[Openvas-devel] CR 45: OpenVAS-Scanner: add pausing of scans

Tim Brown timb at openvas.org
Tue Mar 16 10:03:14 CET 2010

On Friday 12 March 2010 14:44:15 Thomas Reinke wrote:
> Michael Meyer wrote:
> > *** Chandrashekhar B <bchandra at secpod.com> wrote:
> >>> On Friday 12 March 2010 10:06:42 Jan-Oliver Wagner wrote:
> >>>> * migrate ssl_ciphers to use GnuTLS
> >>> 
> >>> Is this the C check?  If so, I would prefer not to move to
> >>> GnuTLS.  GnuTLS is rather conservative in what ciphers it
> >>> supports and may therefore miss weak ciphers because it
> >>> doesn't support them rather than because the scanned service doesn't.
> >> 
> >> Yes, agree, let us invalidate this plugin and write in NASL.
> > 
> > But this means, do this check with GnuTLS because NASL is linked
> > against it. So this will not solve Tim's concern. Or am I mistaken?
> Didn't someone have a potential solution for this (Chandra?) suggesting
> ssl-enum?  I believe, IIRC, it was a tool set that tested for ALL
> ciphers and didn't need an SSL library to do so (went straight to the
> protocol level).  It was a C based tool, but it was not very
> complicated.  In either case, you could either make this tool
> available to be called from a nasl plugin, or with a bit more
> effort, duplicate the functionality in nasl. In both cases, you
> are not reliant on the scanner library's SSL cipher set limitations.

Me I think (I've mentioned it at various times since the last devcon), 
although Chandra may have picked up on it.  Different libraries support 
different cipher suites, my suggested GSoC project was to implement a script 
that can talk to servers built with each of them.  ssl-enum does this as do a 
couple of others.  My point was that in the mean time, replacing OpenSSL with 
GNU/TLS for this C plugin adds extreme regressions and that I disagreed that 
it should happen.

Tim Brown
<mailto:timb at openvas.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
Url : http://lists.wald.intevation.org/pipermail/openvas-devel/attachments/20100316/8435bf95/attachment.pgp

More information about the Openvas-devel mailing list