On 2014-05-25 16:41, Reindl Harald wrote:
> On 25.05.2014 12:51, Michael Meyer wrote:
>> *** Reindl Harald wrote:
>>> On 25.05.2014 12:38, Michael Meyer wrote:
>>>> *** Reindl Harald wrote:
>>>>> and pretty sure also can't test modern ciphers
>>>>> on target systems using whatever software with OpenSSL
>>>> Pretty sure isn't the same as knowing. You are again wrong.
>>> how are you doing that if your own library does not support
>>> it?
>> We just don't use a library for the cipher check. See
>> secpod_ssl_ciphers.inc to understand how it works.
> the cipher check itself is only one piece
> scanning a website offering only PFS and forcing encryption
> is just impossible because you can't get any http-connection
> to try attacks against the web application behind
> i have two internal sites here only allowing DHE/ECDHE because
> they are not publicly reachable, which does not mean securing them
> internally doesn't matter
As I stated earlier:
DHE ===> Only GnuTLS 2.x is required (+ --dh-params, for the server
daemons.)
ECDHE/ECDSA ===> Link against GnuTLS 3.x. That's it.
GSAD by default is picking TLS_ECDHE_RSA_WITH_AES_128_GCM_256 with my
fully updated Firefox. You are free to use --gnutls-priorities to
customize the supported ciphersuites list.
Whether the whole licensing stuff is solved (as Debian folks say) or
not is neither my domain of expertise nor something I would feel safe
giving advice about. But as of today, the issue is not in OpenVAS' code.
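
The library-free cipher check mentioned in the thread ("We just don't use a library for the cipher check") can be sketched as follows: hand-build a ClientHello that offers exactly one suite and classify the first record the server sends back. This is an added example, not code from the original message or from OpenVAS's secpod_ssl_ciphers.inc. The function names, the all-zero client random, the chosen extensions and the sample replies are assumptions made for illustration.

```python
import socket
import struct

# Extensions a server typically needs before it will pick an ECDHE suite:
# supported_groups (secp256r1) and ec_point_formats (uncompressed).
EXTENSIONS = bytes.fromhex("000a000400020017" "000b00020100")

def client_hello(suite, version=(3, 3)):
    """TLS record with a ClientHello that offers exactly one cipher suite."""
    body = bytes(version) + bytes(32)        # client_version + random (all zeros: probe only)
    body += b"\x00"                          # empty session_id
    body += struct.pack(">HH", 2, suite)     # cipher_suites: 2 bytes long, one entry
    body += b"\x01\x00"                      # compression_methods: null
    body += struct.pack(">H", len(EXTENSIONS)) + EXTENSIONS
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def parse_reply(data):
    """Classify the first record of the reply: ('accepted', suite) or ('rejected', alert)."""
    if len(data) < 7:
        raise ValueError("short reply")
    ctype, length = data[0], struct.unpack(">H", data[3:5])[0]
    frag = data[5:5 + length]
    if ctype == 0x15:                        # alert record: level, description
        return ("rejected", frag[1])
    if ctype == 0x16 and frag[0] == 0x02:    # handshake record carrying a ServerHello
        sid_len = frag[38]                   # after type(1) len(3) version(2) random(32)
        return ("accepted", struct.unpack(">H", frag[39 + sid_len:41 + sid_len])[0])
    raise ValueError("unexpected record")

def probe(host, port, suite, timeout=5.0):
    """Offer one suite to host:port and classify the reply; no TLS library involved."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello(suite))
        data = b""
        while len(data) < 5 or len(data) < 5 + struct.unpack(">H", data[3:5])[0]:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_reply(data)

# Constructed sample replies (not captured traffic): a ServerHello choosing 0xC02F
# (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) and a fatal handshake_failure alert (40).
_hello = b"\x02\x00\x00\x26" + b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
SAMPLE_ACCEPT = b"\x16\x03\x03" + struct.pack(">H", len(_hello)) + _hello
SAMPLE_REJECT = b"\x15\x03\x03\x00\x02\x02\x28"
```

Because the probe never completes the handshake, it reports which suites the server will negotiate regardless of what the scanner's own TLS library supports; fetching HTTP content over such a connection still needs a library that implements the suite.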