Hi René:

On 29.01.16 19:55, Rene Behring wrote:
do you also renew the certificates?

I think it was
openvas-mkcert
and
openvas-mkcert-client -n -i

No....  I now

- killed the running openvassd
- erased /opt/openvas/var/lib/openvas/CA/* and /opt/openvas/var/lib/openvas/private/CA/*
- ran openvas-mkcert with default values
- ran openvas-mkcert-client -n -i
- re-started openvassd; netstat says it listens at 0.0.0.0:9391
- running openvas-check-setup says
  ERROR: The number of NVTs in the OpenVAS Manager database is too low.
  FIX: Make sure OpenVAS Scanner is running with an up-to-date NVT collection and run 'openvasmd --rebuild'.
- running 'openvasmd -v --rebuild' produces the same error messages as before:
  md   main:   INFO:2016-01-29 20h30.21 utc:7042:    OpenVAS Manager version 6.0.7 (DB revision 146)
  md   main:   INFO:2016-01-29 20h30.21 utc:7042: rebuild_nvt_cache_retry: Reloading NVT cache
  md   main:   INFO:2016-01-29 20h30.21 utc:7043: update_or_rebuild_nvt_cache: Rebuilding NVT cache
  md   main:MESSAGE:2016-01-29 20h30.21 utc:7043: No SCAP database found
  md   main:MESSAGE:2016-01-29 20h30.21 utc:7043: No CERT database found
  md   main:   INFO:2016-01-29 20h30.21 utc:7043:    Updating NVT cache.
  lib  serv:WARNING:2016-01-29 20h30.21 utc:7043: Failed to shake hands with peer: Error in the push function.
  lib  serv:WARNING:2016-01-29 20h30.21 utc:7043: Failed to shutdown server socket

BTW, I created the original certs only yesterday, also with the default 
lifetimes (1 and 3 years, respectively), and the box is running ntpd, so I 
*really* believe they were not expired.  And the new ones are *not*...

I now tried to connect openvassd by just running

<snip>
openssl s_client -connect localhost:9391 -cert /opt/openvas/var/lib/openvas/CA/clientcert.pem \
        -CAfile /opt/openvas/var/lib/openvas/CA/cacert.pem \
        -key /opt/openvas/var/lib/openvas/private/CA/clientkey.pem
</snip>

which *did* work just fine, i.e. the connection was established.  Typing in 
some crap in openssl, openvassd apparently shuts down the connection.  Thus, 
that part looks good afaict.

I then killed openvassd again, and ran openssl as server for openvasmd:

<snip>
openssl s_server -accept 9391 -cert /opt/openvas/var/lib/openvas/CA/servercert.pem \
        -CAfile /opt/openvas/var/lib/openvas/CA/cacert.pem \
        -key /opt/openvas/var/lib/openvas/private/CA/serverkey.pem \
        -dhparam dh1024.pem -state -msg -debug
</snip>

(I added a 1024 bit dh file, as otherwise openvasmd complains about the too 
short dh parameter.)  Now the openvasmd log says

<snip>
lib  serv:WARNING:2016-01-29 21h02.17 utc:7415: openvas_server_verify: the certificate is not trusted
lib  serv:WARNING:2016-01-29 21h02.17 utc:7415: openvas_server_verify: the certificate hasn't got a known issuer
</snip>

which IMO is strange as I used the same certs openvassd presented to openssl.

Any idea what I could test more, or what could resolve the issue?

Thanks,
Albrecht.
_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
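Added example, not from the thread or the OpenVAS project: a small shell diagnostic for the "certificate is not trusted / hasn't got a known issuer" symptom described above. It assumes the openssl command line (1.1.1 or later) and a POSIX sh, and it builds its own throwaway CA and server certificate, so the file names (ca1, ca2, srv) are constructed; to check a live install, point diagnose at the real cacert.pem and servercert.pem instead.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). openvasmd's "certificate is not
# trusted / hasn't got a known issuer" means the peer cert does not chain to
# the CA file openvasmd loads; these checks separate that from expiry and
# from a plain issuer/subject name mismatch.
set -eu

# cert_trusted CAFILE CERT: succeeds only if CERT verifies against CAFILE
cert_trusted() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# cert_valid_now CERT: succeeds if CERT has not passed its notAfter date
cert_valid_now() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }

# issuer_matches CAFILE CERT: succeeds if CERT's issuer DN equals CAFILE's subject DN
issuer_matches() {
    ca_subj=$(openssl x509 -in "$1" -noout -subject)
    cert_iss=$(openssl x509 -in "$2" -noout -issuer)
    [ "${ca_subj#subject=}" = "${cert_iss#issuer=}" ]
}

# diagnose CAFILE CERT: one line per check; returns 0 only if all three pass
diagnose() {
    rc=0
    cert_valid_now "$2"      && echo "validity: ok"      || { echo "validity: EXPIRED"; rc=1; }
    issuer_matches "$1" "$2" && echo "issuer:   matches" || { echo "issuer:   does not match CA subject"; rc=1; }
    cert_trusted "$1" "$2"   && echo "chain:    trusted" || { echo "chain:    NOT trusted by this CA file"; rc=1; }
    return $rc
}

# Constructed throwaway PKI (hypothetical names, deleted on exit): srv.pem is
# signed by ca1; ca2 stands in for a cacert.pem that did not sign it.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
mk_ca() { openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
              -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null; }
mk_ca ca1; mk_ca ca2
openssl req -newkey rsa:2048 -nodes -subj "/CN=scanner" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/srv.csr" -CA "$WORK/ca1.pem" \
    -CAkey "$WORK/ca1.key" -CAcreateserial -out "$WORK/srv.pem" 2>/dev/null

echo "== srv.pem against the CA that signed it (ca1)"
diagnose "$WORK/ca1.pem" "$WORK/srv.pem"
echo "== srv.pem against an unrelated CA file (ca2): the openvasmd symptom"
diagnose "$WORK/ca2.pem" "$WORK/srv.pem" || true
```

When the chain check fails but the issuer names match, the daemon is loading a cacert.pem from a different generation than the one that signed the server and client certificates, which is the first thing to compare after re-running openvas-mkcert.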
