1 <samba:parameter name="tls verify peer"
4 enumlist="enum_tls_verify_peer_vals"
5 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
7 <para>This controls if and how strict the client will verify the peer's certificate and name.
8 Possible values are (in increasing order):
9 <constant>no_check</constant>,
10 <constant>ca_only</constant>,
11 <constant>ca_and_name_if_available</constant>,
12 <constant>ca_and_name</constant>
14 <constant>as_strict_as_possible</constant>.</para>
16 <para>When set to <constant>no_check</constant> the certificate is not verified at
17 all, which allows trivial man in the middle attacks.
20 <para>When set to <constant>ca_only</constant> the certificate is verified to
21 be signed from a ca specified in the <smbconfoption name="tls ca file"/> option.
22 Setting <smbconfoption name="tls ca file"/> to a valid file is required.
23 The certificate lifetime is also verified. If the <smbconfoption name="tls crl file"/>
24 option is configured, the certificate is also verified against the ca crl.
27 <para>When set to <constant>ca_and_name_if_available</constant> all checks from
28 <constant>ca_only</constant> are performed. In addition, the peer hostname is verified
29 against the certificate's name, if it is provided by the application layer and
30 not given as an ip address string.
33 <para>When set to <constant>ca_and_name</constant> all checks from
34 <constant>ca_and_name_if_available</constant> are performed.
35 In addition the peer hostname needs to be provided and even an ip
36 address is checked against the certificate's name.
39 <para>When set to <constant>as_strict_as_possible</constant> all checks from
40 <constant>ca_and_name</constant> are performed. In addition the
41 <smbconfoption name="tls crl file"/> needs to be configured.
42 Future versions of Samba may implement additional checks.
46 <value type="default">as_strict_as_possible</value>