Connections timing out during execution of gb_tls_version_get.nasl



This script was not picking up any TLS support. I first increased the script timeout to 3600 since it was timing out. After that, it was still missing some known supported TLS versions for the host in question, so I added some logging with timestamps to see what was happening.

The log output is appended to the end of this post.

It turns out that when testing the first version, there are long pauses between execution of the lines, e.g. approximately 4 minutes passed between when the socket is opened and when the system attempts to send the client hello, long after the target server has terminated the idle connection. So the script then fails to detect support for the version being tested because the connection is closed before the hello is sent.

N.B.: I also changed the version testing order.

openvas9 running on ubuntu 14.04
task config: max 4 concurrent NVTs
target: a single port on a single host

Changing max concurrent NVTs from 4 to 1 resolves this issue, at least for the simple case of a scan of a single host.

Is there a way to prioritize part of a script or a whole script to prevent delays between lines in a concurrent NVT scenario?

Logged output – note that I manually added the [… elapsed …] afterwards

Trying version TLSv1.2 at 1555106313 [… 75 seconds …]
sock opened TLSv1.2 at 1555106388 [… 109 seconds …]
hello_built TLSv1.2 at 1555106447 [… 148 seconds …]
hello_sent TLSv1.2 at 1555106595 [… 65 seconds …]
resp_recv TLSv1.2 at 1555106660 [… 226 seconds …]
search_built TLSv1.2 at 1555106886 [… 560 seconds …]
search_done TLSv1.2 at 1555107446 [… 468 seconds …]
soc_closed TLSv1.2 at 1555107914 [… 215 seconds …]
null_record TLSv1.2 at 1555108129 [… 44 seconds …]
Trying version TLSv1.1 at 1555108173 [… 2 seconds …]
sock opened TLSv1.1 at 1555108175
hello_built TLSv1.1 at 1555108175
hello_sent TLSv1.1 at 1555108175
resp_recv TLSv1.1 at 1555108175
search_built TLSv1.1 at 1555108175
search_done TLSv1.1 at 1555108175
soc_closed TLSv1.1 at 1555108175
supported - record[‘version’] matches TLSv1.1 at 1555108175
Trying version TLSv1.0 at 1555108175
sock opened TLSv1.0 at 1555108175
hello_built TLSv1.0 at 1555108175
hello_sent TLSv1.0 at 1555108175
resp_recv TLSv1.0 at 1555108175
search_built TLSv1.0 at 1555108175
search_done TLSv1.0 at 1555108175
soc_closed TLSv1.0 at 1555108175
supported - record[‘version’] matches TLSv1.0 at 1555108175
Trying version SSLv3 at 1555108175
sock opened SSLv3 at 1555108175
hello_built SSLv3 at 1555108175
hello_sent SSLv3 at 1555108175
resp_recv SSLv3 at 1555108175
search_built SSLv3 at 1555108175
search_done SSLv3 at 1555108175
soc_closed SSLv3 at 1555108175
null_record SSLv3 at 1555108175
Trying version SSLv2 at 1555108175
sock opened SSLv2 at 1555108175
hello_built SSLv2 at 1555108175
hello_sent SSLv2 at 1555108175
resp_recv SSLv2 at 1555108175
search_built SSLv2 at 1555108175
search_done SSLv2 at 1555108175
ssl_v2_check_cipher_spec_len SSLv2 at 1555108175


This looks like an issue within the scanner, more specifically Community feed unusable + Are there any difference in using 1 Maximum concurrently executed NVTs per host in OpenVAS9 than the default of 4? i’m moving this thread into the “GSE” category.

Please make sure that you’re using the latest version of the GVM components listed in either GVM-10 (stable, initial release 2019-04-05) or GVM-9 (old stable, initial release 2017-03-07)