Require GnuTLS 3.4.7 for Samba 4.12 in March 2020?
Nico Kadel-Garcia
nkadel at gmail.com
Wed Jul 31 05:37:10 UTC 2019
On Wed, Jul 31, 2019 at 1:33 AM Nico Kadel-Garcia <nkadel at gmail.com> wrote:
>
> On Wed, Jul 31, 2019 at 12:27 AM Andrew Bartlett via samba-technical
> <samba-technical at lists.samba.org> wrote:
> >
> > I'm reviewing "Use GnuTLS AES ciphers if supported by the installed
> > GnuTLS version" for Andreas.
> >
> > https://gitlab.com/samba-team/samba/merge_requests/669
> >
> > The one thing I really don't like is the #ifdef on HAVE_GNUTLS_AEAD. I
> > would prefer we just chose to rely on GnuTLS. [1]
> >
> > Duplicated code is bad, duplicated crypto code is particularly bad and
> > I would really like to remove our existing duplicates rather than add
> > more.
> >
> > Not only are we short on maintenance resources, we would also need to
> > restructure our testsuite to force a non-GnuTLS build to ensure we
> > actually test this at all.
> >
> > In doing so I know many folks really like running current Samba (both
> > as an AD DC and fileserver) on older enterprise distributions.
> >
> > In this case, RHEL 8, Ubuntu 16.04 and current Debian stable
> > all have GnuTLS versions later than 3.4.7.
> >
> > So, what do folks think? This would be for Samba 4.12 to be released
> > in March 2020.
> >
> > To see how much can be removed, I'm exploring the idea in this WIP MR:
> > https://gitlab.com/samba-team/samba/merge_requests/676
> >
> > Note, for CentOS 7 and earlier it may be possible to use
> > https://github.com/nkadel/compat-gnutls34-3.x-srpm
> >
> > Andrew Bartlett
I only repackage that, I didn't write it. Credit where it's due, and
quoting from the README.md there:
>>This is based on sergiomb2's work at
>>
>> https://github.com/sergiomb2/SambaAD
So Sergio gets credit. But I'm already using it for RHEL 7/CentOS 7.
I've done some very limited testing with RHEL 8, but am waiting for
CentOS 8 to finally be released to really test that.
> > [1] Sadly we couldn't totally remove the Samba AES code, as SMB 2.24
> > requires AES-CMAC-128, but the impact would be far more constrained.
Fair enough. I'd say accept the requirement of a compatibility library
for older operating systems, and I'm glad Sergio did most of the work.
Nico Kadel-Garcia