other sensors too (prelude-lml, snort).

I tried doing a clean installation but got the same error.

versions are :

gnutls - 2.5.2
libgcrypt - 1.4.1
libgpg-error - 1.6
libprelude - 0.9.17.2
prelude-manager - 0.9.13

#3 Updated by Yoann VANDOORSELAERE over 11 years ago

Hi,

Prior to getting the

Ohhhh jeeee: operation is not possible without initialized secure memory

error message, what software versions where you using?

#4 Updated by over 11 years ago

Replying to [comment:3 yoann]:

Hi,

Prior to getting the

> Ohhhh jeeee: operation is not possible without initialized secure memory

error message, what software versions where you using?

Hello Yoann,

I was first using the 4.3 [[OpenBSD]] packages : libprelude-0.9.15,prelude-manager-0.9.9,gnutls 2.0.4
and had no problem with snort/prelude-lml sensors. problem started with OSSEC (TLS ERROR), so i
tried reinstalling and since it did not work I downloaded prelude source, installed it and since then i always
get the "secure memory" error when a sensor tries to connect to prelude-manager (registration works fine).

Thanks

#5 Updated by over 11 years ago

I reinstalled openbsd 4.3 from scratch, first thing after the installation i compiled latest gnutls 2.52,libgcrypt - 1.41 libgpg-error - 1.6
and then installed libprelude-0.9.17.2, prelude-manager-0.9.13 from source.

I still get the "secure memory" error when a sensor connects with prelude-manager...

#6 Updated by over 11 years ago

created another 4.3 clean installation under vmware server, compiled current versions from source , this time using gnutls 2.0.4 from openbsd 4.3 package - error is again "TLS error: A TLS packet with unexpected length was received".

#7 Updated by Yoann VANDOORSELAERE over 11 years ago

[[GnuTLS]] 2.5.x is development version: you probably should avoid it. I'd suggest sticking to [[GnuTLS]] 2.0.4.
To summarize, can you confirm that you are back to the following issue:

  • Starting OSSEC lead to unexpected length error on the Prelude-Manager side
    • What about the OSSEC side, what does it tell?
  • Prelude-LML and Snort, located on the same machine as OSSEC, are working.

Can you confirm this?

Additionally, please provide the output from the following command, both on the OSSEC and Prelude-Manager machine:

prelude-admin list -l

#8 Updated by over 11 years ago

just to make clear : I run all sensors (ossec server,snort,prelude-lml) on the same machine as prelude.

summary of behavior with gnutls 2.0.4 & default openbsd 4.3 packages of prelude.

1. ossec reponse when communicating with prelude-manager is "ossec-analysisd :prelude-client: Unable to initialize prelude client: TLS handshake failed: Could not negotiate a supported compression method.."

2. prelude-manager side says: "TLS error: A TLS packet with unexpected length was received" and then prelude-manager closes the connection.

3. i can confirm prelude-lml & snort working, both were installed prior to ossec.

I will run the prelude-admin command tomorrow (when ill be in front of the computer) and provide the input.

Thanks for your help!

#9 Updated by over 11 years ago

prelude-admin list -l output:

Profile UID GID [[AnalyzerID]] Permission Issuer [[AnalyzerID]]
---------------------------------------------------------------------
prelude-manager root wheel 556568847730105 n/a n/a
OSSEC ossec ossec 3784451519039096 idmef:w 556568847730105
prelude-lml root wheel 2102602455468194 idmef:w 556568847730105

#10 Updated by over 11 years ago

tried even again just to make sure :
installed openbsd 4.3, prelude from openbsd port, ossec from source. TLS error (unexpected length) again...
prelude-lml works fine though.

#11 Updated by Yoann VANDOORSELAERE over 11 years ago

Could you try starting OSSEC using either of the working Snort / Prelude-LML profile (you will have to use prelude-admin chown to make sure the profile fit OSSEC permissions).

Edit ossec.conf, and set:

<prelude_profile>your profile</prelude_profile>

#12 Updated by over 11 years ago

Hi Yoann,

1. I still get the same error after replacing OSSEC profile to prelude-lml.
2. I successfully installed latest prelude (from source, not openbsd package) + latest ossec on the same machine with gnutls-2.4.0.

#13 Updated by Yoann VANDOORSELAERE over 11 years ago

Thanks for the feedback! I'm suspecting a potential conflict problem between [[GnuTLS]] (which depend on libz), and OSSEC which seems to make use of it to.

One more things you can do to debug the problem, is to start both OSSEC and Prelude-Manager in the foreground with the following environment variable set:

LIBPRELUDE_TLS_DEBUG=10 prelude-manager >& /tmp/prelude-manager.debug
LIBPRELUDE_TLS_DEBUG=10 ossec >& /tmp/ossec.debug

Then provide us with both generated file (I'd advise to regenerate all your sensor profile once you'll be doing that, since the debug log might contain sensitive certificate information - or you can send me the log by mail privately).

Additionally, is the Prelude-Manager side [[GnuTLS]] version 2.0.4 too?

