immauss / openvas

Containers for running the Greenbone Vulnerability Manager. Run as a single container with all services or separate single applications containers via docker-compose.
GNU Affero General Public License v3.0

Disable TLS1.0 and TLS1.1 - Not really a bug, more like an enhancement. #253

Closed rkoosaar closed 1 month ago

rkoosaar commented 9 months ago

For Postfix. Disable VRFY and/or EXPN on your Mailserver.

edit /etc/postfix/main.cf and add 'disable_vrfy_command=yes' in 'main.cf'.

Disable TLS1.0 and TLS1.1


```
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
```

For ospd-openvas (web interface?): https://forum.greenbone.net/t/disable-tls-1-0-1-1-on-ospd-openvas/10945 (see the last post in that thread). On the single docker images, /usr/lib/python3/dist-packages/ospd/server.py seems to be missing.
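Added example (not code from the thread or from the immauss/openvas project): a small audit script that reads a Postfix `main.cf` and reports whether the settings proposed above are actually in effect. It handles the `main.cf` syntax Postfix uses (comments, `key = value`, continuation lines that start with whitespace, last definition wins) and both ways of writing a protocol list: the exclusion form with `!` from this post and the `>=TLSv1.2` bound form accepted by newer Postfix releases. The sample configs are constructed for the example; `SAMPLE_MAIN_CF` deliberately leaves one parameter weak so the report shows a finding, and `HARDENED_MAIN_CF` is the four lines from this post plus `disable_vrfy_command`.

```python
"""Audit a Postfix main.cf for VRFY and legacy TLS protocol settings.

Added example for this issue thread; not part of the immauss/openvas images.
"""
import re
from typing import Dict, List

# Constructed sample: a comment, a continuation line, a later override of
# disable_vrfy_command, and one parameter that still allows TLSv1/TLSv1.1.
SAMPLE_MAIN_CF = """\
# constructed example main.cf
myhostname = mail.example.invalid
disable_vrfy_command = no
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3,
    !TLSv1, !TLSv1.1
smtp_tls_protocols = >=TLSv1.2
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
disable_vrfy_command = yes
"""

# Constructed sample with the settings proposed in the thread.
HARDENED_MAIN_CF = """\
disable_vrfy_command = yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
"""

TLS_PARAMS = ["smtpd_tls_protocols", "smtpd_tls_mandatory_protocols",
              "smtp_tls_protocols", "smtp_tls_mandatory_protocols"]
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = ORDER[:4]  # everything below TLSv1.2 is deprecated


def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse main.cf into a dict; later definitions override earlier ones."""
    params: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":  # continuation of the previous parameter's value
            if current is not None:
                params[current] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue  # not a key = value line; ignore
        current = key.strip()
        params[current] = value.strip()
    return params


def legacy_allowed(spec: str) -> List[str]:
    """Return the legacy protocols a *_tls_protocols value still permits."""
    tokens = [t for t in re.split(r"[,\s]+", spec) if t]
    if not tokens:
        # Unset: treat as permitting legacy versions (conservative; the
        # Postfix default depends on the release).
        return list(LEGACY)
    exclusions = {t[1:] for t in tokens if t.startswith("!")}
    if exclusions:  # exclusion form: everything not excluded is on
        return [p for p in LEGACY if p not in exclusions]
    lower, upper, names, has_bound = 0, len(ORDER) - 1, set(), False
    for t in tokens:  # inclusion form: names and/or >=/<= bounds
        if t.startswith(">=") and t[2:] in ORDER:
            lower, has_bound = max(lower, ORDER.index(t[2:])), True
        elif t.startswith("<=") and t[2:] in ORDER:
            upper, has_bound = min(upper, ORDER.index(t[2:])), True
        elif t in ORDER:
            names.add(t)
    allowed = set(ORDER[lower:upper + 1]) if has_bound else set()
    allowed |= names
    return [p for p in LEGACY if p in allowed]


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means the config matches the advice."""
    params = parse_main_cf(text)
    findings = []
    if params.get("disable_vrfy_command", "no").lower() != "yes":
        findings.append("disable_vrfy_command is not 'yes': VRFY stays enabled")
    for name in TLS_PARAMS:
        legacy = legacy_allowed(params.get(name, ""))
        if legacy:
            findings.append(f"{name} still permits {', '.join(legacy)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(f"{label}: {audit(cfg) or ['OK']}")
```

Point it at a real file with `audit(open("/etc/postfix/main.cf").read())` after applying the change; the script checks the file's content only, so `postconf -n` remains the authoritative view of what Postfix actually loaded.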

immauss commented 9 months ago

Thanks! This is a good idea. I will incorporate it into the next build. I've not really thought about those too much as they are internal to docker, but always a good idea to keep them as secure as possible. Begs the question of why disabling TLS1.0 & 1.1 and making them as secure as possible ( for the ospd-openvas) are not the defaults from GB. :/

And to answer your parenthetical question, 9390 is the port for the API. I think it is a REST API, but it is not a web interface. :)

rkoosaar commented 9 months ago

Thanks. If you scan the box that openvas is running on with openvas and it reports port 9390, then you get the "SSL/TLS: Deprecated TLSv1.0 and TLSv1.1 Protocol Detection" - and I thought that last post described how to turn off TLS1.0 and TLS1.1 for 9390.

immauss commented 9 months ago

You're absolutely right.

Thanks, Scott

immauss commented 1 month ago

I finally got a chance to look deeper into this. The Postfix changes were easy. But the ospd, not so. There have been lots of changes from GB since that post. I tried making the change suggested, but it only affects the active protocol used, not what is available. Either way .. that sort of change is more appropriate for GB. Except for the minor branding changes to GSA, my intent has always been to keep the code GB produces.

BTW ... It also seems that TLS 1.3 is available now, at least based on the code in server.py anyway.