List: openvas-discuss
Subject: Re: [Openvas-discuss] OPENVASMD 9390/TCP Weak Ciphers
From: Jason Garin <j_garin5 () yahoo ! com>
Date: 2014-05-27 19:54:27
Message-ID: 1401220467.58992.YahooMailNeo () web161303 ! mail ! bf1 ! yahoo ! com
Are the --gnutls-priorities and --dhparams arguments available for v6? I know they are available for v5.

On Monday, May 26, 2014 5:38 AM, Reindl Harald <h.reindl@thelounge.net> wrote:

Am 26.05.2014 13:58, schrieb Hani Benhabiles:
> On 2014-05-26 12:07, Reindl Harald wrote:
>
> Because there is no such thing as "default" DH parameters to be used for
> DHE by the server. Not with GnuTLS 2.x nor
> with GnuTLS 3.x...
>
> Don't trust me ?
> - Check openssl s_server's -dhparam
> - Check gnutls's --dhparams
> - Check nginx' ssl_dhparam configuration
> - Check openvpn's --dh
> etc,...

that must be why Apache can offer DHE for years without
specific configurations and even if it needs dh-params
it can be not that hard to generate them automatically

* dovecot can
* postfix can
* apache can

only GSA can't

[harry@rh:~]$ sslscan openvas | grep Accepted
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 256 bits CAMELLIA256-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits CAMELLIA128-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLS11 256 bits AES256-SHA
Accepted TLS11 256 bits CAMELLIA256-SHA
Accepted TLS11 168 bits DES-CBC3-SHA
Accepted TLS11 128 bits AES128-SHA
Accepted TLS11 128 bits CAMELLIA128-SHA
Accepted TLS11 128 bits RC4-SHA
Accepted TLS11 128 bits RC4-MD5
_______________________________________________
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
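
An added example, not part of the original thread or of OpenVAS: a small Python audit of `sslscan ... | grep Accepted` output like the listing quoted above, which flags legacy protocols and ciphers and reports whether any DHE/ECDHE suite is offered at all. The sample lines are constructed from that listing, and the weak-cipher policy and function names are assumptions made for this illustration.

```python
import re

# Constructed sample: a few of the sslscan lines quoted in the message above.
SAMPLE = """\
    Accepted  SSLv3  128 bits  RC4-MD5
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLS11  256 bits  AES256-SHA
    Accepted  TLS11  256 bits  CAMELLIA256-SHA
"""

ACCEPTED = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")

# Assumed audit policy for this example, not an OpenVAS or sslscan default.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_TOKENS = {
    "RC4": "RC4 stream cipher",
    "MD5": "MD5-based MAC",
    "DES": "DES/3DES 64-bit block cipher",
    "NULL": "no encryption",
    "EXP": "export-grade key length",
}
# OpenSSL-style names put the key exchange first when it is ephemeral DH.
FORWARD_SECRET_PREFIXES = ("DHE-", "EDH-", "ECDHE-")


def parse_accepted(text):
    """Return (protocol, bits, cipher) for each 'Accepted' line."""
    matches = (ACCEPTED.match(line) for line in text.splitlines())
    return [(m.group(1), int(m.group(2)), m.group(3)) for m in matches if m]


def audit(text):
    """Flag weak suites and report whether any DHE/ECDHE suite is offered."""
    suites = parse_accepted(text)
    weak = []
    for proto, _bits, cipher in suites:
        reasons = ["protocol " + proto] if proto in WEAK_PROTOCOLS else []
        tokens = cipher.split("-")
        reasons += [why for tok, why in WEAK_TOKENS.items() if tok in tokens]
        if reasons:
            weak.append((proto, cipher, reasons))
    forward_secrecy = any(c.startswith(FORWARD_SECRET_PREFIXES) for _, _, c in suites)
    return {"total": len(suites), "weak": weak, "forward_secrecy": forward_secrecy}


if __name__ == "__main__":
    report = audit(SAMPLE)
    for proto, cipher, reasons in report["weak"]:
        print(f"WEAK {proto:6} {cipher:16} {', '.join(reasons)}")
    print("forward secrecy offered:", report["forward_secrecy"])
```

Re-running the same audit after changing the server's priority string or supplying DH parameters shows whether the weak entries disappeared and a DHE suite appeared.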