Require GnuTLS 3.4.7 for Samba 4.12 in March 2020?
Andrew Bartlett
abartlet at samba.org
Wed Jul 31 04:25:55 UTC 2019

I'm reviewing "Use GnuTLS AES ciphers if supported by the installed
GnuTLS version" for Andreas.

https://gitlab.com/samba-team/samba/merge_requests/669

The one thing I really don't like is the #ifdef on HAVE_GNUTLS_AEAD. I
would prefer we just chose to rely on GnuTLS. [1]

Duplicated code is bad, duplicated crypto code is particularly bad and
I would really like to remove our existing duplicates rather than add
more.

Not only are we short on maintenance resources, we would also need to
restructure our testsuite to force a non-GnuTLS build to ensure we
actually test this at all.

In doing so I know many folks really like running current Samba (both
as an AD DC and fileserver) on older enterprise distributions.

In this case, RHEL 8, Ubuntu 16.04 and current Debian stable
all have GnuTLS versions later than 3.4.7.

So, what do folks think? This would be for Samba 4.12 to be released
in March 2020.

To see how much can be removed, I'm exploring the idea in this WIP MR:
https://gitlab.com/samba-team/samba/merge_requests/676

Note, for CentOS 7 and earlier it may be possible to use
https://github.com/nkadel/compat-gnutls34-3.x-srpm

Andrew Bartlett

[1] Sadly we couldn't totally remove the Samba AES code, as SMB 2.24
requires AES-CMAC-128, but the impact would be far more constrained.

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba