Hi,

On 02.06.2017 14:25, Thijs Stuurman wrote:
> OpenVAS discuss,
>
> Sharing a bit of experience.
>
> With my recent upgrade from 8 to 9 I also disabled my Apache proxy which
> enforced some TLS and http header hardening in front of GSAD.
> GSAD improved a lot on this front, ++ for the developers! It did however give
> me one medium finding:
>
> """
> 'Vulnerable' cipher suites accepted by this service via the TLSv1.1 protocol:
>
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
> TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
> """

This is the expected behavior. The GSA is using the default GnuTLS priorities of your system for the reason explained here:

> That is, applications should use the default settings (c.f. gnutls_set_default_priority), and provide the user with access to priority strings for overriding the default behavior, on configuration files, or other UI. Following such a principle, makes the GnuTLS library as the default settings provider. That is necessary and a good practice, because TLS protocol hardening and phasing out of legacy algorithms, is easier to co-ordinate when happens in a single library.

-> https://gnutls.org/manual/html_node/Core-TLS-API.html#gnutls_005fset_005fdefault_005fpriority

> To fix this I further restricted the TLS configuration for GSAD by adding
> "--gnutls-priorities=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-256-CBC"

Personally I'm currently using the following priority string:

--gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"

> My start script uses the following:
>
> /opt/openvas9/sbin/openvasmd -p 9390 -a 127.0.0.1
> /opt/openvas9/sbin/gsad -p 443 --listen=0.0.0.0 --mlisten=127.0.0.1
> --mport=9390 --ssl-private-key=/xxx.key --ssl-certificate=/xxx.crt --http-sts
> --gnutls-priorities="NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-256-CBC"
>
> I haven't added some options because they are enabled by default.
> Not using chroot because .. I don't know to be honest but I got everything
> else locked down quite well.
> Nmap results:
>
> """
> root@scanner001:~# nmap -Pn -p 443 --script=ssl-enum-ciphers 10.xxx.xxx.xxx
>
> Starting Nmap 5.51 ( http://nmap.org ) at 2017-06-02 13:43 CEST
> Nmap scan report for 10.xxx.xxx.xx
> Host is up (0.00023s latency).
> PORT STATE SERVICE
> 443/tcp open https
> | ssl-enum-ciphers:
> | TLSv1.2
> | Ciphers (2)
> | TLS_RSA_WITH_AES_256_CBC_SHA
> | TLS_RSA_WITH_AES_256_CBC_SHA256
> | Compressors (1)
> |_ uncompressed
> """

Regards,

> Thijs Stuurman
> Security Operations Center | KPN Internedservices
> thijs.stuur...@internedservices.nl | thijs.stuur...@kpn.com
> T: +31(0)299476185 | M: +31(0)624366778
> PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)
> Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048
>
> W: https://www.internedservices.nl | L:
> http://nl.linkedin.com/in/thijsstuurman
>
>
> _______________________________________________
> Openvas-discuss mailing list
> Openvas-discuss@wald.intevation.org
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
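As an added check (example code written alongside this thread, not part of the thread, GSAD or OpenVAS), the following Python parses `ssl-enum-ciphers` output in the shape shown above and flags exactly what the medium finding complained about: 3DES suites (SWEET32) and any protocol version below TLSv1.2. The sample scan output is constructed to look like the service before the priority string was tightened.

```python
import re

# Constructed sample in the shape of `nmap --script=ssl-enum-ciphers` output:
# the service still offers TLSv1.1 and the two 3DES suites from the finding.
SAMPLE_BEFORE = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.1
|     Ciphers (3)
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|     Compressors (1)
|       uncompressed
|   TLSv1.2
|     Ciphers (2)
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|     Compressors (1)
|_      uncompressed
"""

PROTO_RE = re.compile(r"^(SSLv[23]|TLSv1(?:\.[0-3])?)$")
CIPHER_RE = re.compile(r"^TLS_[A-Z0-9_]+$")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def parse_enum_ciphers(text):
    """Return {protocol: [cipher suite, ...]} from ssl-enum-ciphers output."""
    suites, proto = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ \t")  # drop nmap's script-output prefix/indent
        if PROTO_RE.match(line):
            proto = line
            suites.setdefault(proto, [])
        elif proto and CIPHER_RE.match(line):
            suites[proto].append(line)
    return suites


def weak_findings(suites):
    """List (protocol, cipher, reason) tuples a scanner would report."""
    findings = []
    for proto, ciphers in suites.items():
        for cipher in ciphers:
            if "3DES" in cipher:  # 64-bit block cipher, the SWEET32 finding
                findings.append((proto, cipher, "SWEET32: 3DES suite"))
            if proto in LEGACY_PROTOCOLS:
                findings.append((proto, cipher, "legacy protocol " + proto))
    return findings


if __name__ == "__main__":
    for finding in weak_findings(parse_enum_ciphers(SAMPLE_BEFORE)):
        print(*finding)
```

Feed it the real scan output from a pipe and an empty result means the priority string did what you intended.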