Mailing List Archive

For those who are brave enough, or are collecting bugs, "Nessus on
SSL" can be tested now.
I suspect that some very nasty bugs are still in this code...

CVS-checkout the four Nessus modules with the NESSUS_1_2_SSL tag.

Configure Nessus with OpenSSL (should be autodetected) and install it
somewhere. You'd better not scratch your stable Nessus!
If you use nessus-adduser, always chose "plain text" authentication.
You'll have to install a server certificate. Have a look at
nessus-core/README_SSL
Note that if you want to use client side certificates, you'll have to
edit your .nessusrc by hand now.

Work in progress / to be done:
- the "debug level" is very high by default. nessusd will output
kazillions of silly messages.
Some of them are important, though. Compile it with -DDEBUG_SSL=1
This should be set with configure...
- the client does not check the validity of the server certificate
- no authentication with the client certificate
- disable-cipher flag is not handled. i.e. you cannot disable the
SSL layer in this CVS branch yet.

--
mailto:arboi@bigfoot.com http://www.bigfoot.com/~arboi/
GPG Public keys: http://www.bigfoot.com/~arboi/pubkey.txt
FAQNOPI de fr.comp.securite : http://www.bigfoot.com/~arboi/secu/FAQNOPI/