[Openvas-discuss] Modifying the OpenVAS SSL config
Hello list,

Can someone point me to the SSL configuration settings for OpenVAS 7? I would like to eliminate SSLv3 and specify the ciphers, but all I see in /etc/openvas/openvassd.conf is the settings for the certificate files:

# Certificates
# cert_file=
etc.

thank you,
K

___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
Re: [Openvas-discuss] Modifying the OpenVAS SSL config
On 08.12.2014 at 19:03, Kevin Neely wrote:
> Can someone point me to the SSL configuration settings for OpenVAS 7? I would like to eliminate SSLv3 and specify the ciphers, but all I see in /etc/openvas/openvassd.conf is the settings for the certificate files:

hardcoded - a design flaw
Re: [Openvas-discuss] Modifying the OpenVAS SSL config
On 08.12.2014 at 19:05, Reindl Harald wrote:
> hardcoded - a design flaw

not really: http://lists.wald.intevation.org/pipermail/openvas-discuss/2014-November/007077.html
Re: [Openvas-discuss] Modifying the OpenVAS SSL config
On 12/08/2014 10:15 AM, Chris wrote:
> On 08.12.2014 at 19:05, Reindl Harald wrote:
>> hardcoded - a design flaw
>
> not really: http://lists.wald.intevation.org/pipermail/openvas-discuss/2014-November/007077.html

Thank you for the answers, this helps quite a bit. Is there any further information on the proper syntax for 'gsad --gnutls-priorities=' ? Does it take the SSLCipherSuite syntax used by Apache's mod_ssl? For example, the article shows:

gsad --gnutls-priorities=SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0

However, in my limited understanding of POODLE, SSLv3 using CBC ciphers are vulnerable to that MITM attack.

thank you,
K
Re: [Openvas-discuss] Modifying the OpenVAS SSL config
On 2014-12-08 19:13, Kevin Neely wrote:
> On 12/08/2014 10:15 AM, Chris wrote:
>> On 08.12.2014 at 19:05, Reindl Harald wrote:
>>> hardcoded - a design flaw
>>
>> not really: http://lists.wald.intevation.org/pipermail/openvas-discuss/2014-November/007077.html
>
> Thank you for the answers, this helps quite a bit. Is there any further information on the proper syntax for 'gsad --gnutls-priorities=' ? Does it take the SSLCipherSuite syntax used by Apache's mod_ssl? For example, the article shows:
>
> gsad --gnutls-priorities=SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0
>
> However, in my limited understanding of POODLE, SSLv3 using CBC ciphers are vulnerable to that MITM attack.
>
> thank you,
> K

It uses the GnuTLS priority string syntax: http://gnutls.org/manual/html_node/Priority-Strings.html

Keep in mind the difference/additions between GnuTLS 3.x and 2.x (the former provides a wider range of ciphersuites, as well as syntax keywords...)
Re: [Openvas-discuss] Modifying the OpenVAS SSL config
Hi,

> For example, the article shows:
>
> gsad --gnutls-priorities=SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0
>
> However, in my limited understanding of POODLE, SSLv3 using CBC ciphers are vulnerable to that MITM attack.

SSLv3 is disabled via the: -VERS-SSL3.0 string.
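The two replies above point at the GnuTLS priority-string syntax and at -VERS-SSL3.0 as the part that closes SSLv3. The following is an added example, not code from this thread, OpenVAS or GnuTLS: a small interpreter for the subset of that syntax used here (initial keyword, then +/-/! modifiers and %FLAGS), so a gsad --gnutls-priorities value can be checked for SSL 3.0 before the daemon is restarted. Which protocol versions an initial keyword enables before any modifiers is an assumption modelled on a 2014-era GnuTLS 3.x; confirm it against the installed build.

```python
"""Interpreter for the subset of GnuTLS priority-string syntax used in this
thread: an initial keyword, then ':'-separated modifiers where '-X' or '!X'
removes and '+X' adds an algorithm or protocol version, and '%FLAG' sets a
flag. It answers "does this string still allow SSL 3.0?" without a server.
"""
from dataclasses import dataclass, field

# ASSUMPTION: the protocol versions an initial keyword enables before any
# modifiers, modelled on a 2014-era GnuTLS 3.x in which SSL 3.0 was still part
# of NORMAL/SECURE*. Confirm on your build: gnutls-cli -l --priority "<string>"
ASSUMED_BASELINE_VERSIONS = {"SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2"}
INITIAL_KEYWORDS = {"NORMAL", "PFS", "SECURE128", "SECURE192", "SECURE256", "NONE"}


@dataclass
class Priority:
    keyword: str
    versions: set = field(default_factory=set)   # protocol versions enabled
    removed: set = field(default_factory=set)    # ciphers/MACs/etc. removed
    added: set = field(default_factory=set)      # algorithms explicitly added
    flags: set = field(default_factory=set)      # %FLAGS such as SERVER_PRECEDENCE


def parse_priority(prio: str) -> Priority:
    tokens = [t.strip() for t in prio.split(":") if t.strip()]
    if not tokens or tokens[0] not in INITIAL_KEYWORDS:
        raise ValueError("priority string must start with an initial keyword")
    p = Priority(tokens[0])
    if p.keyword != "NONE":            # NONE starts with nothing enabled
        p.versions = set(ASSUMED_BASELINE_VERSIONS)
    for tok in tokens[1:]:
        if tok.startswith("%"):
            p.flags.add(tok[1:])
            continue
        op, name = tok[0], tok[1:]
        if op not in "+-!" or not name:
            raise ValueError(f"bad modifier {tok!r}: expected +NAME, -NAME or !NAME")
        if name.startswith("VERS-"):   # protocol version keyword
            version = name[len("VERS-"):]
            (p.versions.add if op == "+" else p.versions.discard)(version)
        elif op == "+":
            p.added.add(name)
        else:                          # '-' and '!' both remove
            p.removed.add(name)
    return p


def allows_sslv3(prio: str) -> bool:
    """True when SSL 3.0 can still be negotiated, i.e. POODLE is not closed."""
    return "SSL3.0" in parse_priority(prio).versions
```

Run against the string from the linked article, the parser reports only TLS 1.1 and 1.2 left enabled and the two CBC ciphers removed, which is the answer to the POODLE question above; the authoritative check remains gnutls-cli -l with the same --priority value on the host running gsad.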
Re: [Openvas-discuss] Modifying the OpenVAS SSL config
On 08.12.2014 at 19:15, Chris wrote:
> On 08.12.2014 at 19:05, Reindl Harald wrote:
>> hardcoded - a design flaw
>
> not really: http://lists.wald.intevation.org/pipermail/openvas-discuss/2014-November/007077.html

such settings belong in a config file, otherwise if you install from packages the modified sysvinit script gets overwritten, until you are on systemd based distributions where you can place your units in /etc/systemd/system
Re: [Openvas-discuss] Knowledge base isn't being saved after a scan
Is there an easy way to downgrade the scanner to 3.3 or 3.4? When I did

sudo yum downgrade openvas-scanner-3.3.1-4.el6.art

it succeeded, but trying to start the scanner service complains with '/usr/sbin/openvassd: error while loading shared libraries: libopenvas_misc.so.5: cannot open shared object file: No such file or directory.' I'm assuming it wants the 5.x version of the openvas-libraries package, but it looks like only 3.0.3 and 7.0.x are available in my repositories (including Atomic), and the project files at http://wald.intevation.org/frs/?group_id=29 only go back to 6.0 for the libraries.

-----Original Message-----
From: matthew.mund...@greenbone.net [mailto:matthew.mund...@greenbone.net]
Sent: Tuesday, December 02, 2014 11:34 PM
To: Wiza, David
Cc: openvas-discuss@wald.intevation.org
Subject: Re: [Openvas-discuss] Knowledge base isn't being saved after a scan

> Hmm... If that's the case, then that's a pretty significant change that should have been put into the update notes when it was released. Also, if KB saving has been removed, then the save_kb option should be removed too, as setting it to yes won't do anything.

From openvas-scanner/CHANGES:

openvas-scanner 4.0.0 (2014-04-10)
...
* Support for Knowledge Base saving outside of network scans has been removed.
...

So you should still have it. The preference is save_knowledge_base, by the way. Maybe try OpenVAS-7 anyway?

--
Greenbone Networks GmbH
Neuer Graben 17, 49074 Osnabrueck, Germany | AG Osnabrueck, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
[Openvas-discuss] (no subject)
Hello,

I am facing a problem in openvas-setup; if anyone could help me please. Following is the problem:

[root@localhost /]# openvas-setup
Openvas Setup, Version: 0.5

Step 1: Update NVT's and SCAP data
Please note this step could take some time.
Once completed, NVT's and SCAP data will be updated automatically every 24 hours

Updating NVTs
[i] This script synchronizes an NVT collection with the 'OpenVAS NVT Feed'.
[i] The 'OpenVAS NVT Feed' is provided by 'The OpenVAS Project'.
[i] Online information about this feed: 'http://www.openvas.org/openvas-nvt-feed.html'.
[i] NVT dir: /var/lib/openvas/plugins
rsync: failed to connect to feed.openvas.org (78.47.251.61): Connection refused (111)
rsync error: error in socket IO (code 10) at clientserver.c(122) [Receiver=3.0.9]
[e] Error: rsync failed.

regards,
rahul
[Openvas-discuss] problem installing openvas in centos7
hi all,

following is the issue:

[root@localhost /]# openvas-setup
Openvas Setup, Version: 0.5

Step 1: Update NVT's and SCAP data
Please note this step could take some time.
Once completed, NVT's and SCAP data will be updated automatically every 24 hours

Updating NVTs
[i] This script synchronizes an NVT collection with the 'OpenVAS NVT Feed'.
[i] The 'OpenVAS NVT Feed' is provided by 'The OpenVAS Project'.
[i] Online information about this feed: 'http://www.openvas.org/openvas-nvt-feed.html'.
[i] NVT dir: /var/lib/openvas/plugins
rsync: failed to connect to feed.openvas.org (78.47.251.61): Connection refused (111)
rsync error: error in socket IO (code 10) at clientserver.c(122) [Receiver=3.0.9]
[e] Error: rsync failed.

[root@localhost /]# openvas-check-setup
openvas-check-setup 2.2.1
  Test completeness and readiness of OpenVAS-6
  (add '--v4', '--v5' or '--v7' if you want to check for another OpenVAS version)

  Please report us any non-detected problems and help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

  Use the parameter --server to skip checks for client tools like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner ...
        ERROR: OpenVAS Scanner too old or too new: 4.0.5
        FIX: Please install OpenVAS Scanner 3.4.

 ERROR: Your OpenVAS-6 installation is not yet complete!

Please follow the instructions marked with FIX above and run this script again.

If you think this result is wrong, please report your observation and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

[root@localhost /]# openvas-certdata-sync
[i] This script synchronizes a CERT advisory directory with the OpenVAS one.
[i] CERT dir: /var/lib/openvas/cert-data
[i] Will use rsync
[i] Using rsync: /usr/bin/rsync
[i] Configured CERT data rsync feed: rsync://feed.openvas.org:/cert-data
rsync: failed to connect to feed.openvas.org (78.47.251.61): Connection refused (111)
rsync error: error in socket IO (code 10) at clientserver.c(122) [Receiver=3.0.9]
Error: rsync failed. Your CERT data might be broken now.

NOTE: tried --curl and --wget for cert data and scap data but the result is the same.

[root@localhost /]# openvas-scapdata-sync
[i] This script synchronizes a SCAP data directory with the OpenVAS one.
[i] SCAP dir: /var/lib/openvas/scap-data
[i] Will use rsync
[i] Using rsync: /bin/rsync
[i] Configured SCAP data rsync feed: rsync://feed.openvas.org:/scap-data
rsync: failed to connect to feed.openvas.org (78.47.251.61): Connection refused (111)
rsync error: error in socket IO (code 10) at clientserver.c(122) [Receiver=3.0.9]
[e] Error: rsync failed. Your SCAP data might be broken now.

Apart from this, when logging into gsd in the web browser it prompts: login failed, omp service is down.

If anyone could please help me with this, any valuable input is highly appreciated.

Thanks,
regards,
rahul
Re: [Openvas-discuss] problem installing openvas in centos7
Hi,

> rsync: failed to connect to feed.openvas.org (78.47.251.61): Connection refused (111)
> rsync error: error in socket IO (code 10) at clientserver.c(122) [Receiver=3.0.9]
> [e] Error: rsync failed.

just tested this and it works as expected. Are you able to ping this system?

> [root@localhost /]# openvas-check-setup
> openvas-check-setup 2.2.1
>   Test completeness and readiness of OpenVAS-6
>   (add '--v4', '--v5' or '--v7' if you want to check for another OpenVAS version)

Please update to the latest openvas-check-setup 2.2.6: https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup which now defaults to OpenVAS-7 (which you're probably using).
Re: [Openvas-discuss] Modifying the OpenVAS SSL config
Hi,

> such settings belong in a config file, otherwise if you install from packages the modified sysvinit script gets overwritten, until you are on systemd based distributions where you can place your units in /etc/systemd/system

sure, it could be useful to have such a setting in a config file. But as far as I can see there is still no hardcoded cipher list, as you have written in your initial post.