tls: Use NORMAL:-VERS-SSL3.0 as the default configuration
This seems to be really broken in GnuTLS and the documentation is also
not correct.
This partially reverts 53e3a959b9
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14408
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul 1 14:56:33 UTC 2020 on sn-devel-184
parent
cabf873b75
commit
d308650145
@ -12,10 +12,8 @@
|
|||||||
<ulink url="http://gnutls.org/manual/html_node/Priority-Strings.html">GNUTLS
|
<ulink url="http://gnutls.org/manual/html_node/Priority-Strings.html">GNUTLS
|
||||||
Priority-Strings documentation at http://gnutls.org/manual/html_node/Priority-Strings.html</ulink>
|
Priority-Strings documentation at http://gnutls.org/manual/html_node/Priority-Strings.html</ulink>
|
||||||
</para>
|
</para>
|
||||||
<para>By default it will try to find a config file matching "SAMBA", but if
|
<para>The SSL3.0 protocol will be disabled.</para>
|
||||||
that does not exist will use the entry for "SYSTEM" and last fallback to
|
|
||||||
NORMAL. In all cases the SSL3.0 protocol will be disabled.</para>
|
|
||||||
</description>
|
</description>
|
||||||
|
|
||||||
<value type="default">@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0</value>
|
<value type="default">NORMAL:-VERS-SSL3.0</value>
|
||||||
</samba:parameter>
|
</samba:parameter>
|
||||||
|
@ -2818,15 +2818,9 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
|
|||||||
lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem");
|
lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem");
|
||||||
lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem");
|
lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem");
|
||||||
lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
|
lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
|
||||||
#ifdef HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND
|
|
||||||
lpcfg_do_global_parameter(lp_ctx,
|
|
||||||
"tls priority",
|
|
||||||
"@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0");
|
|
||||||
#else
|
|
||||||
lpcfg_do_global_parameter(lp_ctx,
|
lpcfg_do_global_parameter(lp_ctx,
|
||||||
"tls priority",
|
"tls priority",
|
||||||
"NORMAL:-VERS-SSL3.0");
|
"NORMAL:-VERS-SSL3.0");
|
||||||
#endif
|
|
||||||
|
|
||||||
lpcfg_do_global_parameter(lp_ctx, "nsupdate command", "/usr/bin/nsupdate -g");
|
lpcfg_do_global_parameter(lp_ctx, "nsupdate command", "/usr/bin/nsupdate -g");
|
||||||
|
|
||||||
|
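Review bot: The new default `"NORMAL:-VERS-SSL3.0"` is now a bare literal repeated in three places on this page — here, the source3 `init_globals()` hunk and the documented `<value type="default">` — with nothing tying them together, which is exactly how the old source3 `#else` fallback drifted to the malformed `"NORMAL!-VERS-SSL3.0"` (missing `:`). A single shared constant (e.g. a `TLS_PRIORITY_DEFAULT` macro in a header both loadparm sources can include; the name is a proposal) would stop the two C sites from disagreeing, with a comment pointing at the documented default. Dropping the `@SAMBA,SYSTEM` prefix also means the built-in default no longer follows a distribution's system-wide GnuTLS policy where one is shipped, so a why-comment such as `/* Hard-coded default; deliberately not the "@SAMBA,SYSTEM" policy lookup, see BUG 14408 */` would keep the next reader from restoring it. `loadparm_init()` starts and ends outside the hunk.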
@ -29,22 +29,6 @@ import multiprocessing
|
|||||||
import concurrent.futures
|
import concurrent.futures
|
||||||
import tempfile
|
import tempfile
|
||||||
|
|
||||||
config_h = os.path.join("bin/default/include/config.h")
|
|
||||||
config_hash = dict()
|
|
||||||
|
|
||||||
if os.path.exists(config_h):
|
|
||||||
config_hash = dict()
|
|
||||||
f = open(config_h, 'r')
|
|
||||||
try:
|
|
||||||
lines = f.readlines()
|
|
||||||
config_hash = dict((x[0], ' '.join(x[1:]))
|
|
||||||
for x in map(lambda line: line.strip().split(' ')[1:],
|
|
||||||
list(filter(lambda line: (line[0:7] == '#define') and (len(line.split(' ')) > 2), lines))))
|
|
||||||
finally:
|
|
||||||
f.close()
|
|
||||||
|
|
||||||
have_gnutls_system_config_support = ("HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND" in config_hash)
|
|
||||||
|
|
||||||
class TestCase(samba.tests.TestCaseInTempDir):
|
class TestCase(samba.tests.TestCaseInTempDir):
|
||||||
|
|
||||||
def _format_message(self, parameters, message):
|
def _format_message(self, parameters, message):
|
||||||
@ -234,11 +218,6 @@ class SmbDotConfTests(TestCase):
|
|||||||
'smbd max async dosmode',
|
'smbd max async dosmode',
|
||||||
])
|
])
|
||||||
|
|
||||||
# 'tls priority' has a legacy default value if we don't link against a
|
|
||||||
# modern GnuTLS version.
|
|
||||||
if not have_gnutls_system_config_support:
|
|
||||||
special_cases.add('tls priority')
|
|
||||||
|
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
super(SmbDotConfTests, self).setUp()
|
super(SmbDotConfTests, self).setUp()
|
||||||
# create a minimal smb.conf file for testparm
|
# create a minimal smb.conf file for testparm
|
||||||
|
@ -886,15 +886,9 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
|
|||||||
lpcfg_string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem");
|
lpcfg_string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem");
|
||||||
lpcfg_string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem");
|
lpcfg_string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem");
|
||||||
lpcfg_string_set(Globals.ctx, &Globals._tls_cafile, "tls/ca.pem");
|
lpcfg_string_set(Globals.ctx, &Globals._tls_cafile, "tls/ca.pem");
|
||||||
#ifdef HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND
|
|
||||||
lpcfg_string_set(Globals.ctx,
|
lpcfg_string_set(Globals.ctx,
|
||||||
&Globals.tls_priority,
|
&Globals.tls_priority,
|
||||||
"@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0");
|
"NORMAL:-VERS-SSL3.0");
|
||||||
#else
|
|
||||||
lpcfg_string_set(Globals.ctx,
|
|
||||||
&Globals.tls_priority,
|
|
||||||
"NORMAL!-VERS-SSL3.0");
|
|
||||||
#endif
|
|
||||||
|
|
||||||
lpcfg_string_set(Globals.ctx, &Globals.share_backend, "classic");
|
lpcfg_string_set(Globals.ctx, &Globals.share_backend, "classic");
|
||||||
|
|
||||||
|
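Review bot: The fallback removed on the old side, `"NORMAL!-VERS-SSL3.0"`, lacked the `:` separator and evidently shipped that way, which suggests nothing exercises the compiled-in `tls priority` default against GnuTLS's priority-string parser; a small test that feeds the built-in default through that parser would catch the next such typo before it reaches a release. The new `lpcfg_string_set()` call, like its neighbours, appears to discard the function's result, so a failure would leave `Globals.tls_priority` without the default — presumably acceptable during init, but a one-line comment saying so would make that explicit. `init_globals()` starts and ends outside the hunk.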