#14 Updated by Yoann VANDOORSELAERE over 11 years ago

  • Status changed from New to Assigned

You might want to apply manager.diff patch to Prelude-Manager and let us know whether this correct your problem. From my testing, it appear that [[GnuTLS]] set DEFLATE as the default compression protocol, although the documentation state that:

The Record protocol offers symmetric encryption, data authenticity, and optionally compression. 

So compression should be optional, but apparently client are not able to connect with no compression. As a result, if one end (client / Prelude-Manager) [[GnuTLS]] version is compiled without zlib support, the connection fail.

#15 Updated by over 11 years ago

Hey Yoann,

1. I attached the 2 debug files from ossec+prelude-manager.
2. prelude-manager + ossec server both installed on same machine so both use gnutls 2.0.4
3. Applying the patch to manager-auth.c did not help solve the problem (still the same error), but I could not find
the error message you added to manager-auth.c in the diff file...

#16 Updated by over 11 years ago

i checked the value of ret after the line : ret = gnutls_init(&session, GNUTLS_SERVER);
value is 0 (=GNUTLS_E_SUCCESS) so initialization of the TLS session is successful.

#17 Updated by Yoann VANDOORSELAERE over 11 years ago

Thanks for the feedback.
Attached another patch for libprelude : libprelude.diff, please apply and restart both Prelude-Manager then OSSEC.

Additionally, could you please provide the "ldd" output for libgnutls.so, and check whether zlib is linked, on both the client and server side?

#18 Updated by Yoann VANDOORSELAERE over 11 years ago

Replying to [comment:16 anonymous]:

i checked the value of ret after the line : ret = gnutls_init(&session, GNUTLS_SERVER);
value is 0 (=GNUTLS_E_SUCCESS) so initialization of the TLS session is successful.

Yes, that is expected: the problem occur within gnutls_handshake(), where both client and server are not able to negotiate a compatible compression scheme (or no compression scheme at all. Which should obviously work).

#19 Updated by over 11 years ago

1. ldd /usr/local/lib/libgnutls.so.13.0 : linked with libz.so.4.1 (same machine)

2. applying the libprelude patch solved the problem.

thanks for all the help!

(BTW, dont know if you saw the message but i got it working yesterday with gnutls 2.4.0. so it works without the patch with 2.4.0 but patch is required for 2.0.4 & 2.5.2 - these are the versions i tested)

#20 Updated by Yoann VANDOORSELAERE over 11 years ago

Look like we're finally getting somewhere! There is one more clarification that we need in order to fixes the problem directly from the Prelude sources: does libprelude.diff fixes the problem with and without manager.diff applied?

#21 Updated by over 11 years ago

I uninstalled prelude-manager & installed the version from source again (without the patch) - authentication with ossec succeeded.
so the fix in libprelude module is sufficient to solve this problem.

#22 Updated by Yoann VANDOORSELAERE over 11 years ago

Thanks! In the modified libprelude source, could you locate the following line:

        const int c_prio[] = { GNUTLS_COMP_NULL, GNUTLS_COMP_DEFLATE, 0 }; 

And change it to:

        const int c_prio[] = { GNUTLS_COMP_NULL, 0 }; 

And tell me whether everything still work correctly?

#23 Updated by over 11 years ago

works fine after the change.
so you basically disable protocol compression or fallback to no compression if handshake fails?

#24 Updated by Yoann VANDOORSELAERE over 11 years ago

The workaround explicitly disable TLS deflate compression in the client. [[GnuTLS]] default settings is that deflate is not used, but for some reason, in your case, it seems to be marked as the default compression method, leading to a failure since Prelude-Manager is not configured to support it. I guess this probably have to do with the OSSEC zlib dependency.

By any chance, are you able to reproduce #300 on your [[OpenBSD]] platform?

#25 Updated by Yoann VANDOORSELAERE over 11 years ago

  • Status changed from Assigned to Closed
  • Resolution set to fixed

(In r10682) Add support for newer [[GnuTLS]] 2.2.0 session priority functions. When
the option is available, the user might specify TLS settings through
the "tls-options" configuration entry.

This additionally fix #299 (problem negotiating compression method
when connecting to Prelude-Manager).

#26 Updated by over 11 years ago

Replying to [comment:24 yoann]:

The workaround explicitly disable TLS deflate compression in the client. [[GnuTLS]] default settings is that deflate is not used, but for some reason, in your case, it seems to be marked as the default compression method, leading to a failure since Prelude-Manager is not configured to support it. I guess this probably have to do with the OSSEC zlib dependency.

By any chance, are you able to reproduce #300 on your [[OpenBSD]] platform?

yes, it was me who opened it...sorry i didn't have the time to upload the files requested, I was busy with #299 :)
I will add the files soon.

#27 Updated by Yoann VANDOORSELAERE almost 11 years ago

  • Project changed from PRELUDE SIEM to Libprelude
  • Category deleted (1)
  • Target version deleted (0.9.18)

Also available in: Atom PDF