Scanning gvm with gvm

Hi!

Scanning gvm with gvm gives one 5.5 scored vulnerability: some https-ciphers are not taken as secure and you are advised to disable them. Any configuration value to set to make gvmd not use these ciphers any more?

–
Thomas

During the setup of your installation you either created a certificate with the respective GVM helper script
or you created the certificates on your own.

There are many things and ways that influence the quality of the certificates.

If you share the scan result, the GVM version, your underlying operating system (with a hint at the gnutls version) and of course how you generated the certificate, this would help for a more detailed answer.

Doing the TLS certificates right and offering various options to manage this did cost us quite a lot of work for the administration interface of the Greenbone Security Manager appliance. And it needs attention on a continuous basis.


Hi,

Adding to the certificates mentioned previously, the cipher suites used and the allowed TLS versions of the gsad component play a role as well.

By default, gsad will use the global/system-wide configured cipher suites and TLS version of GnuTLS. To override this default of GnuTLS, have a look at the --gnutls-priorities command line option of gsad:

Examples of more secure priority strings were posted at various places in the past, e.g.:

--gnutls-priorities=SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0
http://lists.wald.intevation.org/pipermail/openvas-discuss/2017-June/011099.html
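
An added example, not part of the original posts and not GVM's own code: a shell helper that lists what a GnuTLS priority string enables (via `gnutls-cli --list --priority=...`) and flags SSL 3.0/TLS 1.0 and CBC suites before the string is passed to gsad with --gnutls-priorities. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit what a GnuTLS priority string enables before handing
# it to gsad via --gnutls-priorities.

# Reads `gnutls-cli --list --priority=...` output on stdin and prints one
# finding per line: legacy protocol versions and CBC-mode cipher suites.
audit_listing() {
    awk '
        /^Protocols:/ {
            sub(/^Protocols:[ \t]*/, "")
            n = split($0, v, /,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (v[i] == "VERS-SSL3.0" || v[i] == "VERS-TLS1.0")
                    print "legacy-protocol " v[i]
            next
        }
        /^TLS_/ && $1 ~ /_CBC_/ { print "cbc-suite " $1 }
    '
}

# Runs the audit for a priority string; needs gnutls-cli on PATH.
audit_priority() {
    gnutls-cli --list --priority="$1" | audit_listing
}

# Constructed sample listing (not captured from a real system), in the layout
# gnutls-cli --list prints: suite name, id bytes, minimum protocol version.
sample_listing() {
    cat <<'EOF'
Cipher suites for NORMAL
TLS_AES_256_GCM_SHA384                  0x13, 0x02      TLS1.3
TLS_ECDHE_RSA_AES_128_GCM_SHA256        0xc0, 0x2f      TLS1.2
TLS_ECDHE_RSA_AES_128_CBC_SHA1          0xc0, 0x13      TLS1.0
TLS_RSA_CAMELLIA_128_CBC_SHA1           0x00, 0x41      TLS1.0

Protocols: VERS-TLS1.3, VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0
Ciphers: AES-256-GCM, AES-128-GCM, AES-128-CBC, CAMELLIA-128-CBC
EOF
}

# Demonstration on the constructed sample; prints three findings.
sample_listing | audit_listing
```

On a host with gnutls-cli installed, `audit_priority '<priority string>'` runs the same check against the local GnuTLS build; the result depends on the installed GnuTLS version.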