Not sure if anyone's following this mailing list,

but I think there's a problem in the openvas_server.c file under the
libraries, possibly in the gnutls_handshake part


  new_action.sa_handler = SIG_IGN;
  if (sigaction (SIGPIPE, &new_action, &original_action))
    return -1;
#endif

  while (1)
    {
      ret = gnutls_handshake (*server_session);
      if (ret >= 0)
        break;
      if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
        continue;
      g_warning ("%s: failed to shake hands with server: %s\n",
                 __FUNCTION__, gnutls_strerror (ret));
      if (shutdown (server_socket, SHUT_RDWR) == -1)

-------- Original Message --------
Subject: Re: handshake problems openvas server and manager
From: Ali Khalfan <[email protected]>
To: [email protected]
Date: Fri Sep 28 2012 20:07:41 GMT+0300 (AST)

> 
> Just to follow up on this, I am more certain that there is an issue
> with openvasmd. I tried to connect to the openvas scanner using
> gnutls-cli and I got a proper handshake:
> 
> |<2>| ASSERT: x509.c:1217
> - The hostname in the certificate does NOT match '127.0.0.1'
> |<2>| ASSERT: mpi.c:609
> |<2>| ASSERT: dn.c:1209
> - Peer's certificate is trusted
> - Version: TLS1.0
> - Key Exchange: RSA
> - Cipher: AES-128-CBC
> - MAC: SHA1
> - Compression: NULL
> - Handshake was completed
> 
> - Simple Client Mode:
> 
> -------- Original Message --------
> Subject: handshake problems openvas server and manager
> From: Ali Khalfan <[email protected]>
> To: [email protected]
> Date: Mon Sep 24 2012 13:30:55 GMT+0300 (AST)
> 
>>
>> I set up openvas scanner 3.3.1 on Ubuntu 12.04.1 as well as the
>> certificates, according to the default standards.
>>
>>
>> I also set up openvas manager 3.0.3 and generated the default
>> certificates.  I started the openvas server but couldn't get the manager
>> to connect to it.  The log of openvasmd reports:
>>
>> lib  serv:WARNING:2012-09-24 05h57.56 utc:3658:    Failed to gnutls_bye:
>> GnuTLS internal error.
>>
>> lib  serv:WARNING:2012-09-24 05h58.16 utc:3661: openvas_server_connect:
>> failed to shake hands with server: The TLS connection was non-properly
>> terminated.
>>
>> lib  serv:WARNING:2012-09-24 05h58.16 utc:3661:    Failed to gnutls_bye:
>> GnuTLS internal error.
>>
>>
>> I decided to try out a connection from the manager to gnutls-serv on
>> port 9393, and I got the following log from gnutls-serv, which shows a
>> handshake failure:
>>
>>
>>
>> * Accepted connection from IPv4 127.0.0.1 port 50757 on Mon Sep 24
>> 11:38:24 2012
>> |<2>| ASSERT: gnutls_constate.c:695
>> |<4>| REC[0x934c8a0]: Allocating epoch #1
>> |<4>| REC[0x934c8a0]: Expected Packet[0] Handshake(22) with length: 1
>> |<4>| REC[0x934c8a0]: Received Packet[0] Handshake(22) with length: 108
>> |<4>| REC[0x934c8a0]: Decrypted Packet[0] Handshake(22) with length: 108
>> |<3>| HSK[0x934c8a0]: CLIENT HELLO was received [108 bytes]
>> |<3>| HSK[0x934c8a0]: Client's version: 3.3
>> |<2>| ASSERT: gnutls_db.c:326
>> |<2>| ASSERT: gnutls_db.c:246
>> |<2>| EXT[0x934c8a0]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes)
>> |<2>| EXT[0x934c8a0]: Parsing extension 'SIGNATURE ALGORITHMS/13' (16 bytes)
>> |<2>| EXT[SIGA]: rcvd signature algo (4.1) RSA-SHA256
>> |<2>| EXT[SIGA]: rcvd signature algo (4.2) DSA-SHA256
>> |<2>| EXT[SIGA]: rcvd signature algo (4.3) GOST R 34.10-94
>> |<2>| EXT[SIGA]: rcvd signature algo (5.1) RSA-SHA384
>> |<2>| EXT[SIGA]: rcvd signature algo (5.3) GOST R 34.10-94
>> |<2>| EXT[SIGA]: rcvd signature algo (6.1) RSA-SHA512
>> |<2>| EXT[SIGA]: rcvd signature algo (6.3) GOST R 34.10-94
>> |<2>| ASSERT: gnutls_handshake.c:3348
>> |<1>| Could not find an appropriate certificate: Insufficient
>> credentials for that request.
>> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_DSS_ARCFOUR_SHA1
>> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
>> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_DSS_AES_128_CBC_SHA1
>> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_DSS_AES_256_CBC_SHA1
>> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
>> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
>> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_DSS_AES_128_CBC_SHA256
>> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_DSS_AES_256_CBC_SHA256
>> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
>> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_RSA_AES_128_CBC_SHA1
>> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_RSA_AES_256_CBC_SHA1
>> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
>> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
>> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_RSA_AES_128_CBC_SHA256
>> |<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_RSA_AES_256_CBC_SHA256
>> |<3>| HSK[0x934c8a0]: Removing ciphersuite: RSA_ARCFOUR_SHA1
>> |<3>| HSK[0x934c8a0]: Removing ciphersuite: RSA_ARCFOUR_MD5
>> |<3>| HSK[0x934c8a0]: Removing ciphersuite: RSA_3DES_EDE_CBC_SHA1
>> |<3>| HSK[0x934c8a0]: Removing ciphersuite: RSA_AES_128_CBC_SHA1
>> |<3>| HSK[0x934c8a0]: Removing ciphersuite: RSA_AES_256_CBC_SHA1
>> |<3>| HSK[0x934c8a0]: Removing ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
>> |<3>| HSK[0x934c8a0]: Removing ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
>> |<3>| HSK[0x934c8a0]: Removing ciphersuite: RSA_AES_128_CBC_SHA256
>> |<3>| HSK[0x934c8a0]: Removing ciphersuite: RSA_AES_256_CBC_SHA256
>> |<2>| ASSERT: gnutls_handshake.c:921
>> |<2>| ASSERT: gnutls_handshake.c:586
>> |<2>| ASSERT: gnutls_handshake.c:2358
>> |<2>| ASSERT: gnutls_handshake.c:2991
>> Error in handshake
>> Error: Could not negotiate a supported cipher suite.
>> |<4>| REC: Sending Alert[2|40] - Handshake failed
>> |<4>| REC[0x934c8a0]: Sending Packet[0] Alert(21) with length: 2
>> |<4>| REC[0x934c8a0]: Sent Packet[1] Alert(21) with length: 7
>> |<2>| ASSERT: gnutls_record.c:276
>> |<4>| REC[0x934c8a0]: Epoch #0 freed
>> |<4>| REC[0x934c8a0]: Epoch #1 freed
>>
>>
>>
>> With the simulated gnutls-serv, the openvasmd log shows a different
>> handshake error, albeit still related to gnutls:
>>
>>
>> lib  serv:WARNING:2012-09-24 08h31.48 utc:7430:    Failed to gnutls_bye:
>> GnuTLS internal error.
>>
>> lib  serv:WARNING:2012-09-24 08h38.24 utc:7627: openvas_server_connect:
>> failed to shake hands with server: A TLS fatal alert has been received.
>>
>> lib  serv:WARNING:2012-09-24 08h38.24 utc:7627:    Failed to gnutls_bye:
>> GnuTLS internal error.
>>
>>
>> It seems there is some sort of certificate issue between openvasmd and
>> openvassd.
>>
>>
_______________________________________________
Openvas-discuss mailing list
[email protected]
http://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
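To read a gnutls-serv debug capture like the one quoted in this thread without eyeballing it, here is a small triage script (an added example, not code from the thread, from OpenVAS or from GnuTLS). The sample log is a constructed, abridged copy of the quoted output; the unwrap step handles the mail-client line wrapping visible in the `|<1>|` record, and the verdict distinguishes "the server has no usable certificate" from a plain cipher-list mismatch.

```python
import re
# Constructed, abridged copy of the gnutls-serv debug log quoted above (mail-wrapped |<1>| line kept).
SAMPLE_LOG = """\
|<2>| EXT[SIGA]: rcvd signature algo (4.1) RSA-SHA256
|<2>| EXT[SIGA]: rcvd signature algo (4.2) DSA-SHA256
|<1>| Could not find an appropriate certificate: Insufficient
credentials for that request.
|<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x934c8a0]: Removing ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x934c8a0]: Removing ciphersuite: RSA_AES_128_CBC_SHA1
Error: Could not negotiate a supported cipher suite.
|<4>| REC: Sending Alert[2|40] - Handshake failed
"""
SIGALG_RE = re.compile(r"rcvd signature algo \(\d+\.\d+\) (.+)$")
REMOVED_RE = re.compile(r"Removing ciphersuite: (\S+)")
ALERT_RE = re.compile(r"Sending Alert\[(\d+)\|(\d+)\] - (.+)$")
FATAL_RE = re.compile(r"^\|<1>\| (.+)$")

def unwrap(lines):
    """Re-join mail-wrapped records: a record starts with '|<n>|', 'Error' or '*'."""
    out = []
    for line in lines:
        if out and not line.startswith(("|<", "Error", "*")):
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def triage_handshake(log):
    """Extract the facts that decide a gnutls-serv handshake failure."""
    report = {"signature_algos": [], "fatal": None, "removed_by_kx": {}, "alert": None}
    for rec in unwrap(log.splitlines()):
        if m := SIGALG_RE.search(rec):
            report["signature_algos"].append(m.group(1))
        elif m := REMOVED_RE.search(rec):
            suite = m.group(1)  # key exchange is the first one or two tokens, e.g. DHE_RSA
            kx = "_".join(suite.split("_")[:2 if suite.startswith("DHE_") else 1])
            report["removed_by_kx"].setdefault(kx, []).append(suite)
        elif m := FATAL_RE.match(rec):
            report["fatal"] = m.group(1)
        elif m := ALERT_RE.search(rec):
            report["alert"] = (int(m.group(1)), int(m.group(2)), m.group(3))
    return report

def verdict(report):
    """Credential error plus every suite dropped points at the server's cert/key, not the cipher list."""
    if report["fatal"] and "certificate" in report["fatal"] and report["removed_by_kx"]:
        return "server credentials: dropped " + ", ".join(sorted(report["removed_by_kx"]))
    if report["alert"] and report["alert"][1] == 40:
        return "handshake_failure (alert 40) with no credential error: check the priority string"
    return "no handshake failure found"
```

Run `verdict(triage_handshake(open("gnutls-serv.log").read()))` on a real capture; on the quoted log every DHE_DSS, DHE_RSA and RSA suite is dropped right after the credential error, so the fix belongs on the server's certificate and key, not in the manager's cipher list.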