[Openvas-discuss] TLS error when trying to launch scan

Winfried Neessen neessen at cleverbridge.com
Thu Jul 16 15:50:23 CEST 2015


Hi, 

any other suggestions on how to troubleshoot this? It definitely seems to be 
GnuTLS related, but I am not able to figure out what happens. gnutls-cli is able 
to connect: 

% sudo gnutls-cli --x509cafile /usr/pkg/openvas/var/lib/openvas/CA/cacert.pem --x509certfile /usr/pkg/openvas/var/lib/openvas/CA/clientcert.pem --x509keyfile /usr/pkg/openvas/var/lib/openvas/private/CA/clientkey.pem --insecure -p 9391 localhost 
Processed 1 CA certificate(s). 
Processed 1 client X.509 certificates... 
Resolving 'localhost'... 
Connecting to '::1:9391'... 
Connecting to '127.0.0.1:9391'... 
- Certificate type: X.509 
- Got a certificate list of 1 certificates. 
- Certificate[0] info: 
- subject `C=DE,ST=NRW,L=Cologne,O=cleverbridge AG,OU=Server certificate for netscan.cgn.cleverbridge.com,CN=netscan.cgn.cleverbridge.com,EMAIL=openvassd at netscan.cgn.cleverbridge.com', issuer `C=DE,ST=NRW,L=Cologne,O=cleverbridge AG,OU=Certification Authority for netscan.cgn.cleverbridge.com,CN=netscan.cgn.cleverbridge.com,EMAIL=ca at netscan.cgn.cleverbridge.com', RSA key 4096 bits, signed using RSA-SHA256, activated `2015-07-14 12:40:08 UTC', expires `2016-07-13 12:40:08 UTC', SHA-1 fingerprint `03d157c0bb49caff86e9494862bbe72f17977b52' 
Public Key ID: 
4917ebe77e2ec221116f0210458c9d27fee3e97a 
Public key's random art: 
+--[ RSA 4096]----+ 
| oOo. . | 
| . * o o | 
| . +.oo | 
| ..o+o | 
| .S+. . | 
| + .o | 
| . = .. | 
| E o.. . | 
| .+. ..+. | 
+-----------------+ 

- Status: The certificate is NOT trusted. The name in the certificate does not match the expected. 
*** PKI verification of server certificate failed... 
- Successfully sent 1 certificate(s) to server. 
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM) 
- Session ID: D7:4B:24:A4:55:5B:75:17:ED:3E:96:65:7A:72:31:FB:F7:E1:A6:AD:55:9F:69:5A:F6:AC:B7:C0:CF:A5:B8:02 
- Ephemeral EC Diffie-Hellman parameters 
- Using curve: SECP256R1 
- Curve size: 256 bits 
- Version: TLS1.2 
- Key Exchange: ECDHE-RSA 
- Server Signature: RSA-SHA256 
- Client Signature: RSA-SHA256 
- Cipher: AES-128-GCM 
- MAC: AEAD 
- Compression: NULL 
- Options: extended master secret, safe renegotiation, 
- Handshake was completed 

- Simple Client Mode: 

Any help is highly appreciated. 

Winni 
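The certificate set being troubleshot above can be sanity-checked offline before another round of regenerating and restarting. The script below is an added example, not code from the original post or from the OpenVAS project. It assumes the file layout visible in the gnutls-cli command above (cacert.pem, servercert.pem and clientcert.pem under CA/, serverkey.pem and clientkey.pem under private/CA/; the exact names are an assumption, adjust them to your install) and that openssl 1.0.2 or newer is on PATH. It checks the three things the thread turns on: that both leaf certificates still chain to the CA in cacert.pem (a CA regenerated with openvas-mkcert -f invalidates every certificate issued by the old one), that each private key belongs to its certificate, and that the server certificate is valid for the name the manager connects with (the gnutls-cli status "The name in the certificate does not match the expected" is exactly this: the session went to localhost while the CN is netscan.cgn.cleverbridge.com).

```shell
#!/bin/sh
# Added example, not from the original post or from OpenVAS.
# Offline sanity checks for the certificates openvasmd uses to reach
# openvassd on port 9391 over mutually authenticated TLS.
# Assumed layout (taken from the gnutls-cli command in the post; adjust):
#   $OPENVAS_DIR/CA/cacert.pem, servercert.pem, clientcert.pem
#   $OPENVAS_DIR/private/CA/serverkey.pem, clientkey.pem
# Requires: openssl 1.0.2 or newer (for "x509 -checkhost").

# Does CERT chain to the CA in CAFILE (signature and validity period)?
cert_chains_to_ca() {
  cafile=$1; cert=$2
  # "verify" prints "<file>: OK" on success; grep that marker instead of
  # relying on the exit code, which very old OpenSSL releases did not set.
  openssl verify -CAfile "$cafile" "$cert" 2>/dev/null | grep -q ': OK$'
}

# Does private key KEY belong to CERT? Compare the public keys they carry.
key_matches_cert() {
  cert=$1; key=$2
  certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
  keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
  [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# Is CERT valid for HOST (subjectAltName, or the CN when there is no SAN)?
cert_matches_host() {
  cert=$1; host=$2
  openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null \
    | grep -q 'does match'
}

# Report one key/certificate pair; returns 1 on mismatch.
check_key() {
  if key_matches_cert "$1" "$2"; then
    echo "ok:   $2 matches $1"
  else
    echo "FAIL: $2 does not match $1"
    return 1
  fi
}

# check_cert_set CAFILE SERVERCERT SERVERKEY CLIENTCERT CLIENTKEY SCANNER_HOST
# Prints one line per finding; returns 0 only if every check passed.
check_cert_set() {
  cafile=$1; scert=$2; skey=$3; ccert=$4; ckey=$5; host=$6
  rc=0
  for c in "$scert" "$ccert"; do
    if cert_chains_to_ca "$cafile" "$c"; then
      echo "ok:   $c chains to $cafile"
    else
      echo "FAIL: $c does not verify against $cafile" \
           "(CA regenerated without reissuing this certificate?)"
      rc=1
    fi
  done
  check_key "$scert" "$skey" || rc=1
  check_key "$ccert" "$ckey" || rc=1
  if cert_matches_host "$scert" "$host"; then
    echo "ok:   $scert is valid for host $host"
  else
    echo "FAIL: $scert is not valid for host $host" \
         "(the 'name does not match' status gnutls-cli reports)"
    rc=1
  fi
  return $rc
}

# Stand-alone use (paths are the assumed layout above):
#   sh check_openvas_certs.sh CA/cacert.pem CA/servercert.pem \
#      private/CA/serverkey.pem CA/clientcert.pem private/CA/clientkey.pem \
#      localhost
if [ "$#" -eq 6 ]; then
  check_cert_set "$@"
fi
```

Pass as the last argument the name openvasmd actually uses to reach the scanner (localhost in the gnutls-cli run above), not the name in the certificate; a FAIL on that line with everything else ok means the certificate was issued for a different host name than the one the manager connects to.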

> From: "Eero Volotinen" <eero.volotinen at iki.fi>
> To: "Winfried Neessen" <neessen at cleverbridge.com>
> Cc: "openvas-discuss" <openvas-discuss at wald.intevation.org>
> Sent: Tuesday, July 14, 2015 3:56:03 PM
> Subject: Re: [Openvas-discuss] TLS error when trying to launch scan

> Try restarting services again. Sounds like (new) certificates are not loaded to
> services.
> 14.7.2015 4.10 ip. "Winfried Neessen" < neessen at cleverbridge.com > kirjoitti:

>> Hi,

>> my redis-server is running. Also I doubt that this has something to do with redis,
>> as the error says something
>> about a non-properly terminated TLS connection.

>> So I did a strace on the openvassd and found some messages about an untrusted
>> certificate. I then recreated
>> the CA, server and client certificates via openvas-mkcert -f and
>> openvas-mkcert-client -i -n and restarted
>> the services.

>> Now when I try to resume the job, it always tells me: 503 Service temporarily
>> down in the notice box of
>> GSA.

>> Any other suggestions?

>> Thanks
>> Winni

>>> From: "Eero Volotinen" < eero.volotinen at iki.fi >
>>> To: "Winfried Neessen" < neessen at cleverbridge.com >
>>> Cc: "openvas-discuss" < openvas-discuss at wald.intevation.org >
>>> Sent: Tuesday, July 14, 2015 12:10:47 PM
>>> Subject: Re: [Openvas-discuss] TLS error when trying to launch scan

>>> Check your redis-server configuration.
>>> 14.7.2015 1.09 ip. "Winfried Neessen" < neessen at cleverbridge.com > kirjoitti:

>>>> Hi,

>>>> I am trying to launch a scan in my OpenVAS instance. Once I press the
>>>> "play"-button, it says
>>>> "Requested" but after a second it already says: "Stopped at 1%". The
>>>> openvasmd.log says:

>>>> md main:WARNING:2015-07-14 10h06.49 UTC:24191: openvas_scanner_read: failed to
>>>> read from server: The TLS connection was non-properly terminated.
>>>> event task:MESSAGE:2015-07-14 10h06.49 UTC:24191: Status of task Test network
>>>> scan CGN (2fa50913-5928-4122-91a6-0c5251ecce56) has changed to Requested
>>>> event task:MESSAGE:2015-07-14 10h06.49 UTC:24191: Task
>>>> 2fa50913-5928-4122-91a6-0c5251ecce56 has been resumed by wneessen
>>>> md main:WARNING:2015-07-14 10h06.51 UTC:24193: openvas_scanner_read: failed to
>>>> read from server: The specified session has been invalidated for some reason.
>>>> event task:MESSAGE:2015-07-14 10h06.51 UTC:24193: Status of task Test network
>>>> scan CGN (2fa50913-5928-4122-91a6-0c5251ecce56) has changed to Stopped
>>>> md main:WARNING:2015-07-14 10h06.51 UTC:24193: sql_close: attempt to close db
>>>> with open statement(s)

>>>> Any idea what to do?

>>>> Thanks
>>>> Winni

>>>> _______________________________________________
>>>> Openvas-discuss mailing list
>>>> Openvas-discuss at wald.intevation.org
>>>> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss