diff options
author | Stefan Metzmacher <metze@samba.org> | 2015-12-23 22:12:56 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2016-04-12 19:25:25 +0200 |
commit | 2362c0353b5c8601eda61875f0fea84c8f76e06d (patch) | |
tree | b981c227a5d4132482f47317f3da54cfc9f437fd /docs-xml | |
parent | 64a9cd2a38d8a9503560524f5a6feea25651f11c (diff) | |
download | samba-2362c0353b5c8601eda61875f0fea84c8f76e06d.tar.gz |
CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Diffstat (limited to 'docs-xml')
-rw-r--r-- | docs-xml/smbdotconf/security/tlsverifypeer.xml | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/security/tlsverifypeer.xml b/docs-xml/smbdotconf/security/tlsverifypeer.xml new file mode 100644 index 00000000000..ce6897d3d93 --- /dev/null +++ b/docs-xml/smbdotconf/security/tlsverifypeer.xml @@ -0,0 +1,51 @@ +<samba:parameter name="tls verify peer" + context="G" + type="enum" + enumlist="enum_tls_verify_peer_vals" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This controls if and how strict the client will verify the peer's certificate and name. + Possible values are (in increasing order): + <constant>no_check</constant>, + <constant>ca_only</constant>, + <constant>ca_and_name_if_available</constant>, + <constant>ca_and_name</constant> + and + <constant>as_strict_as_possible</constant>.</para> + + <para>When set to <constant>no_check</constant> the certificate is not verified at + all, which allows trivial man in the middle attacks. + </para> + + <para>When set to <constant>ca_only</constant> the certificate is verified to + be signed from a ca specified in the <smbconfoption name="tls ca file"/> option. + Setting <smbconfoption name="tls ca file"/> to a valid file is required. + The certificate lifetime is also verified. If the <smbconfoption name="tls crl file"/> + option is configured, the certificate is also verified against the ca crl. + </para> + + <para>When set to <constant>ca_and_name_if_available</constant> all checks from + <constant>ca_only</constant> are performed. In addition, the peer hostname is verified + against the certificate's name, if it is provided by the application layer and + not given as an ip address string. + </para> + + <para>When set to <constant>ca_and_name</constant> all checks from + <constant>ca_and_name_if_available</constant> are performed. + In addition the peer hostname needs to be provided and even an ip + address is checked against the certificate's name. + </para> + + <para>When set to <constant>as_strict_as_possible</constant> all checks from + <constant>ca_and_name</constant> are performed. In addition the + <smbconfoption name="tls crl file"/> needs to be configured. + Future versions of Samba may implement additional checks. + </para> + + <para>Note that the default is likely to change from + <constant>no_check</constant> to <constant>as_strict_as_possible</constant> + with Samba 4.5.</para> +</description> + +<value type="default">no_check</value> +</samba:parameter> |