A more descriptive message for SSL error when agent-auth fails

[juan70]

Hi, Team,

This PR should fix the issue #2905.

Problem description

When remoted is configured to use protocol tcp in the manager's ossec.conf:

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

registering the agent on the remoted port (by accident, by error, for testing purposes) returns a very generic message:

# /var/ossec/bin/agent-auth -m 172.16.1.2 -p 1514 -P TopSecret
2019/03/25 18:18:04 agent-auth: INFO: Started (pid: 5408).
2019/03/25 18:18:04 agent-auth: ERROR: SSL error (-1). Exiting.

Problem explanation

The code in src/os_auth/main-client.c in v3.9 reads:

333     /* Connect via TCP */
334     sock = OS_ConnectTCP(port, ipaddress, 0);
335     if (sock <= 0) {
336         merror("Unable to connect to %s:%d", ipaddress, port);
337         free(buf);
338         exit(1);
339     }
340 
341     /* Connect the SSL socket */
342     ssl = SSL_new(ctx);
343     sbio = BIO_new_socket(sock, BIO_NOCLOSE);
344     SSL_set_bio(ssl, sbio, sbio);
345 
346     ret = SSL_connect(ssl);
347     if (ret <= 0) {
348         ERR_print_errors_fp(stderr);
349         merror("SSL error (%d). Exiting.", ret);
350         free(buf);
351         exit(1);
352     }

1. OS_ConnectTCP() (line 334) returns a valid socket because the port is open.
2. SSL_Connect() (line 346) returns -1 because remoted can't handle the message. On the manager, ossec.log gets a warning message such as this one:

2019/03/27 12:58:39 ossec-remoted: WARNING: Too big message size from 192.168.56.114 [12].

Solution

As decribed in a comment in the issue (#2905 (comment)), there is no easy way to get a descriptive message by just using the error functions provided by SSL.
So the easiest solution is to change the error message to something like:

SSL error (<SSL error code>). Connection refused by the manager. Maybe the port specified is incorrect. Exiting.

Testing

See below.

[juan70]

Testing

Setting up the manager's ossec.conf:

• remote section
  • change protocol to tcp
  • change port 1514 to 1524
• auth section
  • change port 1515 to 1525
  • use password
• set the password in /var/ossec/etc/authd.pass
• restart manager

Registering an agent on the new remoted port:

# /var/ossec/bin/agent-auth -m 192.168.56.113 -p 1524 -P TopSecret
2019/03/27 12:46:03 agent-auth: INFO: Started (pid: 15089).
2019/03/27 12:46:03 agent-auth: ERROR: SSL error (5). Connection refused by the manager. Maybe the port specified is incorrect. Exiting.

Registering on the standard remoted port:

# /var/ossec/bin/agent-auth -m 192.168.56.113 -p 1514 -P TopSecret
2019/03/27 12:46:14 agent-auth: INFO: Started (pid: 15090).
2019/03/27 12:46:14 agent-auth: ERROR: Unable to connect to 192.168.56.113:1514

The port is indeed not open in this configuration.

Registering on the new authd port:

# /var/ossec/bin/agent-auth -m 192.168.56.113 -p 1525 -P TopSecret
2019/03/27 12:46:21 agent-auth: INFO: Started (pid: 15091).
2019/03/27 12:46:21 agent-auth: INFO: Connected to 192.168.56.113:1525
2019/03/27 12:46:21 agent-auth: INFO: Using agent name as: deb9ag
2019/03/27 12:46:21 agent-auth: INFO: Send request to manager. Waiting for reply.
2019/03/27 12:46:21 agent-auth: INFO: Received response with agent key
2019/03/27 12:46:21 agent-auth: INFO: Valid key created. Finished.
2019/03/27 12:46:21 agent-auth: INFO: Connection closed.

Registration OK.

Control

Registering the agent on a manager with the standard configuration (default ports, no password, udp protocol for remoted):

# /var/ossec/bin/agent-auth -m 192.168.56.113
2019/03/27 12:54:08 agent-auth: INFO: Started (pid: 16723).
2019/03/27 12:54:08 agent-auth: INFO: No authentication password provided.
2019/03/27 12:54:08 agent-auth: INFO: Connected to 192.168.56.113:1515
2019/03/27 12:54:08 agent-auth: INFO: Using agent name as: deb9ag
2019/03/27 12:54:08 agent-auth: INFO: Send request to manager. Waiting for reply.
2019/03/27 12:54:08 agent-auth: INFO: Received response with agent key
2019/03/27 12:54:08 agent-auth: INFO: Valid key created. Finished.
2019/03/27 12:54:08 agent-auth: INFO: Connection closed.

Registration OK.

Protocol for remoted changed to tcp in the manager's ossec.conf, and registering on port 1514 (default for remoted):

# /var/ossec/bin/agent-auth -m 192.168.56.113 -p 1514
2019/03/27 12:58:39 agent-auth: INFO: Started (pid: 18355).
2019/03/27 12:58:39 agent-auth: INFO: No authentication password provided.
2019/03/27 12:58:39 agent-auth: ERROR: SSL error (5). Connection refused by the manager. Maybe the port specified is incorrect. Exiting.

Registration fails and this is OK.

Specifying port 1515 (default for authd):

# /var/ossec/bin/agent-auth -m 192.168.56.113 -p 1515
2019/03/27 12:59:36 agent-auth: INFO: Started (pid: 18356).
2019/03/27 12:59:36 agent-auth: INFO: No authentication password provided.
2019/03/27 12:59:36 agent-auth: INFO: Connected to 192.168.56.113:1515
2019/03/27 12:59:36 agent-auth: INFO: Using agent name as: deb9ag
2019/03/27 12:59:36 agent-auth: INFO: Send request to manager. Waiting for reply.
2019/03/27 12:59:36 agent-auth: INFO: Received response with agent key
2019/03/27 12:59:36 agent-auth: INFO: Valid key created. Finished.
2019/03/27 12:59:36 agent-auth: INFO: Connection closed.

Registration OK.

[chemamartinez]

Looks good!