Just to follow up on this, I am more certain that there is an issue with openvasmd. I tried to connect to the openvas scanner using gnutls-cli and I got a proper handshake:

|<2>| ASSERT: x509.c:1217
- The hostname in the certificate does NOT match '127.0.0.1'
|<2>| ASSERT: mpi.c:609
|<2>| ASSERT: dn.c:1209
- Peer's certificate is trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
- Simple Client Mode:

-------- Original Message --------
Subject: handshake problems openvas server and manager
From: Ali Khalfan <[email protected]>
To: [email protected]
Date: Mon Sep 24 2012 13:30:55 GMT+0300 (AST)

>
> I set up openvas scanner 3.3.1 on ubuntu 12.04.1 as well as the
> certificates according to the default standards
>
>
> I also set up openvas manager 3.0.3 and generated the default
> certificates. I started the openvas server but couldn't get the manager
> to connect to it. The log of openvasmd reports:
>
> lib serv:WARNING:2012-09-24 05h57.56 utc:3658: Failed to gnutls_bye:
> GnuTLS internal error.
>
> lib serv:WARNING:2012-09-24 05h58.16 utc:3661: openvas_server_connect:
> failed to shake hands with server: The TLS connection was non-properly
> terminated.
>
> lib serv:WARNING:2012-09-24 05h58.16 utc:3661: Failed to gnutls_bye:
> GnuTLS internal error.
>
>
> I decided to try out a connection from the manager on gnutls-serv on
> port 9393 and I got the following log from gnutls-serv which shows a
> handshake failure:
>
>
>
> * Accepted connection from IPv4 127.0.0.1 port 50757 on Mon Sep 24
> 11:38:24 2012
> |<2>| ASSERT: gnutls_constate.c:695
> |<4>| REC[0x934c8a0]: Allocating epoch #1
> |<4>| REC[0x934c8a0]: Expected Packet[0] Handshake(22) with length: 1
> |<4>| REC[0x934c8a0]: Received Packet[0] Handshake(22) with length: 108
> |<4>| REC[0x934c8a0]: Decrypted Packet[0] Handshake(22) with length: 108
> |<3>| HSK[0x934c8a0]: CLIENT HELLO was received [108 bytes]
> |<3>| HSK[0x934c8a0]: Client's version: 3.3
> |<2>| ASSERT: gnutls_db.c:326
> |<2>| ASSERT: gnutls_db.c:246
> |<2>| EXT[0x934c8a0]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes)
> |<2>| EXT[0x934c8a0]: Parsing extension 'SIGNATURE ALGORITHMS/13' (16 bytes)
> |<2>| EXT[SIGA]: rcvd signature algo (4.1) RSA-SHA256
> |<2>| EXT[SIGA]: rcvd signature algo (4.2) DSA-SHA256
> |<2>| EXT[SIGA]: rcvd signature algo (4.3) GOST R 34.10-94
> |<2>| EXT[SIGA]: rcvd signature algo (5.1) RSA-SHA384
> |<2>| EXT[SIGA]: rcvd signature algo (5.3) GOST R 34.10-94
> |<2>| EXT[SIGA]: rcvd signature algo (6.1) RSA-SHA512
> |<2>| EXT[SIGA]: rcvd signature algo (6.3) GOST R 34.10-94
> |<2>| ASSERT: gnutls_handshake.c:3348
> |<1>| Could not find an appropriate certificate: Insufficient
> credentials for that request.
> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_DSS_ARCFOUR_SHA1
> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_DSS_AES_128_CBC_SHA1
> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_DSS_AES_256_CBC_SHA1
> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_DSS_AES_128_CBC_SHA256
> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_DSS_AES_256_CBC_SHA256
> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_RSA_AES_128_CBC_SHA1
> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_RSA_AES_256_CBC_SHA1
> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_RSA_AES_128_CBC_SHA256
> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_RSA_AES_256_CBC_SHA256
> |<3>| HSK[0x934c8a0]: Removing ciphersuite: RSA_ARCFOUR_SHA1
> |<3>| HSK[0x934c8a0]: Removing ciphersuite: RSA_ARCFOUR_MD5
> |<3>| HSK[0x934c8a0]: Removing ciphersuite: RSA_3DES_EDE_CBC_SHA1
> |<3>| HSK[0x934c8a0]: Removing ciphersuite: RSA_AES_128_CBC_SHA1
> |<3>| HSK[0x934c8a0]: Removing ciphersuite: RSA_AES_256_CBC_SHA1
> |<3>| HSK[0x934c8a0]: Removing ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
> |<3>| HSK[0x934c8a0]: Removing ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
> |<3>| HSK[0x934c8a0]: Removing ciphersuite: RSA_AES_128_CBC_SHA256
> |<3>| HSK[0x934c8a0]: Removing ciphersuite: RSA_AES_256_CBC_SHA256
> |<2>| ASSERT: gnutls_handshake.c:921
> |<2>| ASSERT: gnutls_handshake.c:586
> |<2>| ASSERT: gnutls_handshake.c:2358
> |<2>| ASSERT: gnutls_handshake.c:2991
> Error in handshake
> Error: Could not negotiate a supported cipher suite.
> |<4>| REC: Sending Alert[2|40] - Handshake failed
> |<4>| REC[0x934c8a0]: Sending Packet[0] Alert(21) with length: 2
> |<4>| REC[0x934c8a0]: Sent Packet[1] Alert(21) with length: 7
> |<2>| ASSERT: gnutls_record.c:276
> |<4>| REC[0x934c8a0]: Epoch #0 freed
> |<4>| REC[0x934c8a0]: Epoch #1 freed
>
>
>
> With the simulated gnutls-serv openvasmd log shows a different
> handshake error, albeit still related to gnutls
>
>
> lib serv:WARNING:2012-09-24 08h31.48 utc:7430: Failed to gnutls_bye:
> GnuTLS internal error.
>
> lib serv:WARNING:2012-09-24 08h38.24 utc:7627: openvas_server_connect:
> failed to shake hands with server: A TLS fatal alert has been received.
>
> lib serv:WARNING:2012-09-24 08h38.24 utc:7627: Failed to gnutls_bye:
> GnuTLS internal error.
>
>
> It seems there is some sort of certificate issue between openvasmd and
> openvassd.
>

_______________________________________________
Openvas-discuss mailing list
[email protected]
http://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
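
Added example, not part of the original message and not OpenVAS or GnuTLS code: a small triage script for GnuTLS debug output in the format quoted above, which separates the first logged cause from the later "Could not negotiate a supported cipher suite" error. The sample log is constructed from lines of that format, and the names `triage` and `verdict` are this example's own.

```python
import re

# Constructed sample in the format of the gnutls-serv debug output quoted above.
SAMPLE_LOG = """\
|<3>| HSK[0x934c8a0]: CLIENT HELLO was received [108 bytes]
|<3>| HSK[0x934c8a0]: Client's version: 3.3
|<2>| EXT[SIGA]: rcvd signature algo (4.1) RSA-SHA256
|<1>| Could not find an appropriate certificate: Insufficient credentials for that request.
|<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x934c8a0]: Removing ciphersuite: RSA_AES_128_CBC_SHA1
Error: Could not negotiate a supported cipher suite.
|<4>| REC: Sending Alert[2|40] - Handshake failed
"""

LINE = re.compile(r"^(?:>\s*)*\|<(\d+)>\|\s*(.*)$")   # tolerates e-mail '>' quote markers
ALERT = re.compile(r"Sending Alert\[(\d+)\|(\d+)\]")  # [level|description]
KX = re.compile(r"^(DHE_DSS|DHE_RSA|RSA)_")           # key-exchange prefix of a suite name

def triage(log_text):
    """Collect what the client offered, what the server dropped, and the alert sent."""
    out = {"client_version": None, "sig_algs": [], "removed": [],
           "no_certificate": False, "alert": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # not a debug line (plain text or wrapped tail)
        msg = m.group(2)
        if "Client's version:" in msg:
            out["client_version"] = msg.split(":")[-1].strip()
        elif "rcvd signature algo" in msg:
            out["sig_algs"].append(msg.split(")", 1)[1].strip())
        elif "Removing ciphersuite:" in msg:
            out["removed"].append(msg.split(":")[-1].strip())
        elif "Could not find an appropriate certificate" in msg:
            out["no_certificate"] = True
        elif (a := ALERT.search(msg)):
            out["alert"] = (int(a.group(1)), int(a.group(2)))
    out["removed_kx"] = sorted({k.group(1) for s in out["removed"] if (k := KX.match(s))})
    return out

def verdict(t):
    """Name the earliest cause visible in the log rather than the last error printed."""
    if t["no_certificate"] and t["removed"] and t["alert"] == (2, 40):
        return "no usable server certificate; certificate-based suites dropped"
    if t["alert"]:
        return "handshake aborted with alert %d/%d" % t["alert"]
    return "no failure found"

if __name__ == "__main__":
    print(verdict(triage(SAMPLE_LOG)))
```

Alert `2|40` is a fatal `handshake_failure` in TLS numbering, and client version 3.3 is the wire version of TLS 1.2.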
