immauss / openvas

Containers for running the Greenbone Vulnerability Manager. Run as a single container with all services or separate single applications containers via docker-compose.
GNU Affero General Public License v3.0

Disable TLS1.0 and TLS1.1 - Not really a bug, more like an enhancement. #253

Open rkoosaar opened 4 months ago

rkoosaar commented 4 months ago

For Postfix. Disable VRFY and/or EXPN on your Mailserver.

edit /etc/postfix/main.cf and add 'disable_vrfy_command=yes' in 'main.cf'.

Disable TLS1.0 and TLS1.1

edit /etc/postfix/main.cf and add 'disable_vrfy_command=yes' in 'main.cf'.

```
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
```

For ospd-openvas (web interface?): https://forum.greenbone.net/t/disable-tls-1-0-1-1-on-ospd-openvas/10945 <- see the last post on this link. On the single docker images, /usr/lib/python3/dist-packages/ospd/server.py seems to be missing.
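To check that a Postfix main.cf actually carries the hardening described in this issue before a rescan, here is an added audit script (not part of the issue or of the immauss/openvas images). It parses main.cf (comments, continuation lines), evaluates each `*_tls_protocols` list under Postfix's exclusion (`!TLSv1`), inclusion (`TLSv1.2, TLSv1.3`) and Postfix 3.6+ floor (`>=TLSv1.2`) syntaxes, and reports any parameter that still permits a deprecated protocol; the embedded config is constructed sample input with one weak line left in.

```python
import re

# Constructed sample main.cf: three hardened lines, one left weak on purpose.
SAMPLE_MAIN_CF = """\
# mail settings
disable_vrfy_command = yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3,
    !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = >=TLSv1.2
"""

TLS_PARAMS = ("smtpd_tls_mandatory_protocols", "smtpd_tls_protocols",
              "smtp_tls_mandatory_protocols", "smtp_tls_protocols")
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = ORDER[:4]  # what the scanner flags as deprecated

def parse_main_cf(text):
    """Minimal main.cf parser: 'key = value', '#' comments, indented continuations."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and key:          # continuation of previous value
            params[key] += " " + line.strip()
        elif "=" in line:
            key, _, value = line.partition("=")
            key = key.strip()
            params[key] = value.strip()
    return params

def legacy_allowed(value):
    """Legacy protocols a Postfix *_tls_protocols value still permits (empty list = hardened)."""
    tokens = [t for t in re.split(r"[\s,:]+", value) if t]
    floors = [t[2:] for t in tokens if t.startswith(">=")]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = [t for t in tokens if not t.startswith(("!", ">="))]
    if floors and floors[0] in ORDER:          # ">=TLSv1.2": that version and newer
        allowed = set(ORDER[ORDER.index(floors[0]):])
    elif included:                             # plain names: inclusion-only list
        allowed = set(included)
    else:                                      # only exclusions (or empty): everything else
        allowed = set(ORDER)
    return sorted((allowed - excluded) & set(LEGACY), key=ORDER.index)

def audit(params):
    """Return human-readable findings; an empty list means the issue's hardening is present."""
    findings = []
    if params.get("disable_vrfy_command", "no").lower() != "yes":
        findings.append("disable_vrfy_command is not 'yes' (VRFY still enabled)")
    for p in TLS_PARAMS:
        if p not in params:
            findings.append(f"{p} not set; Postfix defaults apply")
        elif legacy_allowed(params[p]):
            findings.append(f"{p} still permits {', '.join(legacy_allowed(params[p]))}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_main_cf(SAMPLE_MAIN_CF)):
        print("WEAK:", finding)
```

Run it against the real file with `parse_main_cf(open("/etc/postfix/main.cf").read())`; the same protocol logic applies to the `smtp_*` (client) and `smtpd_*` (server) parameters alike.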

immauss commented 4 months ago

Thanks! This is a good idea. I will incorporate it into the next build. I've not really thought about those too much as they are internal to docker, but it is always a good idea to keep them as secure as possible. Begs the question of why disabling TLS1.0 & 1.1 and making them as secure as possible (for ospd-openvas) are not the defaults from GB. :/

And to answer your parenthetical question, 9390 is the port for the API. I think it is a REST API, but it is not a web interface. :)

rkoosaar commented 4 months ago

Thanks. If you scan the box that openvas is running on with openvas and it reports port 9390, then you get the "SSL/TLS: Deprecated TLSv1.0 and TLSv1.1 Protocol Detection" - and I thought that last post described how to turn off TLS1.0 and TLS1.1 for 9390.

immauss commented 4 months ago

You're absolutely right.

Thanks, Scott