tls: Use NORMAL:-VERS-SSL3.0 as the default configuration
authorAndreas Schneider <asn@samba.org>
Tue, 30 Jun 2020 15:12:17 +0000 (17:12 +0200)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 1 Jul 2020 14:56:33 +0000 (14:56 +0000)
This seems to be really broken in GnuTLS and the documentation is also
not correct.

This partially reverts 53e3a959b958a3b099df6ecc5f6e294e96bd948e

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14408

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul  1 14:56:33 UTC 2020 on sn-devel-184

docs-xml/smbdotconf/security/tlspriority.xml
lib/param/loadparm.c
python/samba/tests/docs.py
source3/param/loadparm.c

index 6d1f0dcb91275c487f380e6ed4ebd9dde23b4b20..471dc25ba3b42f634191fd5009f0cca716f82b61 100644 (file)
    <ulink url="http://gnutls.org/manual/html_node/Priority-Strings.html">GNUTLS
    Priority-Strings documentation at http://gnutls.org/manual/html_node/Priority-Strings.html</ulink>
    </para>
-   <para>By default it will try to find a config file matching "SAMBA", but if
-   that does not exist will use the entry for "SYSTEM" and last fallback to
-   NORMAL. In all cases the SSL3.0 protocol will be disabled.</para>
+   <para>The SSL3.0 protocol will be disabled.</para>
  </description>
 
- <value type="default">@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0</value>
+ <value type="default">NORMAL:-VERS-SSL3.0</value>
 </samba:parameter>
index 53eedeb0cb2cd4b1a2dbf24afbfeaad5aeae9615..da639a8b0ff8a812ad663c866a27140f0ea76ab6 100644 (file)
@@ -2818,15 +2818,9 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
        lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem");
        lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem");
        lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
-#ifdef HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND
-       lpcfg_do_global_parameter(lp_ctx,
-                                 "tls priority",
-                                 "@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0");
-#else
        lpcfg_do_global_parameter(lp_ctx,
                                  "tls priority",
                                  "NORMAL:-VERS-SSL3.0");
-#endif
 
        lpcfg_do_global_parameter(lp_ctx, "nsupdate command", "/usr/bin/nsupdate -g");
 
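Review bot: The new unconditional default `"NORMAL:-VERS-SSL3.0"` at lines 46-48 drops the `@SAMBA,SYSTEM` lookup, so Samba no longer follows the distribution's system-wide GnuTLS policy unless an administrator sets `tls priority` explicitly, and neither the code nor the description records that this is a deliberate (possibly temporary) loss of policy compliance. Because `NORMAL` is GnuTLS's built-in profile rather than the system policy, a hardened host whose policy disables e.g. older TLS versions may get them back through this default, which deserves a comment above the call such as `/* Hard-coded on purpose (bug 14408): the @SAMBA,SYSTEM fallback is not consulted; set "tls priority" explicitly to follow the system crypto policy. */`. The same point applies to the matching hunk in source3/param/loadparm.c, which must keep the byte-identical string so both loadparm implementations and the docs-xml default stay in sync. If the configure check behind `HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND` still exists elsewhere, it is now unreferenced here and should either be removed or be noted as kept for a later re-enable. loadparm_init begins and continues outside this hunk.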
index 10339702a971c9d9b33912bc3c1b79bbc775aa33..135be830521fe34a8db17d0bd55ab58a4c999719 100644 (file)
@@ -29,22 +29,6 @@ import multiprocessing
 import concurrent.futures
 import tempfile
 
-config_h = os.path.join("bin/default/include/config.h")
-config_hash = dict()
-
-if os.path.exists(config_h):
-    config_hash = dict()
-    f = open(config_h, 'r')
-    try:
-        lines = f.readlines()
-        config_hash = dict((x[0], ' '.join(x[1:]))
-                           for x in map(lambda line: line.strip().split(' ')[1:],
-                                        list(filter(lambda line: (line[0:7] == '#define') and (len(line.split(' ')) > 2), lines))))
-    finally:
-        f.close()
-
-have_gnutls_system_config_support = ("HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND" in config_hash)
-
 class TestCase(samba.tests.TestCaseInTempDir):
 
     def _format_message(self, parameters, message):
@@ -234,11 +218,6 @@ class SmbDotConfTests(TestCase):
         'smbd max async dosmode',
     ])
 
-    # 'tls priority' has a legacy default value if we don't link against a
-    # modern GnuTLS version.
-    if not have_gnutls_system_config_support:
-        special_cases.add('tls priority')
-
     def setUp(self):
         super(SmbDotConfTests, self).setUp()
         # create a minimal smb.conf file for testparm
index 0ceaa7d8edf0b9bdc866e6161d471320d596e120..cf5da0aca21c8170de3e059664abda02a14e446a 100644 (file)
@@ -886,15 +886,9 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
        lpcfg_string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem");
        lpcfg_string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem");
        lpcfg_string_set(Globals.ctx, &Globals._tls_cafile, "tls/ca.pem");
-#ifdef HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND
        lpcfg_string_set(Globals.ctx,
                         &Globals.tls_priority,
-                        "@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0");
-#else
-       lpcfg_string_set(Globals.ctx,
-                        &Globals.tls_priority,
-                        "NORMAL!-VERS-SSL3.0");
-#endif
+                        "NORMAL:-VERS-SSL3.0");
 
        lpcfg_string_set(Globals.ctx, &Globals.share_backend, "classic");