On 2014-05-26 12:07, Reindl Harald wrote:
Am 26.05.2014 12:42, schrieb Hani Benhabiles:
On 2014-05-26 11:39, Reindl Harald wrote:
ECDHE/ECDSA ===> Link against GnuTLS 3.x. That's it
you hardly can do that on package-management driven systems,
and the reason for switching to CentOS *was GNUTLS*, because it
was impossible to get GSAD running on Fedora with recent
GnuTLS/libmicrohttpd the whole of 2012
[root@openvas:~]$ rpm -q gnutls
gnutls-2.8.5-13.el6_5.x86_64
[root@openvas:~]$ cat /etc/redhat-release
CentOS release 6.5 (Final)
GSAD by default is picking TLS_ECDHE_RSA_WITH_AES_128_GCM_256 with
my fully updated Firefox.
impossible on most systems as explained above
You are free to use --gnutls-priorities to customize
the supported ciphersuites list
and why are OpenVAS 6 / GSA 4 not doing that by default?
Firefox is using AES128-CBC-SHA1 here, and modifying the sysvinit
script is a damned bad idea because it gets overwritten at every
update
ECDHE *is* default when using GnuTLS 3 (with a sane browser/client).
and everything is solved/backported in OpenVAS (6, 7, trunk) as of
today.
and why is DHE not default with GnuTLS 2?
Because there is no such thing as "default" DH parameters to be used
for DHE by the server, neither with GnuTLS 2.x nor with GnuTLS 3.x.
Don't trust me?
- Check openssl s_server's -dhparam
- Check gnutls's --dhparams
- Check nginx' ssl_dhparam configuration
- Check openvpn's --dh
etc.
OpenVAS is compatible with both GnuTLS 2 and 3. The library version
provided by a particular distribution release is outside the project's
scope.
_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
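The point made at the end of the thread, that a TLS server has no built-in DH group and the operator has to generate and supply one, is worth seeing in working code. The following is an added example, not code from OpenVAS, gsad or GnuTLS: it encodes and decodes the PKCS#3 "DH PARAMETERS" PEM format that `certtool --generate-dh-params` and `openssl dhparam` both write, and then applies the checks an operator should run before pointing a server at such a file (minimum size, p prime, p a safe prime so no small subgroups exist, generator in range). The safe-prime generator with a fixed seed and the 256-bit size are demo-only choices so the example runs in a second or two; they are not how production parameters should be produced, and the `min_bits` default of 2048 is an assumed local policy, not a value taken from any of the projects named in the thread.

```python
"""Validate a PKCS#3 "DH PARAMETERS" file before handing it to a TLS server.

Added example (not OpenVAS/gsad/GnuTLS code). Real parameters come from
`certtool --generate-dh-params --sec-param high --outfile dh.pem` or
`openssl dhparam -out dh.pem 2048`; the generator below is demo-only.
"""
import base64
import random
import re

# Odd primes below 2000, used for cheap trial division before Miller-Rabin.
SMALL_PRIMES = [n for n in range(3, 2000, 2)
                if all(n % d for d in range(3, int(n ** 0.5) + 1, 2))]


def is_probable_prime(n: int, rounds: int = 32, rng=None) -> bool:
    """Trial division by SMALL_PRIMES, then Miller-Rabin with `rounds` random bases."""
    if n < 2:
        return False
    if n == 2:
        return True
    if n % 2 == 0:
        return False
    for s in SMALL_PRIMES:
        if n == s:
            return True
        if n % s == 0:
            return False
    rng = rng or random.SystemRandom()
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # composite witness found
    return True


def generate_safe_prime(bits: int, rng) -> int:
    """Demo-only: find p = 2q + 1 with q and p both prime (the form the real tools produce)."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, exactly bits-1 bits
        p = 2 * q + 1                                            # exactly `bits` bits
        if any(q % s == 0 or p % s == 0 for s in SMALL_PRIMES):  # sieve both cheaply first
            continue
        if is_probable_prime(q, rounds=16, rng=rng) and is_probable_prime(p, rounds=16, rng=rng):
            return p


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")   # +8 keeps a 0x00 pad when the top bit is set
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params(p: int, g: int) -> str:
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }, PEM-armoured."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _der_read(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_dh_params(pem: str):
    """Parse a DH PARAMETERS PEM block into (p, g); an optional trailing privateValueLength is ignored."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, end = _der_read(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag_p, p_bytes, pos = _der_read(seq, 0)
    tag_g, g_bytes, _ = _der_read(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def validate_dh_params(pem: str, min_bits: int = 2048) -> list:
    """Return the list of policy violations; an empty list means the group is acceptable."""
    p, g = decode_dh_params(pem)
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"prime is {p.bit_length()} bits, policy requires >= {min_bits}")
    if not is_probable_prime(p):
        problems.append("p is not prime")
    elif not is_probable_prime((p - 1) // 2):
        problems.append("p is not a safe prime ((p-1)/2 is composite): small subgroups exist")
    if not 1 < g < p - 1:
        problems.append("generator out of range")
    return problems


def demo():
    rng = random.Random(2014)                 # fixed seed: demo only, never for real parameters
    p = generate_safe_prime(256, rng)         # demo size; deployments want 2048 bits or more
    pem = encode_dh_params(p, 2)
    return pem, validate_dh_params(pem, min_bits=256), validate_dh_params(pem)


if __name__ == "__main__":
    pem, demo_ok, policy_2048 = demo()
    print(pem)
    print("demo policy:", demo_ok or "ok")
    print("2048-bit policy:", policy_2048)
```

Run it and the constructed 256-bit group passes the demo policy but is rejected under the 2048-bit one, which is exactly the situation of an old 1024-bit `dh.pem` still referenced by a server configuration. For a file produced by the real tools, `openssl dhparam -in dh.pem -check -text` performs the same safe-prime and generator checks; what neither tool nor this script can do is supply the group for you, which is why the server option has to be set explicitly.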