[PATCH] security hole in Samba 3.0 start tls handling
Steve Langasek
vorlon at netexpress.net
Tue Oct 29 23:26:00 GMT 2002
On Wed, Oct 30, 2002 at 10:15:46AM +1100, Andrew Bartlett wrote:
> > It appears that in Samba 3.0, the meaning of "ldap ssl = start tls" is
> > somewhat diluted. First, the start tls command is only ever issued if
> > the given ldapsam URI has a protocol string of ldaps://, which is
> > definitely an issue -- TLS is quite a different protocol from SSL, and
> > the whole point of TLS is to NOT use a separate port for SSL
> > connections. Second, the STARTTLS support is completely disabled if
> > using newer versions of the OpenLDAP client libs, resulting in the
> > ldap ssl option being *silently* ignored to the detriment of SAM
> > security.
> > A workaround for existing systems is to use ldaps instead of tls. The
> > attached patch against SAMBA_3_0 will add support for STARTTLS when
> > using OpenLDAP libs. The muddled interaction between TLS and SSL is
> > not addressed.
> Hmm - I had hoped that we could specify as much information in that URL
> as possible...
> Is there no way to indicate this in the URL?
No, no more than you can indicate SASL preferences in a URL. You
*could* embed this information in a URI string, but there would be
nothing particularly standard about this, and the LDAP libraries are
unlikely to understand them -- so Samba will still have to parse these
components out of the URL and handle them directly.
Steve Langasek
postmodern programmer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20021029/260071a3/attachment.bin
More information about the samba-technical
mailing list