Jan, Thanks for all your work in setting this up.

Could we discuss the OpenVAS/OpenSSL problem again? I can find several articles that claim we could legally build OpenVAS on any OS that shipped OpenSSL with the OS. The OpenSSL site says that "the major Linux and BSD distributions" ship with OpenSSL. Could we restrict ourselves to these distributions? Do we need to distribute binary packages?

Has anyone looked into the details of replacing OpenSSL with GNU/TLS? What OpenSSL functions are called? You said that the OpenSSL compatibility interface will not work. What work was done to test this?

As to whether we could ship OpenVAS without SSL: I think that there are two general uses of SSL:

1. As part of the process of gathering information from scanned systems.
2. To encrypt the communications between the server and the client.

I think we could forgo use 2 for V1.0. As for use 1, it all depends on what target systems we want V1.0 to scan. I assumed we would choose a small set of target systems (Windows, Debian, Web Server, RedHat, Solaris, MacOS, etc.) and ensure that we have both a solid server and a set of plugins that accurately probe these.

We cannot let the perfect stop us from producing the good. I think we need to determine who we want to target V1.0 of OpenVAS at. We are never going to get done if we try to have 13,000 plugins and a system to support them at initial release.

One of the targets for OpenVAS is for your company to have a tool that can be freely distributed to German companies. Could this be a reasonable starting point? So what systems are those companies running? I assume mostly Windows? Am I wrong? I think that once we say that we are scanning Windows systems for problems we will need to do a reasonably thorough job and keep doing it as new vulnerabilities develop. I think it will be better for the project to say "We don't scan Macs" than to sorta kinda scan them.

If these targets require SSL then we will have answered your question.

What are your thoughts?

Norm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jan-Oliver Wagner
Sent: Monday, March 12, 2007 4:41 PM
To: openvas-devel@wald.intevation.org
Subject: [Openvas-devel] Start: replacing OpenSSL by GNU/TLS

Hi,

after the infrastructure is back, I'd like to see the coding works re-start.

The major and most important task, IMHO, is to replace OpenSSL by GNU/TLS. There is no OpenSSL exception for the server part. It is therefore illegal to distribute binary packages. This should be motivation enough to help doing this job ;-)

Please speak up if you offer help (coding, testing, sponsoring coders, ...).

The initial tasks I see so far are:

- sync openvas-libraries with nessus-libraries
- clean up openvas-libraries (renaming etc)
- replace OpenSSL by OpenVAS (my tests last year showed that it will not be sufficient to apply the OpenSSL compatibility mode of GNU/TLS for openvas-server; probably this holds true for openvas-libraries as well).

One question occurred to me: Does it make sense at all to allow compilation without SSL? IMHO, SSL should be mandatory, but I'd be happy to stand corrected.

Best

Jan

--
Dr. Jan-Oliver Wagner
Intevation GmbH
Amtsgericht Osnabrück, HR B 18998
http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

_______________________________________________
Openvas-devel mailing list
Openvas-devel@wald.intevation.org
http://lists.wald.intevation.org/mailman/listinfo/openvas-devel