On 25.05.2014 10:48, Hani Benhabiles wrote:
> On 2014-05-25 0:33, Reindl Harald wrote:
>> On 25.05.2014 01:12, Hani Benhabiles wrote:
>>> On 2014-05-23 21:13, Jason Garin wrote:
>>>> Is there a way to disable weak ciphers used by gsad and openvasmd?
>>>
>>> Yes, see --gnutls-priorities and --dh-params cli arguments
>>
>> may i ask why there are no sane defaults and if you are aware
>> that many browsers not supporting DHE ciphers while OpenVAS
>> at least in V6 not supports ECDHE
>>
>> normally if a software scans other machines and services
>> for PCI compliance the minimum is that itself is PCI
>> compliant at the same time - practice what you preach
>
> For PFS support (using DH based algorithms) in GSA, the recently released
> libmicrohttpd 0.9.35 is required to be
> able to specify Diffie-Hellman parameters.
>
> For ECDHE and ECDSA, GnuTLS 3.x is needed. GnuTLS 2.x doesn't support those
> (but you can add PFS support with
> DHE-RSA which is supported in 2.x)
>
> IANAL, but the issue with GnuTLS seems to be a "GPLv2 only" problem (that was
> solved recently? [1]) but I can't
> provide advice on this matter ;)

oh yeah the libmicrohttp / gnutls hell and openvas again that wasted
a year of my lifetime trying to get openvas running on a recent
operating system and now the same crap on a LTS distribution can't
provide state of the art encryption

the decision to replace openssl by gnutls was plain wrong!
_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
