--- /dev/null
+<samba:parameter name="tls priority"
+ type="string"
+ context="G"
+ constant="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+ <description>
+ <para>This option can be set to a string describing the TLS protocols
+ to be supported in the parts of Samba that use GnuTLS, specifically
+ the AD DC.
+ </para>
+ <para>The valid options are described in the
+ <ulink url="http://gnutls.org/manual/html_node/Priority-Strings.html">GNUTLS
+ Priority-Strings documentation at http://gnutls.org/manual/html_node/Priority-Strings.html</ulink>
+ </para>
+ </description>
+
+ <value type="default">NORMAL</value>
+</samba:parameter>
lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem");
lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem");
lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
+ lpcfg_do_global_parameter(lp_ctx, "tls priority", "NORMAL");
lpcfg_do_global_parameter(lp_ctx, "prefork children:smb", "4");
lpcfg_do_global_parameter(lp_ctx, "rndc command", "/usr/sbin/rndc");
.special = NULL,
.enum_list = NULL
},
+ {
+ .label = "tls priority",
+ .type = P_STRING,
+ .p_class = P_GLOBAL,
+ .offset = GLOBAL_VAR(tls_priority),
+ .special = NULL,
+ .enum_list = NULL
+ },
{NULL, P_BOOL, P_NONE, 0, NULL, NULL, 0}
};
string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem");
string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem");
string_set(Globals.ctx, &Globals._tls_cafile, "tls/ca.pem");
+ string_set(Globals.ctx, &Globals.tls_priority, "NORMAL");
string_set(Globals.ctx, &Globals.share_backend, "classic");
lpcfg_tls_cafile(ldap_service, task->lp_ctx),
lpcfg_tls_crlfile(ldap_service, task->lp_ctx),
lpcfg_tls_dhpfile(ldap_service, task->lp_ctx),
+ lpcfg_tls_priority(task->lp_ctx),
&ldap_service->tls_params);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("ldapsrv failed tstream_tls_params_server - %s\n",
NTSTATUS tstream_tls_params_client(TALLOC_CTX *mem_ctx,
const char *ca_file,
const char *crl_file,
+ const char *tls_priority,
struct tstream_tls_params **_tlsp);
NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
const char *ca_file,
const char *crl_file,
const char *dhp_file,
+ const char *tls_priority,
struct tstream_tls_params **_params);
bool tstream_tls_params_enabled(struct tstream_tls_params *params);
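Review bot: The new `tls_priority` parameter on both prototypes carries no contract in the header, yet the implementation copies it with `talloc_strdup()` and treats a NULL copy as out-of-memory, so a NULL string is effectively rejected with a misleading status. A comment on each prototype such as `/* tls_priority: GnuTLS priority string (smb.conf 'tls priority'); must not be NULL, copied into the returned params */` would tell callers what to pass and who owns the copy. The string is not parsed here; as far as the page shows, it is only validated later by gnutls_priority_set_direct() at connect/accept time, which is worth stating so callers do not expect an early error.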
#if ENABLE_GNUTLS
gnutls_certificate_credentials x509_cred;
gnutls_dh_params dh_params;
+ const char *tls_priority;
#endif /* ENABLE_GNUTLS */
bool tls_enabled;
};
NTSTATUS tstream_tls_params_client(TALLOC_CTX *mem_ctx,
const char *ca_file,
const char *crl_file,
+ const char *tls_priority,
struct tstream_tls_params **_tlsp)
{
#if ENABLE_GNUTLS
}
}
+ tlsp->tls_priority = talloc_strdup(tlsp, tls_priority);
+ if (tlsp->tls_priority == NULL) {
+ talloc_free(tlsp);
+ return NT_STATUS_NO_MEMORY;
+ }
+
tlsp->tls_enabled = true;
*_tlsp = tlsp;
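Review bot: The `talloc_strdup()` that fills `tlsp->tls_priority` returns NULL when `tls_priority` itself is NULL, so a caller that passes no priority string gets `NT_STATUS_NO_MEMORY` instead of a parameter error, and the log then reports an allocation failure that never happened; the server variant (the identical block before `tlsp->tls_enabled = true;` in tstream_tls_params_server) has the same gap. A guard ahead of the copy, `if (tls_priority == NULL) { talloc_free(tlsp); return NT_STATUS_INVALID_PARAMETER; }`, keeps the two failures distinguishable. The body of tstream_tls_params_client begins before this hunk.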
{
struct tevent_req *req;
struct tstream_tls_connect_state *state;
+ const char *error_pos;
#if ENABLE_GNUTLS
struct tstream_tls *tlss;
int ret;
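Review bot: `const char *error_pos;` is declared above `#if ENABLE_GNUTLS` while `tlss` and `ret`, the only code it is used with, sit inside it, so a build without GnuTLS gets an unused-variable warning; the accept path has the same layout (`error_pos` declared just before the `#if ENABLE_GNUTLS` that holds `int ret;`). It is also left uninitialized and then printed with `%s` in the failure DEBUG after `gnutls_priority_set_direct()` in both the connect and accept hunks; GnuTLS fills the error position on a priority-string syntax error, but whether every failing return sets it is not visible here, so `const char *error_pos = NULL;` inside the `#if`, printed as `error_pos ? error_pos : "(unknown)"`, is the defensive form. The enclosing function's signature starts before this hunk.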
return tevent_req_post(req, ev);
}
- ret = gnutls_set_default_priority(tlss->tls_session);
+ ret = gnutls_priority_set_direct(tlss->tls_session,
+ tls_params->tls_priority,
+ &error_pos);
if (ret != GNUTLS_E_SUCCESS) {
- DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
+ DEBUG(0,("TLS %s - %s. Check 'tls priority' option at '%s'\n",
+ __location__, gnutls_strerror(ret), error_pos));
tevent_req_error(req, EINVAL);
return tevent_req_post(req, ev);
}
const char *ca_file,
const char *crl_file,
const char *dhp_file,
+ const char *tls_priority,
struct tstream_tls_params **_tlsp)
{
struct tstream_tls_params *tlsp;
gnutls_certificate_set_dh_params(tlsp->x509_cred, tlsp->dh_params);
+ tlsp->tls_priority = talloc_strdup(tlsp, tls_priority);
+ if (tlsp->tls_priority == NULL) {
+ talloc_free(tlsp);
+ return NT_STATUS_NO_MEMORY;
+ }
+
tlsp->tls_enabled = true;
#else /* ENABLE_GNUTLS */
struct tevent_req *req;
struct tstream_tls_accept_state *state;
struct tstream_tls *tlss;
+ const char *error_pos;
#if ENABLE_GNUTLS
int ret;
#endif /* ENABLE_GNUTLS */
return tevent_req_post(req, ev);
}
- ret = gnutls_set_default_priority(tlss->tls_session);
+ ret = gnutls_priority_set_direct(tlss->tls_session,
+ tlsp->tls_priority,
+ &error_pos);
if (ret != GNUTLS_E_SUCCESS) {
- DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
+ DEBUG(0,("TLS %s - %s. Check 'tls priority' option at '%s'\n",
+ __location__, gnutls_strerror(ret), error_pos));
tevent_req_error(req, EINVAL);
return tevent_req_post(req, ev);
}
if (conn->ldaps) {
char *ca_file = lpcfg_tls_cafile(state, conn->lp_ctx);
char *crl_file = lpcfg_tls_crlfile(state, conn->lp_ctx);
-
+ const char *tls_priority = lpcfg_tls_priority(conn->lp_ctx);
if (!ca_file || !*ca_file) {
composite_error(result,
NT_STATUS_INVALID_PARAMETER_MIX);
status = tstream_tls_params_client(state,
ca_file,
crl_file,
+ tls_priority,
&state->tls_params);
if (!NT_STATUS_IS_OK(status)) {
composite_error(result, status);
#include "librpc/rpc/dcerpc.h"
#include "librpc/rpc/dcerpc_roh.h"
#include "librpc/rpc/dcerpc_proto.h"
+#include "lib/param/param.h"
static ssize_t tstream_roh_pending_bytes(struct tstream_context *stream);
static struct tevent_req * tstream_roh_readv_send(
/* Initialize TLS */
if (use_tls) {
status = tstream_tls_params_client(state->roh, NULL, NULL,
+ lpcfg_tls_priority(lp_ctx),
&state->tls_params);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("%s: Failed tstream_tls_params_client - %s\n",