2025-03-01 04:58:35 +03:00 · 2016-03-16 13:03:08 +01:00 · 2016-03-16 13:03:08 +01:00 · 641cbccc95
commit 641cbccc95
parent d778580aa2
3 changed files with 3 additions and 7 deletions
--- a/docs-xml/smbdotconf/security/tlsverifypeer.xml
+++ b/docs-xml/smbdotconf/security/tlsverifypeer.xml
@ -41,11 +41,7 @@
 	<smbconfoption name="tls crl file"/> needs to be configured.
 	Future versions of Samba may implement additional checks.
 	</para>
-
-	<para>Note that the default is likely to change from
-	<constant>no_check</constant> to <constant>as_strict_as_possible</constant>
-	with Samba 4.5.</para>
 </description>

-<value type="default">no_check</value>
+<value type="default">as_strict_as_possible</value>
 </samba:parameter>
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@ -2574,7 +2574,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "min wins ttl", "21600");

 	lpcfg_do_global_parameter(lp_ctx, "tls enabled", "True");
-	lpcfg_do_global_parameter(lp_ctx, "tls verify peer", "no_check");
+	lpcfg_do_global_parameter(lp_ctx, "tls verify peer", "as_strict_as_possible");
 	lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem");
 	lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem");
 	lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@ -868,7 +868,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);

 	Globals.tls_enabled = true;
-	Globals.tls_verify_peer = TLS_VERIFY_PEER_NO_CHECK;
+	Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE;

 	lpcfg_string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem");
 	lpcfg_string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem");