
Investigate and adapt the server certificate validation using the API provided by the OS on macOS. #468

Open
Nicogp opened this issue Dec 30, 2024 · 1 comment
Nicogp commented Dec 30, 2024

Related issue
#389

Description

As a complement to issue #389, it is necessary to investigate the use of CA certificates in macOS and, if necessary, adapt the code so that server certificate validation is performed through the API provided by the OS.

Certificate validation in macOS should follow the same logic as in #389:

  • full (default):
    • Validates that the server certificate is signed by a trusted CA.
    • Ensures the server hostname matches the certificate's SAN or CN.
  • certificate:
    • Validates that the server certificate is signed by a trusted CA.
    • Does not validate the server hostname.
  • none:
    • Disables all certificate validation.
    • No checks are performed on the certificate's CA signature or the server hostname.
      Note: This mode disables critical SSL/TLS security features and is not recommended for production environments.
@Nicogp Nicogp self-assigned this Dec 30, 2024
@wazuhci wazuhci moved this to In progress in Release 5.0.0 Dec 30, 2024
@TomasTurina TomasTurina added the level/task Task issue label Dec 30, 2024
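The three modes listed in the issue, as an added example that is not part of the issue text or of wazuh-agent's own code. It is written in Python so it runs offline: the `ssl` module exposes the two checks (CA-signature of the chain, hostname against SAN/CN) as separate knobs, which is exactly the split between "full" and "certificate". The CA-signature result is assumed to come from the platform trust store and is passed in as a boolean; the hostname check is implemented in full, including the IP-literal case from the registration test above. The certificate dictionaries are constructed inline in the layout `ssl.SSLSocket.getpeercert()` returns; the manager address 192.168.0.177 is the one used in the thread, and the SAN value 192.168.0.10 is an assumed "wrong IP" for that scenario. Function names (`hostname_matches`, `verify_decision`, `make_context`) are this example's own.

```python
"""Server-certificate verification modes: full / certificate / none.

Added example, not wazuh-agent code. Two independent checks are modelled:
  1. chain_trusted: is the server certificate signed by a trusted CA?
     (done by the OS trust store or OpenSSL; passed in here as a boolean)
  2. hostname_matches: does the host we dialled appear in the SAN (or,
     as a legacy fallback, the CN) of the leaf certificate?
"""
import ipaddress
import ssl
from typing import Optional

MODES = ("full", "certificate", "none")


def _dns_pattern_matches(pattern: str, host: str) -> bool:
    """Match a dNSName SAN (or CN) against a DNS host name.

    Case-insensitive; a single '*' is allowed only as the complete leftmost
    label and matches exactly one label, so '*.example.test' matches
    'manager.example.test' but not 'a.b.example.test' or 'example.test'.
    Partial wildcards such as 'f*o.example.test' are rejected (conservative).
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Require at least two fixed labels after the wildcard ('*.com' is not acceptable).
    if len(p_labels) < 3 or len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def _ip_matches(san_value: str, target) -> bool:
    try:
        return ipaddress.ip_address(san_value) == target
    except ValueError:
        return False


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Check the dialled hostname (DNS name or IP literal) against SAN, then CN.

    `cert` uses the layout of ssl.SSLSocket.getpeercert(): 'subjectAltName'
    is a tuple of (kind, value) pairs with kind 'DNS' or 'IP Address', and
    'subject' is a tuple of RDNs, each a tuple of (key, value) pairs.
    """
    sans = cert.get("subjectAltName", ())
    try:
        target_ip = ipaddress.ip_address(hostname)
    except ValueError:
        target_ip = None

    if target_ip is not None:
        # An IP literal is matched only against iPAddress SANs; dNSName
        # entries and the CN are not consulted (RFC 6125 section 1.7.2).
        return any(k == "IP Address" and _ip_matches(v, target_ip) for k, v in sans)

    dns_sans = [v for k, v in sans if k == "DNS"]
    if dns_sans:
        # When dNSName SANs exist the CN is ignored, even if it would match.
        return any(_dns_pattern_matches(p, hostname) for p in dns_sans)

    # Legacy fallback: no dNSName SAN at all, so use the subject CN.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_pattern_matches(value, hostname)
    return False


def verify_decision(mode: str, chain_trusted: bool, cert: dict, hostname: str) -> Optional[str]:
    """Return None to accept the server, or the reason for rejecting it.

    `chain_trusted` is the outcome of the CA-signature check performed by the
    platform trust store; this function only decides what to do with it.
    """
    if mode not in MODES:
        raise ValueError(f"unknown verification mode: {mode!r}")
    if mode == "none":
        return None                       # no checks at all; not for production
    if not chain_trusted:
        return "The server certificate is not signed by a trusted CA."
    if mode == "full" and not hostname_matches(cert, hostname):
        return "The hostname does not match the certificate's SAN or CN."
    return None


def make_context(mode: str, cafile: Optional[str] = None) -> ssl.SSLContext:
    """The same three modes expressed as ssl.SSLContext settings for a TLS client."""
    if mode not in MODES:
        raise ValueError(f"unknown verification mode: {mode!r}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # defaults: CERT_REQUIRED + check_hostname
    if mode == "none":
        ctx.check_hostname = False                  # must be cleared before CERT_NONE is allowed
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = (mode == "full")           # 'certificate' keeps only the chain check
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        ctx.load_default_certs()                    # OpenSSL's store, not the macOS keychain
    return ctx


def context_settings(ctx: ssl.SSLContext) -> tuple:
    """(verify-mode name, check_hostname) for inspection."""
    return (ctx.verify_mode.name, ctx.check_hostname)


# Constructed sample certificate: the manager's cert carries a SAN for an
# assumed 'wrong' IP 192.168.0.10, while the agent dials 192.168.0.177
# (the address used in the registration test in this thread).
WRONG_IP_CERT = {
    "subject": ((("commonName", "wazuh-manager"),),),
    "subjectAltName": (("IP Address", "192.168.0.10"),),
}

if __name__ == "__main__":
    for mode in MODES:
        print(mode, "->", verify_decision(mode, True, WRONG_IP_CERT, "192.168.0.177"))
```

With `WRONG_IP_CERT`, "full" rejects the connection with the hostname error while "certificate" accepts it, which is the behaviour the registration test in the thread shows; "certificate" still refuses an untrusted chain, and only "none" accepts one. Note that `load_default_certs()` on macOS reads OpenSSL's own store, not the keychain, which is the gap the issue is about.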
Nicogp commented Dec 31, 2024

Work update

2024/12/30

  • I started with the issue
  • I set up an environment with macOS sonoma
  • I tested the current changes and, as expected, validation is failing since, as on Windows, OpenSSL does not access the OS CA store by default.
    [Image: screenshot of the failing validation]

2025/01/02

  • I added a first version of the validation by consulting the macOS CA store.
  • I performed some tests for the agent registration case; so far the result is as expected (server configured with a certificate created with a wrong IP):
test@tests-Mac build % ./wazuh-agent --register-agent --user wazuh --password wazuh --url https://192.168.0.177:55000 --verification-mode full --config-file wazuh-agent.yml
Starting wazuh-agent registration
[2025-01-02 15:29:21.809] [wazuh-agent] [error] [ERROR] [https_socket_verify_utils_mac.cpp:104] [VerifyCertificate] The hostname does not match the certificate's SAN or CN.
[2025-01-02 15:29:21.809] [wazuh-agent] [error] [ERROR] [http_client.cpp:415] [PerformHttpRequestInternal] Error: Error connecting to host: certificate verify failed (SSL routines)
[2025-01-02 15:29:21.810] [wazuh-agent] [warning] [WARN] [http_client.cpp:334] [AuthenticateWithUserPassword] Error: 500.
Failed to authenticate with the manager
wazuh-agent registration failed
test@tests-Mac build % ./wazuh-agent --register-agent --user wazuh --password wazuh --url https://192.168.0.177:55000 --verification-mode certificate --config-file wazuh-agent.yml
Starting wazuh-agent registration
wazuh-agent registered

2025/01/03

  • I have done more tests.
  • I made some corrections.
  • Then I did more in-depth testing for both the registration case and the agent connection. Both have been satisfactory.
