Impending Removal of --with-ssl

Steve Langasek vorlon at netexpress.net
Fri May 3 08:55:02 GMT 2002


On Fri, May 03, 2002 at 07:56:43AM -0700, abartlet at samba.org wrote:
> This message is a warning: 

> --with-ssl will die.

> Ok, that's enough with the dramatics, but the general consensus amongst the
> samba team is that --with-ssl really isn't a particularly smart idea, and
> it is better implemented by external tools.

> So what is --with-ssl exactly?  And why kill it?

> --with-ssl allows Samba to tunnel SMB inside an SSL connection.  Unfortunately
> there are only 2 clients:  smbclient and sharity.  Windows clients simply
> don't know how to use SSL.

> So why kill it?  It might be useful to somebody?

> While some small minority of users might find it handy, it confuses many more,
> including a surprising number of our distributors.  Users actually using this
> functionality will find that they can achieve almost the same effect by creative
> use of 'stunnel' both as an inetd wrapper and as a 'LIBSMB_PROG' program.

> Finally, it is intrusive and ugly, with large #ifdef sections in what should
> be simple code.

> If somebody can come up with both reasons to keep this code, and time to
> maintain it, then I would like to hear it.

Though I don't object to --with-ssl's presence if someone is willing to
maintain it, there are a variety of reasons why Debian has never enabled
this option, and probably never will.  Having gotten past the obstacle
of US export law, it's now been pointed out[1] that the GPL does not
permit us as a distributor to ship GPLed binaries linked against OpenSSL
together with the OpenSSL libraries themselves; unless all copyright
holders in Samba are willing to grant an explicit exemption for linking
with OpenSSL, Debian is not willing to expose itself or its mirror
operators to the legal risk.

Assuming everyone was ok with the legal minutiae, we would still have to
decide if SSL was really worth enabling.  I've always been lukewarm
about this option, because setting up an SSL tunnel on the Unix side has
always been the /easy/ part: it's configuring all of your Windows
clients (of varying flavors) to use SSL for SMB connections that takes
doing.  So the savings of having SSL support compiled into Samba are
minimal, but the potential headaches are numerous.  I'd almost say you'd 
be doing users a favor by removing this option.

Steve Langasek
postmodern programmer

[1] http://lists.debian.org/debian-devel/2002/debian-devel-200203/msg01569.html et al.