[Openvas-discuss] Trouble connecting to scanner

Hani Benhabiles hani.benhabiles at greenbone.net
Fri Jun 20 12:53:52 CEST 2014


On 2014-06-20 10:32, Abelardo Ricart wrote:
> I'm part of an effort to package OpenVAS for Arch Linux, but we can't
> seem to get it working.
>

Which version ?

> Here's the relevant output of openvas-check-setup:
> ERROR: The number of NVTs in the OpenVAS Manager database is too 
> lowFIX:
> Make sure OpenVAS Scanner is running with an up-to-date NVT 
> collection
> and run 'openvasmd --rebuild'.
>
> Attempting to run openvasmd --rebuild fails with:
> Rebuilding NVT cache... failed.
>
> And in openvasmd.log we have this:
> Failed to shake hands with peer: The TLS connection was non-properly
> terminated.

Probable guess: Certificates issue, maybe ?

> update_or_rebuild_nvt_cache: failed to connect to scanner
> Failed to gnutls_bye: GnuTLS internal error.
>
> Attempting to connect to openvassd with gnutls-cli-debug gives us:
> Resolving '127.0.0.1'...
> Connecting to '127.0.0.1:9391'...
> Checking for SSL 3.0 support... no
> Checking whether %COMPAT is required... yes
> Checking for TLS 1.0 support... no
> Checking for TLS 1.1 support... no
> Checking fallback from TLS 1.1 to... failed
> Checking for TLS 1.2 support... no
> Checking whether we need to disable TLS 1.2... yes
>
> Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1 and TLS 
> 1.2
>
> We are using GnuTLS 3.3.4
>
> Any ideas?
>
>

gnutls-cli-debug is more confusing then anything else in this case as 
it fails to connect because it doesn't provides any certificates (you 
can verify the SSL handshake with Wireshark, for instance.)


What you need to test is something like this:
gnutls-cli --x509cafile /usr/var/lib/openvas/CA/cacert.pem 
--x509certfile /usr/var/lib/openvas/CA/clientcert.pem --x509keyfile 
/usr/var/lib/openvas/private/CA/clientkey.pem --insecure -p 9391 
localhost

(You may send "< OTP/2.0 >\n" to be sure of correct data exchange.)

Adjust parameters for your certificates' paths, bind port etc,.



More information about the Openvas-discuss mailing list