[Openvas-discuss] TLS error when trying to launch scan

Winfried Neessen neessen at cleverbridge.com
Thu Jul 16 16:46:13 CEST 2015


Hi again, 

sorry for the SPAM. I figured out the issue and wanted to send the resolution to the 
group, in case someone has a similar problem. 

The problem was the scanner verification of the openvasmd. When I ran 
openvasmd --verify-scanner with the default scanner id, it said "failed" (this 
should be more verbose in my opinion, as "failed" is not helpful). 

So I used openvasmd --create-scanner to create a new local OpenVAS 
scanner instance and changed my scan config to use this instead of the default 
one. This seems to have resolved the issue. 

I suggest that the OpenVAS team adds a little better logging. It's very frustrating 
to spend two days troubleshooting because of missing/insufficient logging. 

Winni 
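The gnutls-cli output quoted further down in the thread reports "The certificate is NOT trusted. The name in the certificate does not match the expected": the name the client dialled ("localhost") is not among the names the scanner certificate carries (CN=netscan.cgn.cleverbridge.com). The following Python is an added example, not code from this thread or from the OpenVAS project. It reproduces that reference-identity check offline on a constructed copy of the certificate's subject, laid out the way ssl.SSLSocket.getpeercert() represents it (the absence of a subjectAltName extension is an assumption), and shows the two ways the check can pass: a certificate issued for the name the connecting side expects, or the connecting side using the name that is in the certificate. The explain() helper is hypothetical and exists only to print both sides of the comparison, which is the detail the thread found missing from "failed".

```python
import ipaddress

# Constructed: how ssl.SSLSocket.getpeercert() would represent the scanner
# certificate shown in the gnutls-cli output (subject fields copied from the
# thread; the absence of a subjectAltName extension is an assumption).
SCANNER_CERT = {
    "subject": (
        (("countryName", "DE"),),
        (("stateOrProvinceName", "NRW"),),
        (("localityName", "Cologne"),),
        (("organizationName", "cleverbridge AG"),),
        (("organizationalUnitName",
          "Server certificate for netscan.cgn.cleverbridge.com"),),
        (("commonName", "netscan.cgn.cleverbridge.com"),),
        (("emailAddress", "openvassd@netscan.cgn.cleverbridge.com"),),
    ),
}

# Constructed: a certificate issued for the local scanner endpoint instead.
LOCAL_CERT = {
    "subject": ((("commonName", "ignored-when-sans-exist"),),),
    "subjectAltName": (("DNS", "localhost"), ("IP Address", "127.0.0.1")),
}


def certificate_names(cert):
    """DNS names the certificate claims. Per RFC 6125 section 6.4.4 a verifier
    uses dNSName SANs when present and falls back to the subject CN only when
    the certificate has no SANs at all."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def dns_name_matches(pattern, hostname):
    """Case-insensitive exact match, or a single whole-label wildcard in the
    left-most position that covers exactly one label (never the TLD)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial wildcards such as "f*o" are deliberately rejected
    return p_labels[1:] == h_labels[1:]


def hostname_matches(expected, cert):
    """The reference-identity check a TLS client performs after chain
    validation: does the name it dialled match a name in the certificate?"""
    try:
        ip = ipaddress.ip_address(expected)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals match only iPAddress SANs; a CN never satisfies them.
        return any(kind == "IP Address" and ipaddress.ip_address(v) == ip
                   for kind, v in cert.get("subjectAltName", ()))
    return any(dns_name_matches(n, expected) for n in certificate_names(cert))


def explain(expected, cert):
    """Hypothetical helper: one-line verdict naming both sides of the
    comparison instead of a bare 'failed'."""
    names = certificate_names(cert) + [
        v for kind, v in cert.get("subjectAltName", ()) if kind == "IP Address"]
    verdict = "OK" if hostname_matches(expected, cert) else "MISMATCH"
    return "%s: expected %r, certificate names %r" % (verdict, expected, names)


if __name__ == "__main__":
    print(explain("localhost", SCANNER_CERT))
    print(explain("netscan.cgn.cleverbridge.com", SCANNER_CERT))
    print(explain("localhost", LOCAL_CERT))
```

Running the block prints a MISMATCH for the thread's situation (client expects "localhost", certificate only names netscan.cgn.cleverbridge.com) and OK for the two remedies. Note that gnutls-cli was run with --insecure, which is why the handshake still completed after the mismatch was reported; a manager that verifies its scanner connection will not proceed past that point.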

> From: "Winfried Neessen" <neessen at cleverbridge.com>
> To: "openvas-discuss" <openvas-discuss at wald.intevation.org>
> Sent: Thursday, July 16, 2015 3:52:40 PM
> Subject: Re: [Openvas-discuss] TLS error when trying to launch scan

> Holy moly...

> now that I saw my mail, I see the:

> - Status: The certificate is NOT trusted. The name in the certificate does not
> match the expected.

> warning. Looks like this might be the issue.

> Winni

>> From: "Winfried Neessen" <neessen at cleverbridge.com>
>> To: "openvas-discuss" <openvas-discuss at wald.intevation.org>
>> Sent: Thursday, July 16, 2015 3:50:23 PM
>> Subject: Re: [Openvas-discuss] TLS error when trying to launch scan

>> Hi,

>> any other suggestions on how to troubleshoot this? It definitely seems to be
>> GnuTLS related, but I am not able to figure out what happens. gnutls-cli is able
>> to connect:

>> % sudo gnutls-cli --x509cafile /usr/pkg/openvas/var/lib/openvas/CA/cacert.pem
>> --x509certfile /usr/pkg/openvas/var/lib/openvas/CA/clientcert.pem --x509keyfile
>> /usr/pkg/openvas/var/lib/openvas/private/CA/clientkey.pem --insecure -p 9391
>> localhost
>> Processed 1 CA certificate(s).
>> Processed 1 client X.509 certificates...
>> Resolving 'localhost'...
>> Connecting to '::1:9391'...
>> Connecting to '127.0.0.1:9391'...
>> - Certificate type: X.509
>> - Got a certificate list of 1 certificates.
>> - Certificate[0] info:
>> - subject `C=DE,ST=NRW,L=Cologne,O=cleverbridge AG,OU=Server certificate for
>> netscan.cgn.cleverbridge.com,CN=netscan.cgn.cleverbridge.com,EMAIL=openvassd at netscan.cgn.cleverbridge.com',
>> issuer `C=DE,ST=NRW,L=Cologne,O=cleverbridge AG,OU=Certification Authority for
>> netscan.cgn.cleverbridge.com,CN=netscan.cgn.cleverbridge.com,EMAIL=ca at netscan.cgn.cleverbridge.com',
>> RSA key 4096 bits, signed using RSA-SHA256, activated `2015-07-14 12:40:08
>> UTC', expires `2016-07-13 12:40:08 UTC', SHA-1 fingerprint
>> `03d157c0bb49caff86e9494862bbe72f17977b52'
>> Public Key ID:
>> 4917ebe77e2ec221116f0210458c9d27fee3e97a
>> Public key's random art:
>> +--[ RSA 4096]----+
>> | oOo. . |
>> | . * o o |
>> | . +.oo |
>> | ..o+o |
>> | .S+. . |
>> | + .o |
>> | . = .. |
>> | E o.. . |
>> | .+. ..+. |
>> +-----------------+

>> - Status: The certificate is NOT trusted. The name in the certificate does not
>> match the expected.
>> *** PKI verification of server certificate failed...
>> - Successfully sent 1 certificate(s) to server.
>> - Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
>> - Session ID:
>> D7:4B:24:A4:55:5B:75:17:ED:3E:96:65:7A:72:31:FB:F7:E1:A6:AD:55:9F:69:5A:F6:AC:B7:C0:CF:A5:B8:02
>> - Ephemeral EC Diffie-Hellman parameters
>> - Using curve: SECP256R1
>> - Curve size: 256 bits
>> - Version: TLS1.2
>> - Key Exchange: ECDHE-RSA
>> - Server Signature: RSA-SHA256
>> - Client Signature: RSA-SHA256
>> - Cipher: AES-128-GCM
>> - MAC: AEAD
>> - Compression: NULL
>> - Options: extended master secret, safe renegotiation,
>> - Handshake was completed

>> - Simple Client Mode:

>> Any help is highly appreciated.

>> Winni

>>> From: "Eero Volotinen" <eero.volotinen at iki.fi>
>>> To: "Winfried Neessen" <neessen at cleverbridge.com>
>>> Cc: "openvas-discuss" <openvas-discuss at wald.intevation.org>
>>> Sent: Tuesday, July 14, 2015 3:56:03 PM
>>> Subject: Re: [Openvas-discuss] TLS error when trying to launch scan

>>> Try restarting services again. Sounds like (new) certificates are not loaded into
>>> the services.
>>> On 14.7.2015 4.10 PM, "Winfried Neessen" <neessen at cleverbridge.com> wrote:

>>>> Hi,

>>>> my redis-server is running. Also I doubt that this has s. th. to do with redis,
>>>> as the error says something about a non-properly terminated TLS connection.

>>>> So I did a strace on the openvassd and found some messages about an untrusted
>>>> certificate. I then recreated the CA, server and client certificates via
>>>> openvas-mkcert -f and openvas-mkcert-client -i -n and restarted the services.

>>>> Now when I try to resume the job, it always tells me: 503 Service temporarly
>>>> down in the notice box of GSA.

>>>> Any other suggestions?

>>>> Thanks
>>>> Winni

>>>>> From: "Eero Volotinen" < eero.volotinen at iki.fi >
>>>>> To: "Winfried Neessen" < neessen at cleverbridge.com >
>>>>> Cc: "openvas-discuss" < openvas-discuss at wald.intevation.org >
>>>>> Sent: Tuesday, July 14, 2015 12:10:47 PM
>>>>> Subject: Re: [Openvas-discuss] TLS error when trying to launch scan

>>>>> Check your redis-server configuration.
>>>>> On 14.7.2015 1.09 PM, "Winfried Neessen" <neessen at cleverbridge.com> wrote:

>>>>>> Hi,

>>>>>> I am trying to launch a scan in my OpenVAS instance. Once I press the
>>>>>> "play"-button, it says "Requested" but after a second it already says:
>>>>>> "Stopped at 1%". The openvasmd.log says:

>>>>>> md main:WARNING:2015-07-14 10h06.49 UTC:24191: openvas_scanner_read: failed to
>>>>>> read from server: The TLS connection was non-properly terminated.
>>>>>> event task:MESSAGE:2015-07-14 10h06.49 UTC:24191: Status of task Test network
>>>>>> scan CGN (2fa50913-5928-4122-91a6-0c5251ecce56) has changed to Requested
>>>>>> event task:MESSAGE:2015-07-14 10h06.49 UTC:24191: Task
>>>>>> 2fa50913-5928-4122-91a6-0c5251ecce56 has been resumed by wneessen
>>>>>> md main:WARNING:2015-07-14 10h06.51 UTC:24193: openvas_scanner_read: failed to
>>>>>> read from server: The specified session has been invalidated for some reason.
>>>>>> event task:MESSAGE:2015-07-14 10h06.51 UTC:24193: Status of task Test network
>>>>>> scan CGN (2fa50913-5928-4122-91a6-0c5251ecce56) has changed to Stopped
>>>>>> md main:WARNING:2015-07-14 10h06.51 UTC:24193: sql_close: attempt to close db
>>>>>> with open statement(s)

>>>>>> Any idea what to do?

>>>>>> Thanks
>>>>>> Winni

>>>>>> _______________________________________________
>>>>>> Openvas-discuss mailing list
>>>>>> Openvas-discuss at wald.intevation.org
>>>>>> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss


