I'm using OpenVAS 8 (Atomic RPMs) on CentOS 6. All my scans stop at 1%
with "Failed to gnutls_bye: Error in the push function."

For GnuTLS, I tried both the CentOS version (2.8.5) and the Atomic
version (3.1.25) of the library and CLI. Is this merely a certificate
error, and if so, how do I fix it? I have re-generated the certs and
received the same results. I have pointed openvasmd to both GnuTLS
versions with the same results too.

[myusername@myhostname ~]$ tail -10 /var/log/openvas/openvasmd.log
md manage:WARNING:2016-10-17 00h34.56 utc:19101: manage_schedule: child failed
md manage:WARNING:2016-10-17 00h34.56 utc:19101: reschedule_task: rescheduling task 'fcc20ed6-0ec1-472a-8505-03a7dc532b89'
lib  serv:WARNING:2016-10-16 20h34.56 EDT:19104:    Failed to gnutls_bye: Error in the push function.
lib  serv:WARNING:2016-10-16 20h34.56 EDT:19106: openvas_server_verify: the certificate is not trusted
lib  serv:WARNING:2016-10-16 20h34.56 EDT:19106: openvas_server_verify: the certificate hasn't got a known issuer
event task:MESSAGE:2016-10-16 20h34.56 EDT:19106: Task Legacy DMZ Task (03b3557d-ebc2-47a6-ac88-d3860d75f7ea) could not be started by admin
md manage:WARNING:2016-10-17 00h34.56 utc:19105: manage_schedule: omp_start_task and omp_resume_task failed
lib  serv:WARNING:2016-10-16 20h34.56 EDT:19106:    Failed to gnutls_bye: Error in the push function.
md manage:WARNING:2016-10-17 00h34.56 utc:19102: manage_schedule: child failed
md manage:WARNING:2016-10-17 00h34.56 utc:19102: reschedule_task: rescheduling task '03b3557d-ebc2-47a6-ac88-d3860d75f7ea'
[myusername@myhostname ~]$

[myusername@myhostname ~]$ rpm -qa| grep openv
openvas-smb-1.0.1-1.el6.art.x86_64
openvas-cli-1.4.4-10.el6.art.x86_64
openvas-scanner-5.0.7-25.el6.art.x86_64
openvas-1.0-17.el6.art.noarch
openvas-manager-6.0.9-36.el6.art.x86_64
openvas-libraries-8.0.8-25.el6.art.x86_64
[myusername@myhostname ~]$

[myusername@myhostname ~]$ gnutls-cli --version
gnutls-cli (GnuTLS) 2.8.5
...

[myusername@myhostname ~]$ sudo /opt/atomic/atomic-gnutls3/root/usr/bin/gnutls-cli --x509cafile /var/lib/openvas/CA/cacert.pem --x509certfile /var/lib/openvas/CA/clientcert.pem --x509keyfile /var/lib/openvas/private/CA/clientkey.pem --insecure -p 9391 myhostname 2>&1 "< OTP/2.0 >\n" | more
Processed 1 CA certificate(s).
Processed 1 client X.509 certificates...
Resolving 'myhostname'...
Connecting to '192.168.1.252:9391'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `C=DE,L=Berlin,O=OpenVAS Users United,OU=Server certificate for myhostname,CN=myhostname,EMAIL=openvassd@myhostname', issuer `C=DE,L=Berlin,O=OpenVAS Users United,OU=Certification Authority for myhostname,CN=myhostname,EMAIL=ca@myhostname', RSA key 4096 bits, signed using RSA-SHA256, activated `2016-10-14 20:03:26 UTC', expires `2017-10-14 20:03:26 UTC', SHA-1 fingerprint `a915c3b705c71e5c710eeadb041f6453e6fc3aab'
        Public Key Id:
                875ef6af274f348699d7cd2a944cf33ed7b8a21d
        Public key's random art:
                +--[ RSA 4096]----+
                |                 |
                |                 |
                |            o    |
                |         . o B o.|
                |        S + B * +|
                |       . + o = +.|
                |        .   E * o|
                |           .o=.+ |
                |          ..o*+  |
                +-----------------+

- Status: The certificate is trusted.
- Successfully sent 1 certificate(s) to server.
- Description: (TLS1.2-PKIX)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)-(AEAD)
- Session ID:
2C:76:9D:9D:6A:30:25:3E:E2:BE:CE:9A:E5:2B:F2:8A:05:24:0C:0E:46:D8:45:FC:0D:03:A7:CB:E4:3E:F8:0A
- Ephemeral EC Diffie-Hellman parameters
- Using curve: SECP256R1
- Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA256
- Client Signature: RSA-SHA256
- Cipher: AES-128-GCM
- MAC: AEAD
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

*** Fatal error: The TLS connection was non-properly terminated.
*** Server has terminated the connection abnormally.

[myusername@myhostname ~]$ sudo gnutls-cli --x509cafile /var/lib/openvas/CA/cacert.pem --x509certfile /var/lib/openvas/CA/clientcert.pem --x509keyfile /var/lib/openvas/private/CA/clientkey.pem --insecure -p 9391 myhostname 2>&1  | more
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Processed 1 CA certificate(s).
Resolving 'myhostname'...
Connecting to '192.168.1.252:9391'...
- Server has requested a certificate.
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
  - subject `C=DE,L=Berlin,O=OpenVAS Users United,OU=Server certificate for myhostname,CN=myhostname,EMAIL=openvassd@myhostname', issuer `C=DE,L=Berlin,O=OpenVAS Users United,OU=Certification Authority for myhostname,CN=myhostname,EMAIL=ca@myhostname', RSA key 4096 bits, signed using RSA-SHA256, activated `2016-10-14 20:03:26 UTC', expires `2017-10-14 20:03:26 UTC', SHA-1 fingerprint `a915c3b705c71e5c710eeadb041f6453e6fc3aab'
- The hostname in the certificate matches 'myhostname'.
- Peer's certificate is trusted
- Version: TLS1.1
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

*** Fatal error: A TLS packet with unexpected length was received.
*** Server has terminated the connection abnormally.
[myusername@myhostname ~]$

[myusername@myhostname ~]$ openssl s_client -showcerts -connect localhost:9391
CONNECTED(00000003)
depth=0 C = DE, L = Berlin, O = OpenVAS Users United, OU = Server certificate for myhostname, CN = myhostname, emailAddress = openvassd@myhostname
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, L = Berlin, O = OpenVAS Users United, OU = Server certificate for myhostname, CN = myhostname, emailAddress = openvassd@myhostname
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = DE, L = Berlin, O = OpenVAS Users United, OU = Server certificate for myhostname, CN = myhostname, emailAddress = openvassd@myhostname
verify error:num=21:unable to verify the first certificate
verify return:1
140660756289352:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
Certificate chain
 0 s:/C=DE/L=Berlin/O=OpenVAS Users United/OU=Server certificate for myhostname/CN=myhostname/emailAddress=openvassd@myhostname
   i:/C=DE/L=Berlin/O=OpenVAS Users United/OU=Certification Authority for myhostname/CN=myhostname/emailAddress=ca@myhostname
-----BEGIN CERTIFICATE-----
MIIHYTCCBUmgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBrTELMAkGA1UEBhMCREUx
DzANBgNVBAcTBkJlcmxpbjEdMBsGA1UEChMUT3BlblZBUyBVc2VycyBVbml0ZWQx
...
pnhk9qxikKuIVlJBAdd6N7ZveBpIIaIFSDw30e8m4FdnrPPhtZEpq7bttOjapgEi
JbvV3Uvdo1Pck5FryAShhANsbEymaXJZ/epsCkQMUGborWx3htoKomhVCVk3KRYV
WeWCGjKrkdMnz+K/yN6xODY3IUsL
-----END CERTIFICATE-----
---
Server certificate
subject=/C=DE/L=Berlin/O=OpenVAS Users United/OU=Server certificate for myhostname/CN=myhostname/emailAddress=openvassd@myhostname
issuer=/C=DE/L=Berlin/O=OpenVAS Users United/OU=Certification Authority for myhostname/CN=myhostname/emailAddress=ca@myhostname
---
Acceptable client certificate CA names
/C=DE/L=Berlin/O=OpenVAS Users United/OU=Certification Authority for myhostname/CN=myhostname/emailAddress=ca@myhostname
Server Temp Key: ECDH, secp521r1, 521 bits
---
SSL handshake has read 2892 bytes and written 206 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
285545FE4BE27A393AF24562FB483FB3767CDF3B9D743131E0737B221E6EC0D9
    Session-ID-ctx:
    Master-Key:
8398B75E257A761FED19CF47F5D3F9C439CFC4BFD361F705EB54D233449CF14E6B4718EE04B0DB536E51E4E684C2DF75
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1476663973
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
[myusername@myhostname ~]$

_______________________________________________
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

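The openvasmd log above says "the certificate hasn't got a known issuer" while gnutls-cli, given the CA file explicitly, says the same server certificate is trusted. That pattern is worth splitting into separate questions: does the server cert on disk actually chain to the CA file the manager is configured with, does the issuer DN match the CA subject, does the private key belong to the cert, and is the listener on 9391 presenting the cert that is on disk (a regenerated cert only takes effect once openvassd is restarted). The script below is an added example and is not part of the original post or of the OpenVAS project; it builds a throwaway PKI with the openssl CLI (assumed names ca1, ca2 and myhostname in a temp dir) so it runs offline, and reproduces the "unknown issuer" case by verifying the server cert against an unrelated CA. To run the same checks on a real install, pass /var/lib/openvas/CA/cacert.pem, /var/lib/openvas/CA/servercert.pem and /var/lib/openvas/private/CA/serverkey.pem to the functions instead, and compare fingerprint with presented_fingerprint against the live port.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks for the kind of
# certificate trust failure reported by openvas_server_verify. Needs only the
# openssl CLI. The demo PKI (ca1, ca2, myhostname) is constructed here, not
# taken from any real installation.
set -eu

# Generate a self-signed CA named $2 under $1: $1/$2.key and $1/$2.pem.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/O=Demo/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# Issue a server certificate for host $3, signed by CA $2, under $1.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Demo/CN=$3" -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 1 -in "$1/$3.csr" \
    -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial -out "$1/$3.pem" >/dev/null 2>&1
}

# Does cert $2 chain to CA file $1? This is what the manager is effectively
# asking of the scanner's cert; failure is the "hasn't got a known issuer" case.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the issuer DN of cert $2 equal the subject DN of CA cert $1?
# A mismatch here usually means the cert was signed by an older/other CA.
issuer_matches_ca() {
  ca_subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
  crt_iss=$(openssl x509 -noout -issuer -in "$2" | sed 's/^issuer= *//')
  [ "$ca_subj" = "$crt_iss" ]
}

# Does private key $1 belong to cert $2? Compares the PEM public keys.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -pubkey)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# SHA-1 fingerprint of the cert in file $1 (colon-separated hex).
fingerprint() {
  openssl x509 -noout -fingerprint -sha1 -in "$1" | sed 's/^.*=//'
}

# SHA-1 fingerprint of the cert a live listener $1:$2 presents. Compare with
# fingerprint() of the on-disk file; they differ if the daemon was not
# restarted after the certs were regenerated. Not invoked in the demo.
presented_fingerprint() {
  openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//'
}

demo_dir=$(mktemp -d)
make_ca "$demo_dir" ca1            # the CA that really signed the server cert
make_ca "$demo_dir" ca2            # an unrelated CA, e.g. a stale or regenerated one
make_server_cert "$demo_dir" ca1 myhostname

if chain_ok "$demo_dir/ca1.pem" "$demo_dir/myhostname.pem"; then
  echo "ca1: server cert chains to CA"
fi
if ! chain_ok "$demo_dir/ca2.pem" "$demo_dir/myhostname.pem"; then
  echo "ca2: certificate hasn't got a known issuer (the failure in the log)"
fi
if key_matches_cert "$demo_dir/myhostname.key" "$demo_dir/myhostname.pem"; then
  echo "server key matches server cert"
fi
echo "on-disk fingerprint: $(fingerprint "$demo_dir/myhostname.pem")"
```

Note that chain_ok mirrors the openssl s_client result above: s_client without -CAfile reports "unable to verify the first certificate" simply because it has no CA to check against, so that output alone does not say whether the manager's configured CA file is the right one; the offline verify with the exact cacert.pem the manager reads does.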