On Mittwoch, 9. April 2014, Greg Etling wrote: > Along these lines - Openvas appears to use libssl3.so instead of the > compromised libssl.so.10 versions, can anyone confirm whether any SSL keys > or certs would need to be recreated for Openvas itself, if installed on a > system with an insecure version of openssl?
OpenVAS Scanner, OpenVAS Manager and OpenVAS Administrator use GNU/TLS for the service protocols OTP, OMP, OAP. For libraries like microhttpd it depends on your environment to which ssl lib you linked it. OpenSSL is often the default. For Greenbone OS we build libmhd with GNU/TLS, not with OpenSSL. So the GSA (https) is not affected (btw, Greenbone OS as a whole is not affected by this security problem). So it depends a bit on your setup. Some people use stunnel for port 443 to the local http port of GSA which might isolate the problem, but again depending on the setup. -- Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/ Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460 Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner _______________________________________________ Openvas-discuss mailing list [email protected] https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
