to be supported in the parts of Samba that use GnuTLS, specifically
the AD DC.
</para>
+ <para>The default turns off SSLv3, as this protocol is no longer considered
+ secure after CVE-2014-3566 (otherwise known as POODLE) impacted SSLv3 use
+ in HTTPS applications.
+ </para>
<para>The valid options are described in the
<ulink url="http://gnutls.org/manual/html_node/Priority-Strings.html">GNUTLS
Priority-Strings documentation at http://gnutls.org/manual/html_node/Priority-Strings.html</ulink>
</para>
</description>
- <value type="default">NORMAL</value>
+ <value type="default">NORMAL:-VERS-SSL3.0</value>
</samba:parameter>
lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem");
lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem");
lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
- lpcfg_do_global_parameter(lp_ctx, "tls priority", "NORMAL");
+ lpcfg_do_global_parameter(lp_ctx, "tls priority", "NORMAL:-VERS-SSL3.0");
lpcfg_do_global_parameter(lp_ctx, "prefork children:smb", "4");
lpcfg_do_global_parameter(lp_ctx, "rndc command", "/usr/sbin/rndc");
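Review bot: The new `"NORMAL:-VERS-SSL3.0"` default on the `tls priority` line is now spelled out by hand in three places (this hunk, the `Globals.tls_priority` initialiser in source3/param/loadparm.c and the `<value type="default">` in the parameter docs), so the next hardening change has to be repeated in each and the copies can silently drift. Consider one shared constant, e.g. `#define DEFAULT_TLS_PRIORITY "NORMAL:-VERS-SSL3.0"` in a header visible to both loadparm.c files, and use it in both `lpcfg_do_global_parameter()` and the `string_set()` call. A short why-comment on the line, `/* SSLv3 dropped: POODLE, CVE-2014-3566 */`, would also save readers a trip to the docs. The enclosing function starts and ends outside this hunk.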
string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem");
string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem");
string_set(Globals.ctx, &Globals._tls_cafile, "tls/ca.pem");
- string_set(Globals.ctx, &Globals.tls_priority, "NORMAL");
+ string_set(Globals.ctx, &Globals.tls_priority, "NORMAL:-VERS-SSL3.0");
string_set(Globals.ctx, &Globals.share_backend, "classic");
check "RootDSE" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base DUMMY=x dnsHostName highestCommittedUSN || failed=`expr $failed + 1`
check "RootDSE (full)" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base '(objectClass=*)' || failed=`expr $failed + 1`
check "RootDSE (extended)" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base '(objectClass=*)' --extended-dn || failed=`expr $failed + 1`
+if [ x$p = x"ldaps" ]; then
+ testit_expect_failure "RootDSE over SSLv3 should fail" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base DUMMY=x dnsHostName highestCommittedUSN --option='tlspriority=NONE:+VERS-SSL3.0:+MAC-ALL:+CIPHER-ALL:+RSA:+SIGN-ALL:+COMP-NULL' && failed=`expr $failed + 1`
+fi
echo "Getting defaultNamingContext"
BASEDN=`$ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base DUMMY=x defaultNamingContext | grep defaultNamingContext | awk '{print $2}'`
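Review bot: The expected-failure case added under `if [ x$p = x"ldaps" ]` can pass for the wrong reason: on a client whose GnuTLS build has SSLv3 disabled, the `+VERS-SSL3.0` priority string is rejected at initialisation and ldbsearch fails before any handshake, so the test no longer shows that the server's `NORMAL:-VERS-SSL3.0` default is what refuses the connection. A positive control using the same explicit string with a TLS version, e.g. `check "RootDSE with explicit TLS priority" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base DUMMY=x dnsHostName --option='tlspriority=NONE:+VERS-TLS1.0:+MAC-ALL:+CIPHER-ALL:+RSA:+SIGN-ALL:+COMP-NULL'` with the same `|| failed=...` tail, would prove the override path itself works, and skipping the SSLv3 case when the client cannot offer the protocol would keep the negative check honest. Note too that the `&& failed=` tail relies on `testit_expect_failure` returning the wrapped command's status (success only when ldbsearch unexpectedly connected); that helper is defined outside this hunk, so I cannot confirm it here.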