Require GnuTLS 3.4.7 for Samba 4.12 in March 2020?

Andrew Bartlett abartlet at
Wed Jul 31 04:25:55 UTC 2019

I'm reviewing "Use GnuTLS AES ciphers if supported by the installed
GnuTLS version" for Andreas.

The one thing I really don't like is the #ifdef on HAVE_GNUTLS_AEAD.  I
would prefer we just chose to rely on GnuTLS. [1]

Duplicated code is bad, duplicated crypto code is particularly bad and
I would really like to remove our existing duplicates rather than add

Not only are we short on maintenance resources, we would also need to
restructure our testsuite to force a non-GnuTLS build to ensure we
actually test this at all.

In doing so I know many folks really like running current Samba (both
as an AD DC and fileserver) on older enterprise distributions. 

In this case, RHEL 8, Ubuntu 16.04 and current Debian stable
all have GnuTLS versions later than 3.4.7.

So, what do folks think?  This would be for Samba 4.12 to be released
in March 2020.

To see how much can be removed, I'm exploring the idea in this WIP MR:

Note, for CentOS 7 and earlier it may be possible to use

Andrew Bartlett

[1] Sadly we couldn't totally remove the Samba AES code, as SMB 2.24
requires AES-CMAC-128, but the impact would be far more constrained.

Andrew Bartlett
Authentication Developer, Samba Team
Samba Development and Support, Catalyst IT
