--- /dev/null
+<samba:parameter name="tls verify peer"
+ context="G"
+ type="enum"
+ enumlist="enum_tls_verify_peer_vals"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This controls if and how strict the client will verify the peer's certificate and name.
+ Possible values are (in increasing order):
+ <constant>no_check</constant>,
+ <constant>ca_only</constant>,
+ <constant>ca_and_name_if_available</constant>,
+ <constant>ca_and_name</constant>
+ and
+ <constant>as_strict_as_possible</constant>.</para>
+
+ <para>When set to <constant>no_check</constant> the certificate is not verified at
+ all, which allows trivial man in the middle attacks.
+ </para>
+
+ <para>When set to <constant>ca_only</constant> the certificate is verified to
+ be signed from a ca specified in the <smbconfoption name="tls ca file"/> option.
+ Setting <smbconfoption name="tls ca file"/> to a valid file is required.
+ The certificate lifetime is also verified. If the <smbconfoption name="tls crl file"/>
+ option is configured, the certificate is also verified against the ca crl.
+ </para>
+
+ <para>When set to <constant>ca_and_name_if_available</constant> all checks from
+ <constant>ca_only</constant> are performed. In addition, the peer hostname is verified
+ against the certificate's name, if it is provided by the application layer and
+ not given as an ip address string.
+ </para>
+
+ <para>When set to <constant>ca_and_name</constant> all checks from
+ <constant>ca_and_name_if_available</constant> are performed.
+ In addition the peer hostname needs to be provided and even an ip
+ address is checked against the certificate's name.
+ </para>
+
+ <para>When set to <constant>as_strict_as_possible</constant> all checks from
+ <constant>ca_and_name</constant> are performed. In addition the
+ <smbconfoption name="tls crl file"/> needs to be configured.
+ Future versions of Samba may implement additional checks.
+ </para>
+
+ <para>Note that the default is likely to change from
+ <constant>no_check</constant> to <constant>as_strict_as_possible</constant>
+ with Samba 4.5.</para>
+</description>
+
+<value type="default">no_check</value>
+</samba:parameter>
lpcfg_do_global_parameter(lp_ctx, "min wins ttl", "21600");
lpcfg_do_global_parameter(lp_ctx, "tls enabled", "True");
+ lpcfg_do_global_parameter(lp_ctx, "tls verify peer", "no_check");
lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem");
lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem");
lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
#include "lib/param/param_global.h"
#include "libcli/smb/smb_constants.h"
#include "libds/common/roles.h"
+#include "source4/lib/tls/tls.h"
#ifndef N_
#define N_(x) x
{-1, NULL}
};
+static const struct enum_list enum_tls_verify_peer_vals[] = {
+ {TLS_VERIFY_PEER_NO_CHECK,
+ TLS_VERIFY_PEER_NO_CHECK_STRING},
+ {TLS_VERIFY_PEER_CA_ONLY,
+ TLS_VERIFY_PEER_CA_ONLY_STRING},
+ {TLS_VERIFY_PEER_CA_AND_NAME_IF_AVAILABLE,
+ TLS_VERIFY_PEER_CA_AND_NAME_IF_AVAILABLE_STRING},
+ {TLS_VERIFY_PEER_CA_AND_NAME,
+ TLS_VERIFY_PEER_CA_AND_NAME_STRING},
+ {TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE,
+ TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE_STRING},
+ {-1, NULL}
+};
+
/* DNS update options. */
static const struct enum_list enum_dns_update_settings[] = {
{DNS_UPDATE_OFF, "disabled"},
#include "dbwrap/dbwrap_rbt.h"
#include "../lib/util/bitmap.h"
#include "librpc/gen_ndr/nbt.h"
+#include "source4/lib/tls/tls.h"
#ifdef HAVE_SYS_SYSCTL_H
#include <sys/sysctl.h>
Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
Globals.tls_enabled = true;
+ Globals.tls_verify_peer = TLS_VERIFY_PEER_NO_CHECK;
lpcfg_string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem");
lpcfg_string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem");