to be supported in the parts of Samba that use GnuTLS, specifically
the AD DC.
</para>
- <para>The default turns off SSLv3, as this protocol is no longer considered
- secure after CVE-2014-3566 (otherwise known as POODLE) impacted SSLv3 use
- in HTTPS applications.
- </para>
+ <para>The string is appended to the default priority list of GnuTLS.</para>
<para>The valid options are described in the
<ulink url="http://gnutls.org/manual/html_node/Priority-Strings.html">GNUTLS
Priority-Strings documentation at http://gnutls.org/manual/html_node/Priority-Strings.html</ulink>
</para>
+ <para>By default it will try to find a config file matching "SAMBA", but if
+ that does not exist will use the entry for "SYSTEM" and last fallback to
+ NORMAL. In all cases the SSL3.0 protocol will be disabled.</para>
</description>
- <value type="default">NORMAL:-VERS-SSL3.0</value>
+ <value type="default">@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0</value>
</samba:parameter>
lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem");
lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem");
lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
- lpcfg_do_global_parameter(lp_ctx, "tls priority", "NORMAL:-VERS-SSL3.0");
+#ifdef HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND
+ lpcfg_do_global_parameter(lp_ctx,
+ "tls priority",
+ "@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0");
+#else
+ lpcfg_do_global_parameter(lp_ctx,
+ "tls priority",
+ "NORMAL:-VERS-SSL3.0");
+#endif
lpcfg_do_global_parameter(lp_ctx, "nsupdate command", "/usr/bin/nsupdate -g");
import subprocess
import xml.etree.ElementTree as ET
+config_h = os.path.join("bin/default/include/config.h")
+config_hash = dict()
+
+if os.path.exists(config_h):
+ config_hash = dict()
+ f = open(config_h, 'r')
+ try:
+ lines = f.readlines()
+ config_hash = dict((x[0], ' '.join(x[1:]))
+ for x in map(lambda line: line.strip().split(' ')[1:],
+ list(filter(lambda line: (line[0:7] == '#define') and (len(line.split(' ')) > 2), lines))))
+ finally:
+ f.close()
+
+have_gnutls_system_config_support = ("HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND" in config_hash)
class TestCase(samba.tests.TestCaseInTempDir):
'smbd max async dosmode',
])
+ # 'tls priority' has a legacy default value if we don't link against a
+ # modern GnuTLS version.
+ if not have_gnutls_system_config_support:
+ special_cases.add('tls priority')
+
def setUp(self):
super(SmbDotConfTests, self).setUp()
# create a minimal smb.conf file for testparm
lpcfg_string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem");
lpcfg_string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem");
lpcfg_string_set(Globals.ctx, &Globals._tls_cafile, "tls/ca.pem");
- lpcfg_string_set(Globals.ctx, &Globals.tls_priority,
- "NORMAL:-VERS-SSL3.0");
+#ifdef HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND
+ lpcfg_string_set(Globals.ctx,
+ &Globals.tls_priority,
+ "@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0");
+#else
+ lpcfg_string_set(Globals.ctx,
+ &Globals.tls_priority,
+ "NORMAL!-VERS-SSL3.0");
+#endif
lpcfg_string_set(Globals.ctx, &Globals.share_backend, "classic");
return tevent_req_post(req, ev);
}
- ret = gnutls_priority_set_direct(tlss->tls_session,
- tls_params->tls_priority,
- &error_pos);
+ ret = gnutls_set_default_priority(tlss->tls_session);
if (ret != GNUTLS_E_SUCCESS) {
- DEBUG(0,("TLS %s - %s. Check 'tls priority' option at '%s'\n",
- __location__, gnutls_strerror(ret), error_pos));
+ DBG_ERR("TLS %s - %s. Failed to set default priorities\n",
+ __location__, gnutls_strerror(ret));
tevent_req_error(req, EINVAL);
return tevent_req_post(req, ev);
}
+ if (strlen(tls_params->tls_priority) > 0) {
+ ret = gnutls_priority_set_direct(tlss->tls_session,
+ tls_params->tls_priority,
+ &error_pos);
+ if (ret != GNUTLS_E_SUCCESS) {
+ DEBUG(0,("TLS %s - %s. Check 'tls priority' option at '%s'\n",
+ __location__, gnutls_strerror(ret), error_pos));
+ tevent_req_error(req, EINVAL);
+ return tevent_req_post(req, ev);
+ }
+ }
+
ret = gnutls_credentials_set(tlss->tls_session,
GNUTLS_CRD_CERTIFICATE,
tls_params->x509_cred);
return tevent_req_post(req, ev);
}
- ret = gnutls_priority_set_direct(tlss->tls_session,
- tlsp->tls_priority,
- &error_pos);
+ ret = gnutls_set_default_priority(tlss->tls_session);
if (ret != GNUTLS_E_SUCCESS) {
- DEBUG(0,("TLS %s - %s. Check 'tls priority' option at '%s'\n",
- __location__, gnutls_strerror(ret), error_pos));
+ DBG_ERR("TLS %s - %s. Failed to set default priorities\n",
+ __location__, gnutls_strerror(ret));
tevent_req_error(req, EINVAL);
return tevent_req_post(req, ev);
}
+ if (strlen(tlsp->tls_priority) > 0) {
+ ret = gnutls_priority_set_direct(tlss->tls_session,
+ tlsp->tls_priority,
+ &error_pos);
+ if (ret != GNUTLS_E_SUCCESS) {
+ DEBUG(0,("TLS %s - %s. Check 'tls priority' option at '%s'\n",
+ __location__, gnutls_strerror(ret), error_pos));
+ tevent_req_error(req, EINVAL);
+ return tevent_req_post(req, ev);
+ }
+ }
+
ret = gnutls_credentials_set(tlss->tls_session, GNUTLS_CRD_CERTIFICATE,
tlsp->x509_cred);
if (ret != GNUTLS_E_SUCCESS) {
# Check for gnutls_pkcs7_get_embedded_data_oid (>= 3.5.5) required by libmscat
conf.CHECK_FUNCS_IN('gnutls_pkcs7_get_embedded_data_oid', 'gnutls')
+# Check for gnutls_set_default_priority_append (>= 3.6.3)
+conf.CHECK_FUNCS_IN('gnutls_set_default_priority_append', 'gnutls')
+
# Check for gnutls_aead_cipher_encryptv2
#
# This is available since version 3.6.10, but 3.6.10 has a bug which got fixed