[PATCH] Crypto use in Samba (was: Re: SMB3 encryption performance)

Michael Ledford michael at ledford.cc
Tue Feb 17 07:36:25 MST 2015

On Tue, Feb 17, 2015 at 9:18 AM, Volker Lendecke
<Volker.Lendecke at sernet.de> wrote:
> On Tue, Feb 17, 2015 at 09:09:37AM -0500, Simo wrote:
>> On Tue, 2015-02-17 at 09:14 +0100, Volker Lendecke wrote:
>> > On Tue, Feb 17, 2015 at 11:56:01AM +1300, Andrew Bartlett wrote:
>> > > The latest unreleased version of GnuTLS seems to provide it.  Also, the
>> > > latest protocol version seems to use the GCM mode.
>> >
>> > It will take a couple of years before this trickles into the relevant
>> > distros. I think we need to drop GnuTLS then and look for something
>> > else. OpenSSL seems impossible because I don't think we can change our
>> > license. Another one that advertises HW support is libgcrypt then. Or
>> > for this special use case we might grow something on our own? This can't
>> > be rocket science.
>> Crypto is harder than rocket science, please let's not try to do our
>> own.
>> libgcrypt is also an option, but I wouldn't discard using OpenSSL, even
>> if it requires us to add an exception to the license. I do not think it
>> would be too hard. We changed license on parts of samba before, this is
>> not different.
> Ok, I believe then we should postpone this whole effort to the point
> when Debian and RHEL by default ship GnuTLS versions that do all we need.

That's a shame.

It looks like GnuTLS is aiming for a march release of 3.4
which as Andrew pointed out, thank you for looking I totally missed
it, does have the support needed.

Is there anything that could be done to move this forward in the meantime?


More information about the samba-technical mailing list