author | Andrew Bartlett <abartlet@samba.org> | 2015-07-20 11:46:36 +1200 |
committer | Andrew Bartlett <abartlet@samba.org> | 2015-07-20 03:08:26 +0200 |
commit | 06f378fa652e0ff3cb5aae1b30eee4f73b570664 (patch) | |
tree | 014045265bed1dc83d3ca6deee522a78f4ccec1f | |
parent | 374d73617d71abf594cc92d335cd8bc60c10a1b7 (diff) | |
lib/tls: Change default supported TLS versions.
The new default is to disable SSLv3, as this is no longer considered
secure after CVE-2014-3566. Newer GnuTLS versions already disable SSLv3.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
-rw-r--r-- | docs-xml/smbdotconf/security/tlspriority.xml | 6 | ||||
-rw-r--r-- | lib/param/loadparm.c | 2 | ||||
-rw-r--r-- | source3/param/loadparm.c | 2 | ||||
-rwxr-xr-x | testprogs/blackbox/test_ldb.sh | 3 |
4 files changed, 10 insertions, 3 deletions
diff --git a/docs-xml/smbdotconf/security/tlspriority.xml b/docs-xml/smbdotconf/security/tlspriority.xml
index 345f0302764..d399eef8eef 100644
--- a/docs-xml/smbdotconf/security/tlspriority.xml
+++ b/docs-xml/smbdotconf/security/tlspriority.xml
@@ -8,11 +8,15 @@ to be supported in the parts of Samba that use GnuTLS, specifically the AD DC. </para>
+ <para>The default turns off SSLv3, as this protocol is no longer considered
+ secure after CVE-2014-3566 (otherwise known as POODLE) impacted SSLv3 use
+ in HTTPS applications.
+ </para>
 <para>The valid options are described in the <ulink url="http://gnutls.org/manual/html_node/Priority-Strings.html">GNUTLS Priority-Strings documentation at http://gnutls.org/manual/html_node/Priority-Strings.html</ulink> </para> </description>
- <value type="default">NORMAL</value>
+ <value type="default">NORMAL:-VERS-SSL3.0</value>
 </samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 1a0d45908d6..06a9e59f35c 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2541,7 +2541,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem");
 lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem");
 lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
- lpcfg_do_global_parameter(lp_ctx, "tls priority", "NORMAL");
+ lpcfg_do_global_parameter(lp_ctx, "tls priority", "NORMAL:-VERS-SSL3.0");
 lpcfg_do_global_parameter(lp_ctx, "prefork children:smb", "4");
 lpcfg_do_global_parameter(lp_ctx, "rndc command", "/usr/sbin/rndc");
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index fb66eaa39a9..beba137aacf 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
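Review bot: The new default "NORMAL:-VERS-SSL3.0" is a bare literal repeated in the lpcfg_do_global_parameter() call here, in the string_set() call in init_globals() in source3/param/loadparm.c, and in the docs XML, so the three copies can silently drift the next time the policy moves (for example when another protocol version is retired). A single shared definition, say `#define DEFAULT_TLS_PRIORITY "NORMAL:-VERS-SSL3.0"` (name illustrative) in a header both loadparm files include, used by both calls, would keep them in step and give the docs one place to cite. At minimum the changed line deserves a why-comment, e.g. `/* SSLv3 off by default: CVE-2014-3566 (POODLE); keep in sync with tlspriority.xml */`. loadparm_init() begins and ends outside the hunk, so the remaining defaults are not visible here.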
@@ -872,7 +872,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem");
 string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem");
 string_set(Globals.ctx, &Globals._tls_cafile, "tls/ca.pem");
- string_set(Globals.ctx, &Globals.tls_priority, "NORMAL");
+ string_set(Globals.ctx, &Globals.tls_priority, "NORMAL:-VERS-SSL3.0");
 string_set(Globals.ctx, &Globals.share_backend, "classic");
diff --git a/testprogs/blackbox/test_ldb.sh b/testprogs/blackbox/test_ldb.sh
index 60bad44ebb9..394a7e88bf5 100755
--- a/testprogs/blackbox/test_ldb.sh
+++ b/testprogs/blackbox/test_ldb.sh
@@ -39,6 +39,9 @@ ldbsearch="$VALGRIND ldbsearch"
 check "RootDSE" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base DUMMY=x dnsHostName highestCommittedUSN || failed=`expr $failed + 1`
 check "RootDSE (full)" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base '(objectClass=*)' || failed=`expr $failed + 1`
 check "RootDSE (extended)" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base '(objectClass=*)' --extended-dn || failed=`expr $failed + 1`
+if [ x$p = x"ldaps" ]; then
+ testit_expect_failure "RootDSE over SSLv3 should fail" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base DUMMY=x dnsHostName highestCommittedUSN --option='tlspriority=NONE:+VERS-SSL3.0:+MAC-ALL:+CIPHER-ALL:+RSA:+SIGN-ALL:+COMP-NULL' && failed=`expr $failed + 1`
+fi
 echo "Getting defaultNamingContext"
 BASEDN=`$ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base DUMMY=x defaultNamingContext | grep defaultNamingContext | awk '{print $2}'` |
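Review bot: The negative test added in the `if [ x$p = x"ldaps" ]` block cannot distinguish a server that refused SSLv3 from a client that never got as far as connecting: a GnuTLS build without SSLv3 support will reject the `+VERS-SSL3.0` priority string up front, and the expected failure then passes vacuously without exercising the new server default at all. Capturing the command's output and checking that the failure is a handshake/protocol rejection, or skipping the case when the local GnuTLS cannot negotiate SSLv3, would make a pass meaningful. The `&& failed=...` form also assumes testit_expect_failure returns the wrapped command's exit status (0 on an unexpected success); that helper is defined outside this hunk, so it is worth confirming that it does not return its own reporting status instead. The `--option='tlspriority=...'` spelling presumably relies on loadparm ignoring whitespace when matching the "tls priority" name; a short comment saying so would save the next reader a lookup.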