sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-01 04:58:35 +03:00
Code

CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible"

Browse Source 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
This commit is contained in:
Stefan Metzmacher 2016-03-16 13:03:08 +01:00
parent d778580aa2
commit 641cbccc95
3 changed files with 3 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
docs-xml/smbdotconf/security/tlsverifypeer.xml
View File

@ -41,11 +41,7 @@
<smbconfoption name="tls crl file"/> needs to be configured. <smbconfoption name="tls crl file"/> needs to be configured.
Future versions of Samba may implement additional checks. Future versions of Samba may implement additional checks.
</para> </para>
<para>Note that the default is likely to change from
<constant>no_check</constant> to <constant>as_strict_as_possible</constant>
with Samba 4.5.</para>
</description> </description>
<value type="default">no_check</value> <value type="default">as_strict_as_possible</value>
</samba:parameter> </samba:parameter>

2
lib/param/loadparm.c
View File

@ -2574,7 +2574,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "min wins ttl", "21600"); lpcfg_do_global_parameter(lp_ctx, "min wins ttl", "21600");
lpcfg_do_global_parameter(lp_ctx, "tls enabled", "True"); lpcfg_do_global_parameter(lp_ctx, "tls enabled", "True");
lpcfg_do_global_parameter(lp_ctx, "tls verify peer", "no_check"); lpcfg_do_global_parameter(lp_ctx, "tls verify peer", "as_strict_as_possible");
lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem"); lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem");
lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem"); lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem");
lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem"); lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");

2
source3/param/loadparm.c
View File

@ -868,7 +868,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL); Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
Globals.tls_enabled = true; Globals.tls_enabled = true;
Globals.tls_verify_peer = TLS_VERIFY_PEER_NO_CHECK; Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE;
lpcfg_string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem"); lpcfg_string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem");
lpcfg_string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem"); lpcfg_string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem");