On Thu, Dec 15, 2005 at 05:17:36PM +0100, Marc Haber wrote:
> Package: nessusd
> Version: 2.2.5-3
> Severity: important
>
> When I try to connect to a 2.2.5-3 server from a 2.2.5-2 or 2.2.5-3
> client, the client says after hitting the "Login" button "SSL Error"
> and says on stdout "[8157] SSL_connect: error:140943FC:SSL
> routines:SSL3_READ_BYTES:sslv3 alert bad record mac". Downgrading the
> server to 2.2.5-2 makes the problem go away, upgrading to 2.2.5-3
> makes it happen again.
>
> A recompiled 2.2.5-3 on current sid exhibits the same behavior.
>
> I suspect some library issue.

Yes, that looks like an SSL error due to incompatibilities with the libraries.

> What I find strange: ldd of the working (2.2.5-2) daemon shows that
> it's linked to both libssl.so.0.9.8 and libssl.so.0.9.7, while the

Strange, my working 2.2.5-2 daemon says:
~$ ldd /usr/sbin/nessusd |grep ssl
libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 (0x40115000)

> non-working (3.2.5-3) daemon is only linked against libssl.so.0.9.7.

No, it's the other way around:
$ ldd debian/security/nessus/packages/nessus-core-2.2.5/debian/nessusd/usr/sbin/nessusd |grep ssl
libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0x40115000)
libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 (0x403b4000)

And the client (2.2.5-2) says
$ ldd /usr/bin/nessus |grep ssl
libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 (0x400e1000)

I guess recompiling the nessusd package should fix this issue. Will look into
it.

> This is kind of important as there does not seem to be a possibility
> to legally use nessus built from Debian with a registered plugin feed
> at the moment.

Er, this is completely unrelated (and not true). See
/usr/share/doc/nessus-plugins/README.rebuild.Debian

Regards
Javier
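
Added example, not part of the original message or of the Debian package: a shell check for the condition discussed above, one binary resolving the same library under two SONAME versions (here libssl.so.0.9.7 and libssl.so.0.9.8). The function name and the libc sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# find_mixed_sonames: reads `ldd` output on stdin and prints one line per
# library base name that is resolved under two or more different SONAMEs.
# Typical use: ldd /usr/sbin/nessusd | find_mixed_sonames
# (ldd may execute the inspected binary, so use it only on trusted files.)
find_mixed_sonames() {
    awk '
    $1 ~ /\.so(\.|$)/ {
        soname = $1
        base = soname
        sub(/\.so.*$/, "", base)          # libssl.so.0.9.8 -> libssl
        key = base SUBSEP soname
        if (!(key in seen)) {             # count each SONAME only once
            seen[key] = 1
            n[base]++
            list[base] = (list[base] == "" ? "" : list[base] " ") soname
        }
    }
    END {
        for (b in n)
            if (n[b] > 1) print b ": " list[b]
    }'
}

# Sample input: the libssl lines are the ones quoted in the message above;
# the libc lines are constructed for illustration.
SAMPLE_MIXED='  libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0x40115000)
  libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 (0x403b4000)
  libc.so.6 => /lib/libc.so.6 (0x40200000)'

SAMPLE_CLEAN='  libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 (0x400e1000)
  libc.so.6 => /lib/libc.so.6 (0x40200000)'

# The mixed sample reports libssl; the clean sample prints nothing.
printf '%s\n' "$SAMPLE_MIXED" | find_mixed_sonames
printf '%s\n' "$SAMPLE_CLEAN" | find_mixed_sonames
```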