[PATCH] security hole in Samba 3.0 start tls handling

Steve Langasek vorlon at netexpress.net
Tue Oct 29 23:26:00 GMT 2002

On Wed, Oct 30, 2002 at 10:15:46AM +1100, Andrew Bartlett wrote:

> > It appears that in Samba 3.0, the meaning of "ldap ssl = start tls" is
> > somewhat diluted.  First, the start tls command is only ever issued if
> > the given ldapsam URI has a protocol string of ldaps://, which is
> > definitely an issue -- TLS is quite a different protocol from SSL, and
> > the whole point of TLS is to NOT use a separate port for SSL
> > connections.  Second, the STARTTLS support is completely disabled if
> > using newer versions of the OpenLDAP client libs, resulting in the
> > ldap ssl option being *silently* ignored to the detriment of SAM
> > security.

> > A workaround for existing systems is to use ldaps instead of tls.  The
> > attached patch against SAMBA_3_0 will add support for STARTTLS when
> > using OpenLDAP libs.  The muddled interaction between TLS and SSL is
> > not addressed.

> Hmm - I had hoped that we could specify as much information in that URL
> as possible...

> Is there no way to indicate this in the URL?

No, no more than you can indicate SASL preferences in a URL.  You
*could* embed this information in a URI string, but there would be
nothing particularly standard about this, and the LDAP libraries are
unlikely to understand them -- so Samba will still have to parse these
components out of the URL and handle them directly.

Steve Langasek
postmodern programmer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20021029/260071a3/attachment.bin

More information about the samba-technical mailing list