On 26.05.2014 12:14, Hani Benhabiles wrote:
> On 2014-05-25 16:41, Reindl Harald wrote:
>> On 25.05.2014 12:51, Michael Meyer wrote:
>>> *** Reindl Harald wrote:
>>>> On 25.05.2014 12:38, Michael Meyer wrote:
>>>>> *** Reindl Harald wrote:
>>>>>
>>>>>> and pretty sure also can't test modern ciphers
>>>>>> on target systems using whatever software with OpenSSL
>>>>>
>>>>> Pretty sure isn't the same as knowing. You are again wrong
>>>>
>>>> how are you doing that if your own library does not support
>>>> it?
>>>
>>> We just don't use a library for the cipher check. See
>>> secpod_ssl_ciphers.inc to understand how it works.
>>
>> the cipher check itself is only one piece
>>
>> scanning a website offering only PFS and forcing encryption
>> is just impossible because you can't get any http-connection
>> to try attacks against the web application behind
>>
>> i have two internal sites here only allowing DHE/ECDHE because
>> they are not publicly reachable which does not mean securing them
>> internally doesn't matter
>
> As I stated earlier:
>
> DHE ===> Only GnuTLS 2.x is required (+ --dh-params, for the server daemons.)
>
> ECDHE/ECDSA ===> Link against GnuTLS 3.x. That's it

you hardly can do that on package-management-driven systems
and the reason for switching to CentOS *was GNUTLS* because it
was impossible to get GSAD running on Fedora with recent
GnuTLS/libmicrohttp the whole year 2012

[root@openvas:~]$ rpm -q gnutls
gnutls-2.8.5-13.el6_5.x86_64

[root@openvas:~]$ cat /etc/redhat-release
CentOS release 6.5 (Final)

> GSAD by default is picking TLS_ECDHE_RSA_WITH_AES_128_GCM_256 with
> my fully updated FireFox.

impossible on most systems as explained above

> You are free to use --gnutls-priorities to customize
> the supported ciphersuites list

and why OpenVas 6 / GSA 4 are not doing that as default?
Firefox is using AES128-CBC-SHA1 here and modifying the sysvinit
script is a damned bad idea because it gets overwritten at
every update

_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
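
One way a cipher check can work without linking a TLS library, as the thread mentions: hand-build a ClientHello that offers a single suite and read the server's first record. This is an added example, not part of the thread and not OpenVAS code; the function names and the sample server replies are constructed for illustration.

```python
import struct

# IANA code points for two suites of the kind discussed in the thread
ECDHE_RSA_AES128_GCM_SHA256 = 0xC02F
DHE_RSA_AES128_CBC_SHA = 0x0033

# supported_groups (secp256r1) + ec_point_formats (uncompressed), needed for ECDHE
EC_EXTENSIONS = bytes.fromhex("000a000400020017" "000b00020100")

def build_client_hello(suite, version=(3, 3)):
    """TLS record carrying a ClientHello that offers exactly one cipher suite."""
    body = bytes(version)                      # client_version (3,3 = TLS 1.2)
    body += bytes(32)                          # random; zeros are fine for a probe
    body += b"\x00"                            # empty session_id
    body += struct.pack("!HH", 2, suite)       # cipher_suites: 2 bytes, one entry
    body += b"\x01\x00"                        # compression_methods: null only
    body += struct.pack("!H", len(EC_EXTENSIONS)) + EC_EXTENSIONS
    hs = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def classify_reply(data, suite):
    """Map the server's first record to 'accepted', 'rejected' or 'unknown'."""
    if len(data) < 5:
        return "unknown"
    rtype, length = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if rtype == 0x15 and len(payload) >= 2:    # alert, e.g. handshake_failure (40)
        return "rejected"
    if rtype == 0x16 and len(payload) >= 39 and payload[0] == 0x02:  # ServerHello
        off = 39 + payload[38]                 # skip header, version, random, session_id
        if len(payload) >= off + 2:
            chosen = struct.unpack("!H", payload[off:off + 2])[0]
            return "accepted" if chosen == suite else "unknown"
    return "unknown"

def sample_server_hello(suite):
    """Constructed ServerHello record selecting `suite` (test data, not a capture)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

# Constructed alert record: level fatal (2), description handshake_failure (40)
SAMPLE_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"

if __name__ == "__main__":
    hello = build_client_hello(ECDHE_RSA_AES128_GCM_SHA256)
    print(len(hello), classify_reply(SAMPLE_ALERT, ECDHE_RSA_AES128_GCM_SHA256))
```

Because the probe only needs the first server record, the scanner's own TLS library never has to implement the suite being tested; completing a handshake and speaking HTTP over it is a separate requirement.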
