Hi list,

when checking my test installation on Gentoo of openvas by openvas itself, a vulnerability in the GSAD https webserver is reported: it seems that gsad is able to fall back to the SSLv3 protocol (POODLE attack).

As GSAD is built on libmicrohttpd, what would be the proper way to prevent the fallback to SSLv3 and only use the, at the current time, secure TLS protocols? Is there a way to disable SSLv3 during compile time of libmicrohttpd or its dependency gnutls? At least I found no Gentoo USE flags for disabling SSLv3 in these packages. Or is it possible to use some configuration-fu to disable SSL inside gsad itself?

As a last resort I think I will have to proxy gsad through another web server like Apache or lighttpd which can be configured to disallow connection attempts using SSLv3 and below.

Kind regards,
Chris

_______________________________________________
Openvas-discuss mailing list
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
