[Samba] Samba 4 - disabling SSLv3 to mitigate POODLE effects

Andrew Bartlett abartlet at samba.org
Sat Nov 15 00:50:46 MST 2014


On Tue, 2014-11-04 at 11:07 +0000, Chris Alavoine wrote:
> Hi all,
> 
> Am trying to find a way to disable SSLv3 protocol in smb.conf on Samba4.
> 
> I am using the following:
> 
>         tls enabled  = yes
>         tls keyfile  = tls/myKey.pem
>         tls certfile = tls/myCert.pem
>         tls cafile   =
> 
> With a self-signed cert.
> 
> But when I remote connect from another host using:
> 
> openssl s_client -showcerts -connect samba4-dc:636 -ssl3
> 
> I get a successful connection.
> 
> Any ideas?

It would be up to whatever GNUTLS supports.

I agree we should fix it (and any clues as to how to - from the C code -
control the SSL stuff so we can expose it in a smb.conf option most
welcome), but my understanding is that this attack is much less feasible
on LDAP:
https://ludopoitou.wordpress.com/2014/10/16/poodle-ssl-bug-and-opendj/#comment-6703

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
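A scripted version of the check the original poster ran, added here as an example and not code from the thread or from Samba: it runs the same openssl s_client -ssl3 probe against an LDAPS port and parses the output, so a fleet of DCs can be checked and the result asserted rather than read by eye. It assumes an openssl build that still accepts -ssl3; a build without SSLv3 support rejects the option, which the parser reports as "not accepted".

```shell
#!/bin/sh
# Added example (not from the thread): detect whether an LDAPS endpoint
# still negotiates SSLv3, using the same probe as the original post.

# ssl3_accepted OUTPUT
# Returns 0 when the captured "openssl s_client -ssl3" output shows a
# completed SSLv3 session, 1 otherwise (handshake failure, wrong version,
# or an openssl build that does not know the -ssl3 option at all).
ssl3_accepted() {
    out="$1"
    case "$out" in
        *"handshake failure"*|*"wrong version number"*|*"nknown option"*)
            return 1 ;;
    esac
    # A completed session prints "Protocol  : SSLv3" in the SSL-Session block.
    printf '%s\n' "$out" | grep -q 'Protocol *: *SSLv3' && return 0
    return 1
}

# probe_host HOST [PORT]
# Same command as in the thread (minus -showcerts), with stdin closed so
# s_client exits after the handshake. Returns 1 if SSLv3 was accepted.
probe_host() {
    host="$1"; port="${2:-636}"
    out=$(openssl s_client -connect "$host:$port" -ssl3 </dev/null 2>&1)
    if ssl3_accepted "$out"; then
        echo "FAIL $host:$port still negotiates SSLv3"
        return 1
    fi
    echo "ok   $host:$port rejects SSLv3"
    return 0
}

# Usage: ./check-ssl3.sh samba4-dc [636]
if [ "$#" -gt 0 ]; then
    probe_host "$@"
fi
```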