On 2014-05-26 11:39, Reindl Harald wrote:
On 26.05.2014 12:14, Hani Benhabiles wrote:
On 2014-05-25 16:41, Reindl Harald wrote:
On 25.05.2014 12:51, Michael Meyer wrote:
*** Reindl Harald wrote:
On 25.05.2014 12:38, Michael Meyer wrote:
*** Reindl Harald wrote:

and pretty sure also can't test modern ciphers
on target systems using whatever software with OpenSSL

Pretty sure isn't the same as knowing. You are again wrong.

how are you doing that if your own library does not support
it?

We just don't use a library for the cipher check. See
secpod_ssl_ciphers.inc to understand how it works.

the cipher check itself is only one piece

scanning a website offering only PFS and forcing encryption
is just impossible because you can't get any HTTP connection
to try attacks against the web application behind it

I have two internal sites here only allowing DHE/ECDHE; that
they are not publicly reachable does not mean securing them
internally doesn't matter

As I stated earlier:

DHE ===> Only GnuTLS 2.x is required (+ --dh-params, for the server daemons.)

ECDHE/ECDSA ===> Link against GnuTLS 3.x. That's it

you hardly can do that on package-management-driven systems,
and the reason for switching to CentOS *was GnuTLS*, because it
was impossible to get GSAD running on Fedora with recent
GnuTLS/libmicrohttpd the whole year 2012

[root@openvas:~]$ rpm -q gnutls
gnutls-2.8.5-13.el6_5.x86_64

[root@openvas:~]$ cat /etc/redhat-release
CentOS release 6.5 (Final)

GSAD by default is picking TLS_ECDHE_RSA_WITH_AES_128_GCM_256 with
my fully updated Firefox.

impossible on most systems as explained above

You are free to use --gnutls-priorities to customize
the supported ciphersuites list

and why are OpenVAS 6 / GSA 4 not doing that by default?

Firefox is using AES128-CBC-SHA1 here, and modifying the sysvinit script
is a damned bad idea because it gets overwritten at every update



ECDHE *is* the default when using GnuTLS 3 (with a sane browser/client), and everything is solved/backported in OpenVAS (6, 7, trunk) as of today.

Distributions' packaging issues (I saw it recently hit Debian SID, FWIW) and being stuck with GnuTLS 2.x for a long time (due to licensing, AFAICT) are another matter.
_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
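The thread's point that the cipher check does not depend on the scanner's own TLS library (secpod_ssl_ciphers.inc is mentioned but not shown) can be illustrated with a hand-built probe. The code below is an added example for this page, not code from OpenVAS, GSAD or the .inc file: it assembles a raw TLS 1.2 ClientHello offering one cipher suite at a time and reads the cipher the server picks from its ServerHello, so a host built against GnuTLS 2.x can still check whether a target accepts ECDHE/DHE suites. The record layout follows RFC 5246; the suite table, the sample ServerHello and Alert bytes, and the `probe()` host/port arguments are constructed for the example.

```python
"""Probe which TLS cipher suites a remote server will negotiate, independent
of what the local TLS library supports.  Added example; not project code."""
import socket
import struct

# IANA suite IDs.  These are the families the thread's GnuTLS priority
# keywords (ECDHE-RSA, DHE-RSA) refer to, plus one non-PFS RSA suite.
SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xC030,
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": 0x009E,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002F,
}
NAME_BY_ID = {v: k for k, v in SUITES.items()}


def build_client_hello(suite_ids, server_name=None):
    """TLS 1.2 ClientHello offering exactly `suite_ids`, with the SNI,
    supported_groups, ec_point_formats and signature_algorithms extensions
    a server needs before it will agree to an ECDHE suite."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"  # version, random, empty session id
    suites = b"".join(struct.pack(">H", s) for s in suite_ids)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                            # one compression method: null
    exts = b""
    if server_name:
        name = server_name.encode()
        sni = b"\x00" + struct.pack(">H", len(name)) + name
        sni_list = struct.pack(">H", len(sni)) + sni
        exts += struct.pack(">HH", 0x0000, len(sni_list)) + sni_list
    groups = struct.pack(">HH", 0x0017, 0x001D)    # secp256r1, x25519
    exts += struct.pack(">HHH", 0x000A, len(groups) + 2, len(groups)) + groups
    exts += struct.pack(">HH", 0x000B, 2) + b"\x01\x00"  # uncompressed points only
    sigalgs = struct.pack(">HH", 0x0401, 0x0403)   # rsa_pkcs1_sha256, ecdsa_sha256
    exts += struct.pack(">HHH", 0x000D, len(sigalgs) + 2, len(sigalgs)) + sigalgs
    body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_server_response(record):
    """Return (chosen_suite_id, None) for a ServerHello, or (None, alert_code)
    when the server refused with an Alert (40 = handshake_failure)."""
    if len(record) < 5:
        raise ValueError("short record")
    content_type, rec_len = record[0], struct.unpack(">H", record[3:5])[0]
    payload = record[5:5 + rec_len]
    if content_type == 0x15 and len(payload) >= 2:
        return None, payload[1]
    if content_type != 0x16 or not payload or payload[0] != 0x02:
        raise ValueError("not a ServerHello")
    # handshake header(4) + version(2) + random(32) -> session_id length at 38
    off = 39 + payload[38]
    return struct.unpack(">H", payload[off:off + 2])[0], None


def _read_record(sock):
    """Read one complete TLS record (header plus body) from the socket."""
    def read_exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("peer closed the connection")
            buf += chunk
        return buf
    hdr = read_exact(5)
    return hdr + read_exact(struct.unpack(">H", hdr[3:5])[0])


def probe(host, port, suite_ids, timeout=5.0):
    """Offer each suite alone; True means the server selected it."""
    results = {}
    for sid in suite_ids:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello([sid], server_name=host))
            chosen, _alert = parse_server_response(_read_record(s))
        results[NAME_BY_ID.get(sid, hex(sid))] = chosen == sid
    return results


# Constructed sample records for offline checking: a ServerHello selecting
# 0xC02F with an empty session id and no extensions, and a fatal alert 40.
SAMPLE_SERVER_HELLO = (
    b"\x16\x03\x03" + struct.pack(">H", 42)
    + b"\x02" + (38).to_bytes(3, "big")
    + b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
)
SAMPLE_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"

if __name__ == "__main__":
    # Usage against a real host (example.test is a placeholder):
    # print(probe("example.test", 443, SUITES.values()))
    print(parse_server_response(SAMPLE_SERVER_HELLO))
```

Offering one suite per connection is what makes the result unambiguous: a ServerHello naming that suite is acceptance, an Alert 40 is refusal. The probe only establishes what the server is willing to negotiate; it does not complete the handshake, so it says nothing about the certificate, the DH parameter size or the curve actually chosen.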
