lib/tls: Change default supported TLS versions.

The new default is to disable SSLv3, as this is no longer considered
secure after CVE-2014-3566.  Newer GnuTLS versions already disable SSLv3.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>

diff --git a/docs-xml/smbdotconf/security/tlspriority.xml b/docs-xml/smbdotconf/security/tlspriority.xml
index 345f0302764cde6a636e0badd74c2f44fdc236e6..d399eef8eef8480616257a0f3d28b95a90bae868 100644 (file)
--- a/docs-xml/smbdotconf/security/tlspriority.xml
+++ b/docs-xml/smbdotconf/security/tlspriority.xml
@@ -8,11 +8,15 @@
    to be supported in the parts of Samba that use GnuTLS, specifically
    the AD DC.
    </para>
+   <para>The default turns off SSLv3, as this protocol is no longer considered
+   secure after CVE-2014-3566 (otherwise known as POODLE) impacted SSLv3 use
+   in HTTPS applications.
+   </para>
    <para>The valid options are described in the
    <ulink url="http://gnutls.org/manual/html_node/Priority-Strings.html">GNUTLS
    Priority-Strings documentation at http://gnutls.org/manual/html_node/Priority-Strings.html</ulink>
    </para>
  </description>
 
- <value type="default">NORMAL</value>
+ <value type="default">NORMAL:-VERS-SSL3.0</value>
 </samba:parameter>

diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 1a0d45908d63c422898c06d8da24966470190b63..06a9e59f35c47385b2bd09d552ec90de4ddbb287 100644 (file)
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2541,7 +2541,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
        lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem");
        lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem");
        lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
-       lpcfg_do_global_parameter(lp_ctx, "tls priority", "NORMAL");
+       lpcfg_do_global_parameter(lp_ctx, "tls priority", "NORMAL:-VERS-SSL3.0");
        lpcfg_do_global_parameter(lp_ctx, "prefork children:smb", "4");
 
        lpcfg_do_global_parameter(lp_ctx, "rndc command", "/usr/sbin/rndc");

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index fb66eaa39a92fbb9480815587cfd2d1727f8be16..beba137aacf211081816c68aec1367b4081fb242 100644 (file)
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -872,7 +872,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
        string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem");
        string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem");
        string_set(Globals.ctx, &Globals._tls_cafile, "tls/ca.pem");
-       string_set(Globals.ctx, &Globals.tls_priority, "NORMAL");
+       string_set(Globals.ctx, &Globals.tls_priority, "NORMAL:-VERS-SSL3.0");
 
        string_set(Globals.ctx, &Globals.share_backend, "classic");
 

diff --git a/testprogs/blackbox/test_ldb.sh b/testprogs/blackbox/test_ldb.sh
index 60bad44ebb97010a872afe329ae669236d41321d..394a7e88bf55359665bd94bfe80459c9863726ee 100755 (executable)
--- a/testprogs/blackbox/test_ldb.sh
+++ b/testprogs/blackbox/test_ldb.sh
@@ -39,6 +39,9 @@ ldbsearch="$VALGRIND ldbsearch"
 check "RootDSE" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base DUMMY=x dnsHostName highestCommittedUSN || failed=`expr $failed + 1`
 check "RootDSE (full)" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base '(objectClass=*)' || failed=`expr $failed + 1`
 check "RootDSE (extended)" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base '(objectClass=*)' --extended-dn || failed=`expr $failed + 1`
+if [ x$p = x"ldaps" ]; then
+   testit_expect_failure "RootDSE over SSLv3 should fail" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base DUMMY=x dnsHostName highestCommittedUSN --option='tlspriority=NONE:+VERS-SSL3.0:+MAC-ALL:+CIPHER-ALL:+RSA:+SIGN-ALL:+COMP-NULL' && failed=`expr $failed + 1`
+fi
 
 echo "Getting defaultNamingContext"
 BASEDN=`$ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base DUMMY=x defaultNamingContext | grep defaultNamingContext | awk '{print $2}'`