[20.8.0] Service unavailable when verifying ospd-openvas scanner over tcp #341

Closed
wisukind opened this issue Oct 1, 2020 · 8 comments

wisukind commented Oct 1, 2020

gvm@ov-master-eqi-test:~$ gvmd --version
Greenbone Vulnerability Manager 20.08.0~git-3a5ec8bc-gvmd-20.08
GIT revision 3a5ec8bc-gvmd-20.08
Manager DB revision 233

OSP Server for openvas: 20.8.0
OSP: 20.8.1
OSPd OpenVAS: 20.8.1

OS: Ubuntu 18.04 LTS with gnutls 3.6.15, python 3.7

Problem: When running an ospd-openvas scanner on a TCP socket, gvmd fails to connect to it even though the certificate handshake is correct. Both GVMD and OSPD are running on the same system. Obviously the same problem happens if ospd is run on a different IP. See below.

Scanner is launched with the following command:

/opt/gvm/bin/ospd-scanner/bin/python3.7 /opt/gvm/bin/ospd-scanner/bin/ospd-openvas -s /opt/gvm/etc/openvas/ospd.conf --log-file /opt/gvm/var/log/gvm/ospd-scanner-remote.log -p 9392 -b 127.0.0.1 --pid-file /opt/gvm/var/run/ospd-openvas-remote.pid --lock-file-dir /opt/gvm/var/run/ -k /opt/gvm/var/lib/gvm/private/CA/serverkey.pem -c /opt/gvm/var/lib/gvm/CA/servercert.pem --ca-file /opt/gvm/var/lib/gvm/CA/cacert.pem -L DEBUG -f

On Gvmd, scanner is added using:

gvmd --create-scanner=TestRemoteScanner --scanner-type=OpenVAS --scanner-port=9392 --scanner-host=127.0.0.1 --scanner-ca-pub=/opt/gvm/var/lib/gvm/CA/cacert.pem --scanner-key-priv=/opt/gvm/var/lib/gvm/private/CA/clientkey.pem --scanner-key-pub=/opt/gvm/var/lib/gvm/CA/clientcert.pem

Scanner is created successfully. Now if I try to verify the scanner:

gvm@ov-master-eqi-test:/opt/gvm/src/20.08/ospd-ospd-20.08/ospd$ gvmd --get-scanners
8840a9e5-f1c0-45f1-835b-550c32fc3001  OpenVAS  127.0.0.1  9392  TestRemoteScanner
gvm@ov-master-eqi-test:/opt/gvm/src/20.08/ospd-ospd-20.08/ospd$ gvmd --verify-scanner=8840a9e5-f1c0-45f1-835b-550c32fc3001
Failed to verify scanner.

If I manually check the certificate handshake using:

openssl s_client -connect 127.0.0.1:9392 -cert /opt/gvm/var/lib/gvm/CA/clientcert.pem -key /opt/gvm/var/lib/gvm/private/CA/clientkey.pem -CAfile /opt/gvm/var/lib/gvm/CA/cacert.pem -reconnect -showcerts -debug

connects and sending <get_version/> manually with openssl gets answered with

<get_version_response status="200" status_text="OK"><protocol><name>OSP</nam

So the cert infrastructure created with gvm-manage-certs is correct and the initial dialog seems to work fine.

However, on GVMD side, I have the following logs:

md   main:  DEBUG:2020-09-28 12h54.37 UTC:98909: <= client  "<verify_scanner scanner_id="8840a9e5-f1c0-45f1-835b-550c32fc3001"/>"
md    gmp:  DEBUG:2020-09-28 12h54.37 UTC:98909:    XML  start: verify_scanner (1)
md    gmp:  DEBUG:2020-09-28 12h54.37 UTC:98909:    client state set: 519
md    gmp:  DEBUG:2020-09-28 12h54.37 UTC:98909:    XML    end: verify_scanner
lib  serv:  DEBUG:2020-09-28 12h54.37 UTC:98909:    Connected to server 127.0.0.1 port 9392.
lib  serv:  DEBUG:2020-09-28 12h54.37 UTC:98909:    Shook hands with server 127.0.0.1 port 9392.
lib  serv:  DEBUG:2020-09-28 12h54.37 UTC:98909:    send 14 from <get_version/>[...]
lib  serv:  DEBUG:2020-09-28 12h54.37 UTC:98909: => <get_version/>
lib  serv:  DEBUG:2020-09-28 12h54.37 UTC:98909: => done
lib   xml:  DEBUG:2020-09-28 12h54.37 UTC:98909:    asking for 1048576
md   main:  DEBUG:2020-09-28 12h54.37 UTC:98909: -> client: <verify_scanner_response status="503" status_text="Service unavailable"/>
md    gmp:  DEBUG:2020-09-28 12h54.37 UTC:98909:    client state set: 1
md   main:  DEBUG:2020-09-28 12h54.37 UTC:98909: => client  73 bytes
md   main:  DEBUG:2020-09-28 12h54.37 UTC:98909: => client  done
md   main:  DEBUG:2020-09-28 12h54.37 UTC:98909:    EOF reading from client
md   main:  DEBUG:2020-09-28 12h54.37 UTC:98909:    Cleaning up
md   main:  DEBUG:2020-09-28 12h54.37 UTC:98909:    Exiting

jjnicola commented Oct 1, 2020

Hi @wisukind,
Did you create new credentials with an up to date gvm-manage-certs? The script was fixed with the PR greenbone/gvmd#1140, as newer gnutls libs are stricter. Openssl can be more permissive and therefore works for you with openssl s_client.

Also, in case you are using TLS1.3, the patch in PR greenbone/gvm-libs#394 can help in some cases. If you could try it and let me know if it works for you, I can consider backporting it to the 20.08 version.
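The verify step the two comments above are about, as an added example that is not code from this thread or from the Greenbone projects: a Go program that builds a throwaway CA, runs a mock OSP scanner that, like the reporter's ospd-openvas started with --ca-file, demands a client certificate, and then does what gvmd --verify-scanner does on the wire: connect with the client key and cert, send <get_version/>, and read the status attribute of the reply. Assumptions: the mock only speaks the single <get_version/> exchange quoted in the issue; Go's crypto/x509 verifier stands in for the "stricter" stack Juan mentions; and the defect it is made to reject (the scanner's address present only in the certificate CN, with no IP SAN) is an illustration chosen for this example, not the gvm-manage-certs problem fixed by the PRs named above, which the thread does not describe. Function and type names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/xml"
	"io"
	"math/big"
	"net"
	"time"
)

// must panics on error; the test PKI below is a fixture, not untrusted input.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a throwaway P-256 cert: CA certs are self-signed, leaf certs are
// signed by parent, and ips become IP SANs (nil = the host appears in the CN only).
func issue(cn string, serial int64, isCA bool, eku []x509.ExtKeyUsage, ips []net.IP, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, IPAddresses: ips,
		BasicConstraintsValid: true, IsCA: isCA,
	}
	signerCert, signerKey := tmpl, interface{}(key)
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// serveOSP is the mock scanner: accept one mutual-TLS connection, read the
// <get_version/> request, answer with the response quoted in the issue, close.
func serveOSP(ln net.Listener) {
	conn, err := ln.Accept()
	if err != nil {
		return
	}
	defer conn.Close() // the close_notify is what lets the client's io.ReadAll finish
	if _, err = conn.Read(make([]byte, 256)); err == nil { // the first Read completes the handshake
		conn.Write([]byte(`<get_version_response status="200" status_text="OK"><protocol><name>OSP</name></protocol></get_version_response>`))
	}
}

// VerifyScanner does what gvmd's verify step does: connect with the client cert,
// send <get_version/> and return the status attribute of the reply.
func VerifyScanner(addr, serverName string, pool *x509.CertPool, client tls.Certificate) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: pool, ServerName: serverName, Certificates: []tls.Certificate{client}})
	if err != nil {
		return "", err // TCP, handshake or certificate verification failed
	}
	defer conn.Close()
	if _, err = conn.Write([]byte("<get_version/>")); err != nil {
		return "", err
	}
	raw, err := io.ReadAll(conn) // the scanner closes after answering, so read to EOF
	if err != nil {
		return "", err
	}
	var resp struct {
		XMLName xml.Name `xml:"get_version_response"`
		Status  string   `xml:"status,attr"`
	}
	if err = xml.Unmarshal(raw, &resp); err != nil {
		return "", err
	}
	return resp.Status, nil
}

// RunExchange builds the test PKI, starts the mock scanner on a loopback port and runs the verify
// step. serverSANs are the IP SANs of the server cert; nil leaves the host in the CN only (rejected).
func RunExchange(serverSANs []net.IP) (string, error) {
	ca := issue("Test CA", 1, true, nil, nil, nil)
	srv := issue("127.0.0.1", 2, false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, serverSANs, &ca)
	cli := issue("gvmd", 3, false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, nil, &ca)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srv}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go serveOSP(ln)
	return VerifyScanner(ln.Addr().String(), "127.0.0.1", pool, cli)
}
```

RunExchange with an IP SAN of 127.0.0.1 returns "200"; with nil the handshake bytes are identical but tls.Dial fails, which is the shape of the reporter's symptom: a permissive tool accepts the certificate while a stricter verifier does not, and the application only reports "Failed to verify scanner". To run VerifyScanner against a real scanner, load the gvm-manage-certs files with tls.LoadX509KeyPair(clientcert.pem, clientkey.pem) and x509.CertPool.AppendCertsFromPEM on cacert.pem, and pass the scanner host and port; the error it returns names the actual verification failure instead of a 503.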


wisukind commented Oct 1, 2020

Hi Juan,

I used the script built from gvmd 20.08, with MD5:

1762c7083fa9b1ad4b91d43ff74c3fa5 /opt/gvm/bin/gvm-manage-certs
1762c7083fa9b1ad4b91d43ff74c3fa5 /opt/gvm/src/20.08/gvmd-gvmd-20.08/build/tools/gvm-manage-certs

Is it up to date enough, or is there a new version?

Thanks


jjnicola commented Oct 1, 2020

If you used the one in the last stable gvmd-20.08 release, it is up to date.


wisukind commented Oct 1, 2020

OK, so I'm good on this point. I'm currently installing gvm-libs/gvmd/ospd/ospd-openvas from the latest master branch, to see if the problem is fixed.


wisukind commented Oct 1, 2020

Latest ospd-openvas master fails to run. I have the following error:

gvm@gvm11-slave-1:/opt/gvm/var/run$ /opt/gvm/bin/ospd-scanner/bin/python3.7 /opt/gvm/bin/ospd-scanner/bin/ospd-openvas -s /opt/gvm/etc/openvas/ospd.conf --log-file /opt/gvm/var/log/gvm/ospd-scanner-remote.log -p 9390 -b 0.0.0.0 --pid-file /opt/gvm/var/run/ospd-openvas-remote.pid --lock-file-dir /opt/gvm/var/run/ -k /opt/gvm/var/lib/gvm/private/CA/serverkey.pem -c /opt/gvm/var/lib/gvm/CA/servercert.pem --ca-file /opt/gvm/var/lib/gvm/CA/cacert.pem -L DEBUG -f
OSPD[4699] 2020-10-01 15:51:42,889: INFO: (ospd.main) Starting OSPd OpenVAS version 21.4a1.
OSPD[4699] 2020-10-01 15:51:42,913: DEBUG: (ospd_openvas.lock) Created lock file /opt/gvm/var/run/feed-update.lock.
OSPD[4699] 2020-10-01 15:51:52,925: DEBUG: (ospd_openvas.openvas) Loading VTs into Redis DB...
OSPD[4699] 2020-10-01 15:52:19,008: DEBUG: (ospd_openvas.openvas) Finished loading VTs into Redis DB
OSPD[4699] 2020-10-01 15:52:19,179: DEBUG: (ospd_openvas.lock) Removed lock from file /opt/gvm/var/run/feed-update.lock.
Traceback (most recent call last):
  File "/opt/gvm/bin/ospd-scanner/bin/ospd-openvas", line 8, in <module>
    sys.exit(main())
  File "/opt/gvm/bin/ospd-scanner/lib/python3.7/site-packages/ospd_openvas/daemon.py", line 1326, in main
    daemon_main('OSPD - openvas', OSPDopenvas)
  File "/opt/gvm/bin/ospd-scanner/lib/python3.7/site-packages/ospd/main.py", line 161, in main
    daemon.init(server)
  File "/opt/gvm/bin/ospd-scanner/lib/python3.7/site-packages/ospd_openvas/daemon.py", line 483, in init
    self.set_vts_version(vts_version=current_feed)
  File "/opt/gvm/bin/ospd-scanner/lib/python3.7/site-packages/ospd/ospd.py", line 253, in set_vts_version
    'A vts_version parameter is required', 'set_vts_version'
ospd.errors.OspdCommandError: A vts_version parameter is required
OSPD[4699] 2020-10-01 15:52:19,181: DEBUG: (ospd.main) Performing exit clean up
OSPD[4699] 2020-10-01 15:52:19,181: INFO: (ospd.main) Shutting-down server ...
OSPD[4699] 2020-10-01 15:52:19,520: DEBUG: (ospd.main) Finishing daemon process

Any clue?


wisukind commented Oct 1, 2020

Hi Juan,

I confirm upgrading gvm-libs to the master version fixes the problem. I kept my current gvmd / ospd / ospd-openvas 20.08 version, and upgraded only gvm-libs, recompiled, regenerated certificates and now it works.

So the PR greenbone/gvm-libs#394 seems to be the fix.

Any chance you could backport it to 20.08? I would definitely owe you a beer!

Thanks


jjnicola commented Oct 5, 2020

Backported with PR greenbone/gvm-libs#404 to gvm-libs-20.08. This fix will be included in the next releases.
Regards.

jjnicola closed this as completed Oct 5, 2020

wisukind commented Oct 5, 2020

Thanks a lot !!!

ArnoStiefvater added a commit to ArnoStiefvater/ospd-openvas that referenced this issue Oct 25, 2021
Return an empty list in case of malformed host in the target list.