[Openvas-discuss] OPENVASMD 9390/TCP Weak Ciphers

Reindl Harald h.reindl at thelounge.net
Mon May 26 12:39:50 CEST 2014



Am 26.05.2014 12:14, schrieb Hani Benhabiles:
> On 2014-05-25 16:41, Reindl Harald wrote:
>> Am 25.05.2014 12:51, schrieb Michael Meyer:
>>> *** Reindl Harald wrote:
>>>> Am 25.05.2014 12:38, schrieb Michael Meyer:
>>>>> *** Reindl Harald wrote:
>>>>>
>>>>>> and pretty sure also can't test modern ciphers
>>>>>> on target systems using whatever software with OpenSSL
>>>>>
>>>>> Pretty sure isn't the same as knowing. You are again wrong
>>>>
>>>> how are you doing that if your own library does not support
>>>> it?
>>>
>>> We just don't use a library for the cipher check. See
>>> secpod_ssl_ciphers.inc to understand how it works.
>>
>> the cipher check itself is only one piece
>>
>> scanning a website offering only PFS and forcing encryption
>> is just impossible, because you can't get any HTTP connection
>> to try attacks against the web application behind it
>>
>> I have two internal sites here only allowing DHE/ECDHE because
>> they are not publicly reachable, which does not mean securing them
>> internally doesn't matter
> 
> As I stated earlier:
> 
> DHE ===> Only GnuTLS 2.x is required (+ --dh-params, for the server daemons.)
> 
> ECDHE/ECDSA ===> Link against GnuTLS 3.x. That's it

You can hardly do that on package-management-driven systems, and
the reason for switching to CentOS *was GnuTLS*: it was impossible
to get GSAD running on Fedora with recent GnuTLS/libmicrohttpd for
the whole of 2012.

[root at openvas:~]$ rpm -q gnutls
gnutls-2.8.5-13.el6_5.x86_64

[root at openvas:~]$ cat /etc/redhat-release
CentOS release 6.5 (Final)

> GSAD by default is picking TLS_ECDHE_RSA_WITH_AES_128_GCM_256 with
> my fully updated FireFox.

Impossible on most systems, as explained above.

> You are free to use --gnutls-priorities to customize
> the supported ciphersuites list

And why are OpenVAS 6 / GSA 4 not doing that by default?

Firefox is using AES128-CBC-SHA1 here, and modifying the sysvinit script
is a damned bad idea because it gets overwritten at every update.

