Norm,

On Tuesday 13 March 2007 03:05, Norm Donovan wrote:
> Could we discuss the OpenVAS/OpenSSL problem again?

of course :-)

> I can find several articles that claim we could legally build OpenVAS
> on any OS that shipped OpenSSL with the OS. The OpenSSL site says that
> "the major Linux and BSD distributions" ship with OpenSSL. Could we
> restrict ourselves to these distributions?

IMHO, we must also consider the interpretation of FSF and of Tenable.
FSF clearly says it is incompatible. I guess Tenable will insist on this
fact as well.

> Do we need to distribute binary packages?

Yes. For general take up, this is very important. Else OpenVAS cannot be
integrated into GNU/Linux distributions. Yes, I regard it illegal that
Nessus is currently integrated into Debian, SUSE, etc.

> Has anyone looked into the details of replacing OpenSSL with GNU/TLS? What
> OpenSSL functions are called? You said that the OpenSSL compatibility
> interface will not work. What work was done to test this?

In fact I simply tried it: I modified the configure and compilation
environment to use GNU/TLS instead of OpenSSL. I started to fix any
occurrence of compilation error and learned that many OpenSSL functions
are used that are not covered by the compatibility layer.

> As to whether we could ship OpenVAS without SSL. I think that there are
> two general uses of SSL: 1. As part of the process of gathering
> information from scanned systems. 2. To encrypt the communications between
> the server and the client. I think we could forgo use 2 for V1.0. As for
> use 1, it all depends on what target systems we want V1.0 to scan. I
> assumed we would choose a small set of target systems (Windows, Debian, Web
> Server, RedHat, Solaris, MacOS, etc) and ensure that we have both a solid
> server and a set of plugins that accurately probe these.

my hope is that for 1.0, both uses of SSL could be replaced. But you are
right, "2." is the part we should start with.

> We cannot let the perfect stop us from producing the good.

absolutely.

> I think we need to determine who we want to target V1.0 of OpenVAS at. We
> are never going to get done if we try to have 13,000 plugins and a system
> to support them at initial release. One of the targets for OpenVAS is for
> your company to have a tool that can be freely distributed to German
> companies. Could this be a reasonable starting point? So what systems are
> those companies running? I assume mostly Windows? Am I wrong? I think
> that once we say that we are scanning Windows systems for problems we will
> need to do a reasonably thorough job and keep doing it as new
> vulnerabilities develop. I think it will be better for the project to say
> "We don't scan Macs" than to sorta kinda scan them. If these targets
> require SSL then we will have answered your question.

I regard Windows as important targets. There are simply too many out there.

The plugin discussion is very important, but I would like to de-couple it
from the OpenVAS 1.0 release plan. For this release plan I actually only
see cleanup and OpenSSL replacement.

Last year some OpenVAS guys collected all plugins that could be regarded
clearly as GNU GPL. This would be a good start though I confess it is not
enterprise ready. Maybe another group could be formed to care about the
plugin strategy just like we did at the OpenVAS DevCon1.

Best

Jan

--
Dr. Jan-Oliver Wagner
Intevation GmbH
Amtsgericht Osnabrück, HR B 18998
http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

_______________________________________________
Openvas-devel mailing list
Openvas-devel@wald.intevation.org
http://lists.wald.intevation.org/mailman/listinfo/openvas-devel