CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible"

author Stefan Metzmacher <metze@samba.org>

Wed, 16 Mar 2016 12:03:08 +0000 (13:03 +0100)

committer Stefan Metzmacher <metze@samba.org>

Tue, 12 Apr 2016 17:25:25 +0000 (19:25 +0200)
author Stefan Metzmacher <metze@samba.org>
Wed, 16 Mar 2016 12:03:08 +0000 (13:03 +0100)
committer Stefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:25 +0000 (19:25 +0200)
diff --git a/docs-xml/smbdotconf/security/tlsverifypeer.xml b/docs-xml/smbdotconf/security/tlsverifypeer.xml

index ce6897d3d93de8176412233da583adef98de3af5..4f47dd4db0d32dd971b5f0a7e8eb19ca05c0c4eb 100644 (file)
--- a/docs-xml/smbdotconf/security/tlsverifypeer.xml
+++ b/docs-xml/smbdotconf/security/tlsverifypeer.xml
@@ -41,11 +41,7 @@
         <smbconfoption name="tls crl file"/> needs to be configured.
         Future versions of Samba may implement additional checks.
         </para>
-
-       <para>Note that the default is likely to change from
-       <constant>no_check</constant> to <constant>as_strict_as_possible</constant>
-       with Samba 4.5.</para>
  </description>
  
-<value type="default">no_check</value>
+<value type="default">as_strict_as_possible</value>
  </samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c

index 43defc171ff3c5e4cbec810659b471b75c7e1917..5c9f6a1114d286f038edff5b7c5e03b24956a5cf 100644 (file)
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2674,7 +2674,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
         lpcfg_do_global_parameter(lp_ctx, "min wins ttl", "21600");
  
         lpcfg_do_global_parameter(lp_ctx, "tls enabled", "True");
-       lpcfg_do_global_parameter(lp_ctx, "tls verify peer", "no_check");
+       lpcfg_do_global_parameter(lp_ctx, "tls verify peer", "as_strict_as_possible");
         lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem");
         lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem");
         lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c

index a2b1000f9d3f3a9ff9fe537e049f18f206f8a0c8..17cbaff577aea3448231c2310dac74484b8e28e9 100644 (file)
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -869,7 +869,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
         Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
  
         Globals.tls_enabled = true;
-       Globals.tls_verify_peer = TLS_VERIFY_PEER_NO_CHECK;
+       Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE;
  
         lpcfg_string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem");
         lpcfg_string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem");
author	Stefan Metzmacher <metze@samba.org>
	Wed, 16 Mar 2016 12:03:08 +0000 (13:03 +0100)
committer	Stefan Metzmacher <metze@samba.org>
	Tue, 12 Apr 2016 17:25:25 +0000 (19:25 +0200)
docs-xml/smbdotconf/security/tlsverifypeer.xml		patch \| blob \| history
lib/param/loadparm.c		patch \| blob \| history
source3/param/loadparm.c		patch \| blob \| history