OpenVAS discuss, Sharing a bit of experience.
With my recent upgrade from 8 to 9 I also disabled my Apache proxy which enforced some TLS and http header hardening in front of GSAD. GSAD improved a lot on this front, ++ for the developers! It did however give me one medium finding:

"""
'Vulnerable' cipher suites accepted by this service via the TLSv1.1 protocol:
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
"""

To fix this I further restricted the TLS configuration for GSAD by adding "--gnutls-priorities=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-256-CBC"

My start script uses the following:

    /opt/openvas9/sbin/openvasmd -p 9390 -a 127.0.0.1
    /opt/openvas9/sbin/gsad -p 443 --listen=0.0.0.0 --mlisten=127.0.0.1 --mport=9390 --ssl-private-key=/xxx.key --ssl-certificate=/xxx.crt --http-sts --gnutls-priorities="NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-256-CBC"

I haven't added some options because they are enabled by default. Not using chroot because .. I don't know to be honest but I got everything else locked down quite well.

Nmap results:

"""
root@scanner001:~# nmap -Pn -p 443 --script=ssl-enum-ciphers 10.xxx.xxx.xxx

Starting Nmap 5.51 ( http://nmap.org ) at 2017-06-02 13:43 CEST
Nmap scan report for 10.xxx.xxx.xx
Host is up (0.00023s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (2)
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|     Compressors (1)
|_      uncompressed
"""

Thijs Stuurman
Security Operations Center | KPN Internedservices
T: +31(0)299476185 | M: +31(0)624366778
PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)
Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048
W: https://www.internedservices.nl | L: http://nl.linkedin.com/in/thijsstuurman
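The post verifies the new GnuTLS priority string by eyeballing nmap's ssl-enum-ciphers output. Below is an added example (not part of the post, and not OpenVAS or nmap code) that does the same check programmatically: it parses ssl-enum-ciphers output into protocol/suite lists and flags legacy protocol versions, SWEET32-class and other weak suites, and, as a defender's caveat worth noting from the scan above, the absence of any (EC)DHE suite, which means the remaining TLS_RSA_* suites offer no forward secrecy. Both scan texts are constructed samples modelled on the old (Nmap 5.51) and newer ssl-enum-ciphers layouts; the host, suites and grades are hypothetical.

```python
import re

# Constructed sample in the Nmap 5.51-era ssl-enum-ciphers layout (hypothetical
# host, NOT the author's scan): TLSv1.1 still enabled with 3DES suites.
SAMPLE_SCAN = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.1
|     Ciphers (3)
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|   TLSv1.2
|     Ciphers (2)
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|     Compressors (1)
|_      uncompressed
"""

# Constructed sample in the newer ssl-enum-ciphers layout (suites carry a key
# exchange note and a grade) for a host that only offers ECDHE AES-GCM suites.
HARDENED_SCAN = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|_  least strength: A
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Substring found in the suite name -> reason to report it.
WEAK_CIPHER_MARKERS = {
    "3DES": "SWEET32 (64-bit block cipher)",
    "RC4": "RC4 keystream biases",
    "_NULL_": "no encryption",
    "EXPORT": "export-grade key size",
    "_MD5": "MD5-based MAC",
    "anon": "anonymous (unauthenticated) key exchange",
}

VERSION_LINE = re.compile(r"(SSLv\d|TLSv1(?:\.\d)?):?")


def parse_ssl_enum_ciphers(text):
    """Return {protocol: [suite, ...]} from nmap ssl-enum-ciphers script output.

    Handles both the old layout ("TLSv1.2" / "Ciphers (2)") and the newer one
    ("TLSv1.2:" / "ciphers:" with a trailing key-exchange note and grade).
    """
    result = {}
    current = None
    for line in text.splitlines():
        body = line.lstrip("|_ ").rstrip()          # strip nmap's tree prefix
        m = VERSION_LINE.fullmatch(body)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
        elif current and (body.startswith("TLS_") or body.startswith("SSL_")):
            result[current].append(body.split()[0])  # drop "(secp256r1) - A"
    return result


def assess(findings):
    """Return a list of human-readable issues for the parsed protocol/suite map."""
    issues = []
    for proto, suites in findings.items():
        if proto in WEAK_PROTOCOLS and suites:
            issues.append(f"{proto}: legacy protocol version enabled")
        for suite in suites:
            for marker, reason in WEAK_CIPHER_MARKERS.items():
                if marker in suite:
                    issues.append(f"{proto}: {suite} - {reason}")
    # Forward secrecy check on the modern protocol versions only.
    modern = [s for p, ss in findings.items() if p not in WEAK_PROTOCOLS for s in ss]
    if modern and not any("_ECDHE_" in s or "_DHE_" in s for s in modern):
        issues.append("TLSv1.2+: no (EC)DHE suites offered, so no forward secrecy")
    return issues


if __name__ == "__main__":
    for name, scan in (("sample", SAMPLE_SCAN), ("hardened", HARDENED_SCAN)):
        problems = assess(parse_ssl_enum_ciphers(scan))
        print(f"{name}: {len(problems)} issue(s)")
        for p in problems:
            print("  -", p)
```

Feed it real output with `nmap -Pn -p 443 --script=ssl-enum-ciphers <host> > scan.txt` and pass the file contents to `parse_ssl_enum_ciphers`; an empty list from `assess` is the condition to look for after changing the priority string.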
