On 22.10.2015 at 09:58, Jan-Oliver Wagner wrote:
On Tuesday, 20 October 2015, Reindl Harald wrote:
On 20.10.2015 at 14:15, Eero Volotinen wrote:
You need to configure gnutls-priority string for each daemon, now you
just configured it for gsad (greenbone security assistant)

the main question remains why a vulnerability scanner complaining about
other services does not at least start with secure defaults itself without
user intervention

The local TLS installation defines the default regarded as secure.
Overriding it by default by an application just creates other
types of unwanted/surprising circumstances.

For example a system or a system administrator might have decided to
define an even stricter global /etc/gnutls/default-priorities.
Then OpenVAS might silently downgrade the chosen security level
if we set it to some value.

I agree that either way (not using system default by default and using
system default by default) shows disadvantages.
But calling it "pervert" because we honor system default by default seems
inadequate to me

system TLS defaults are mostly never up-to-date and hence anybody who does not properly configure a webserver and verify it against https://www.ssllabs.com/ssltest/ is doing things wrong

that's fine for a hobby administrator but not a piece of software having the same goal as ssllabs

eat your own dogfood!

that something is going wrong in that context also showed last year many months after heartbleed www.openvas.org was still vulnerable and the excuse was "some hobby administrator donated the hosting" which is no excuse at all - frankly I expect at least own domains are audited by the developers as well as their own software

here you go as example with a httpd and RSA certificates

SSLProtocol All -SSLv2 -SSLv3
SSLFIPS Off
SSLCompression Off
SSLInsecureRenegotiation Off
SSLSessionTickets Off
SSLVerifyClient  none
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM

_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
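The cipher string posted above is the kind of setting the thread says should be verified rather than trusted. The script below is an added example, not code from the post or from the OpenVAS project: it parses an Apache/OpenSSL-style SSLCipherSuite value offline, classifies each suite by its name (forward secrecy, AEAD vs. CBC/HMAC, 3DES), derives a hardened list, and simulates what SSLHonorCipherOrder changes during negotiation. SAMPLE_CIPHERSUITE is the value from the post; CLIENT_OFFER is a constructed client hello list. Classification is by OpenSSL cipher name only, so it does not depend on which suites the local OpenSSL build enables.

```python
"""Offline audit of an Apache-style SSLCipherSuite string (added example)."""

# Sample input: the SSLCipherSuite value from the post above, verbatim.
SAMPLE_CIPHERSUITE = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:"
    "DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:"
    "CAMELLIA128-SHA:CAMELLIA256-SHA:"
    "ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM"
)

# Constructed client offer (not from the post): a client that lists a
# non-forward-secret suite first, as older clients commonly did.
CLIENT_OFFER = ["AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384", "DES-CBC3-SHA"]


def split_cipher_string(spec):
    """Split an OpenSSL cipher string into (suite_names, modifiers).

    Suite names contain a '-' (AES128-SHA); bare group keywords such as
    HIGH or aNULL and tokens prefixed with !, -, + or @ are modifiers.
    """
    suites, modifiers = [], []
    for token in spec.split(":"):
        token = token.strip()
        if not token:
            continue
        if token[0] in "!-+@" or "-" not in token:
            modifiers.append(token)
        else:
            suites.append(token)
    return suites, modifiers


def classify(suite):
    """Describe one suite from its OpenSSL name; 'issues' is empty only for
    a forward-secret AEAD suite."""
    forward_secrecy = suite.startswith(("ECDHE-", "DHE-"))
    aead = "-GCM-" in suite or "CHACHA20" in suite or "-CCM" in suite
    if "DES-CBC3" in suite:
        cipher = "3DES"
    elif "CAMELLIA" in suite:
        cipher = "Camellia"
    elif "AES" in suite:
        cipher = "AES"
    else:
        cipher = "other"
    issues = []
    if not forward_secrecy:
        issues.append("no-forward-secrecy")   # static RSA key exchange
    if cipher == "3DES":
        issues.append("3des")                 # 64-bit block cipher
    if not aead:
        issues.append("cbc-hmac")             # legacy CBC + HMAC construction
    return {"suite": suite, "forward_secrecy": forward_secrecy,
            "aead": aead, "cipher": cipher, "issues": issues}


def audit(spec):
    """Summarise a whole cipher string: counts, weak suites and caveats."""
    suites, modifiers = split_cipher_string(spec)
    infos = [classify(s) for s in suites]
    report = {
        "suite_count": len(suites),
        "modifiers": modifiers,
        "aead_count": sum(1 for i in infos if i["aead"]),
        "no_forward_secrecy": [i["suite"] for i in infos if not i["forward_secrecy"]],
        "triple_des": [i["suite"] for i in infos if i["cipher"] == "3DES"],
        "notes": [],
    }
    # OpenSSL 1.1.0 moved the 3DES suites from HIGH to MEDIUM, and '!' removes
    # ciphers even if they were named explicitly, so a trailing !MEDIUM
    # silently drops the two 3DES suites on newer builds while older builds keep them.
    if "!MEDIUM" in modifiers and report["triple_des"]:
        report["notes"].append("!MEDIUM removes the listed 3DES suites on OpenSSL >= 1.1.0")
    return report


def harden(spec):
    """Return the same list with non-forward-secret and 3DES suites dropped,
    original order and modifiers preserved."""
    suites, modifiers = split_cipher_string(spec)
    kept = [s for s in suites
            if not {"3des", "no-forward-secrecy"} & set(classify(s)["issues"])]
    return ":".join(kept + modifiers)


def negotiate(server_spec, client_offer, honor_server_order=True):
    """Pick the suite a TLS 1.2 server would select. With SSLHonorCipherOrder On
    the server's order decides; otherwise the client's first supported suite wins."""
    server_suites, _ = split_cipher_string(server_spec)
    preferred, other = ((server_suites, client_offer) if honor_server_order
                        else (client_offer, server_suites))
    return next((s for s in preferred if s in other), None)


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CIPHERSUITE).items():
        print(f"{key}: {value}")
    print("hardened:", harden(SAMPLE_CIPHERSUITE))
    print("server order:", negotiate(SAMPLE_CIPHERSUITE, CLIENT_OFFER, True))
    print("client order:", negotiate(SAMPLE_CIPHERSUITE, CLIENT_OFFER, False))
```

Running it against the posted list reports 22 suites, of which 7 lack forward secrecy and 2 use 3DES; the negotiation simulation shows that with the server's order honored the constructed client gets ECDHE-RSA-AES256-GCM-SHA384, and without it the client's preferred AES128-SHA, which is why the posted config pairs the list with SSLHonorCipherOrder On.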
