Disable TLS 1.0/1.1 on ospd-openvas

Hello everyone,
We have configured remote scanners in our environment. A scan of our environment indicates that ospd-openvas accepts TLS 1.0/1.1 connections. How can I restrict this to TLS 1.2 only?
Thanks.

GVM versions

gsad: 21.4.3
gvmd: 21.4.4
openvas-scanner: 21.4.3
gvm-libs: 21.4.3

Environment

Operating system: Kali Linux
Kernel: 5.14.0-kali4-amd64
Installation method / source: apt install openvas

Modify /lib/systemd/system/greenbone-security-assistant.service.

Add --gnutls-priorities="SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" (with quotes) to the end of the ExecStart line.

Save changes. Run sudo systemctl daemon-reload. Restart the gvm services or reboot.

See: Priority Strings (GnuTLS 3.7.2)

2 Likes

Thanks but my issue is with ospd-openvas. gsad is already properly configured.
My ExecStart of ospd-openvas is this:
ExecStart=/usr/bin/ospd-openvas --config /etc/gvm/ospd-openvas.conf --log-config /etc/gvm/ospd-logging.conf -p 9390 --pid-file /run/ospd/ospd-openvas.pid --log-file /var/log/gvm/ospd-openvas.log --lock-file-dir /var/lib/openvas -k /var/lib/gvm/private/CA/clientkey.pem --ca-file /var/lib/gvm/CA/cacert.pem -c /var/lib/gvm/CA/clientcert.pem

For ospd-openvas, the file is server.py. On a 2021-4 install the file is located at /usr/lib/python3/dist-packages/ospd/server.py.

Modify the following line.
image

I also tried TLSv1_3, but an error reports it is not supported.

2 Likes
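The screenshot of the changed line did not survive on this page, so here is an added example (not ospd's own code and not the poster's exact edit) of setting a TLS 1.2 floor on a Python ssl server context and checking what the context still permits. The function names and the optional file arguments are assumptions made for illustration; the check reads the context's settings only and does not replace a rescan of the listener.

```python
import ssl

# (TLS version, legacy OP_NO_* flag that switches it off)
TLS_VERSIONS = (
    (ssl.TLSVersion.TLSv1, ssl.OP_NO_TLSv1),
    (ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1),
    (ssl.TLSVersion.TLSv1_2, ssl.OP_NO_TLSv1_2),
    (ssl.TLSVersion.TLSv1_3, ssl.OP_NO_TLSv1_3),
)


def hardened_server_context(cert_file=None, key_file=None, ca_file=None):
    """Server context with a TLS 1.2 floor and mandatory client certificates.

    The file arguments are optional only so this sketch runs without key material.
    """
    # PROTOCOL_TLS_SERVER negotiates the highest version both peers support.
    # Python's ssl module has no PROTOCOL_TLSv1_3 constant; TLS 1.3 is
    # allowed or excluded through minimum_version / maximum_version instead.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses TLS 1.0 and 1.1
    ctx.verify_mode = ssl.CERT_REQUIRED           # client must present a cert
    if cert_file:
        ctx.load_cert_chain(cert_file, keyfile=key_file)
    if ca_file:
        ctx.load_verify_locations(ca_file)
    return ctx


def permitted_versions(ctx):
    """List the TLS versions that the context's own settings still allow."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    allowed = []
    for version, off_flag in TLS_VERSIONS:
        if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and version < lo:
            continue  # below the configured floor
        if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and version > hi:
            continue  # above the configured ceiling
        if ctx.options & off_flag:
            continue  # disabled the legacy way via OP_NO_*
        allowed.append(version.name)
    return allowed


if __name__ == "__main__":
    print(permitted_versions(hardened_server_context()))
```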

Exactly what I was looking for! Thanks 🙂

1 Like