author Andrew Bartlett <abartlet@samba.org> 2015-07-20 11:46:36 +1200
committer Andrew Bartlett <abartlet@samba.org> 2015-07-20 03:08:26 +0200
commit 06f378fa652e0ff3cb5aae1b30eee4f73b570664 (patch)
tree 014045265bed1dc83d3ca6deee522a78f4ccec1f /docs-xml
parent 374d73617d71abf594cc92d335cd8bc60c10a1b7 (diff)
lib/tls: Change default supported TLS versions.
The new default is to disable SSLv3, as this is no longer considered secure after CVE-2014-3566. Newer GnuTLS versions already disable SSLv3.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Diffstat (limited to 'docs-xml')
-rw-r--r-- docs-xml/smbdotconf/security/tlspriority.xml 6
1 files changed, 5 insertions, 1 deletions
diff --git a/docs-xml/smbdotconf/security/tlspriority.xml b/docs-xml/smbdotconf/security/tlspriority.xml
index 345f0302764..d399eef8eef 100644
--- a/docs-xml/smbdotconf/security/tlspriority.xml
+++ b/docs-xml/smbdotconf/security/tlspriority.xml
@@ -8,11 +8,15 @@
to be supported in the parts of Samba that use GnuTLS, specifically
the AD DC.
</para>
+ <para>The default turns off SSLv3, as this protocol is no longer considered
+ secure after CVE-2014-3566 (otherwise known as POODLE) impacted SSLv3 use
+ in HTTPS applications.
+ </para>
<para>The valid options are described in the
<ulink url="http://gnutls.org/manual/html_node/Priority-Strings.html">GNUTLS
Priority-Strings documentation at http://gnutls.org/manual/html_node/Priority-Strings.html</ulink>
</para>
</description>
- <value type="default">NORMAL</value>
+ <value type="default">NORMAL:-VERS-SSL3.0</value>
</samba:parameter>
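Review bot: The added <para> explains why the default drops SSLv3 but does not warn that an administrator who sets their own tls priority string replaces the default as a whole, so a value such as NORMAL would allow SSLv3 again on GnuTLS versions that do not already disable it. Suggest one more sentence recommending that custom strings keep -VERS-SSL3.0. The wording "impacted SSLv3 use in HTTPS applications" can also be read as saying the AD DC's own TLS use is unaffected; if the intent is that SSLv3 should not be used at all, state that directly. The diffstat here is limited to docs-xml, so the documented default of NORMAL:-VERS-SSL3.0 should be checked against the default set in lib/tls in the same commit.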