Require GnuTLS 3.4.7 for Samba 4.12 in March 2020?
jra at samba.org
Wed Jul 31 18:39:04 UTC 2019
On Wed, Jul 31, 2019 at 04:25:55PM +1200, Andrew Bartlett via samba-technical wrote:
> I'm reviewing "Use GnuTLS AES ciphers if supported by the installed
> GnuTLS version" for Andreas.
> The one thing I really don't like is the #ifdef on HAVE_GNUTLS_AEAD. I
> would prefer we just chose to rely on GnuTLS. 
> Duplicated code is bad, duplicated crypto code is particularly bad and
> I would really like to remove our existing duplicates rather than add
> Not only are we short on maintainece resources, we would also need to
> restructure our testuite to force a non-GnuTLS build to ensure we
> actually test this at all.
> In doing so I know many folks really like running current Samba (both
> as an AD DC and fileserver) on older enterprise distributions.
> In this case, RHEL 8, Ubuntu 16.04 and current debian stable
> all have GnuTLS versions later than 3.4.7.
> So, what do folks think? This would be for Samba 4.12 to be released
> in March 2020.
> To see how much can be removed, I'm exploring the idea in this WIP MR:
> Note, for CentOS 7 and earlier it may be possible to use
> Andrew Bartlett
>  Sadly we couldn't totally remove the Samba AES code, as SMB 2.24
> requires AES-CMAC-128, but the impact would be far more constrained.
+1 from me. Moving to fewer Samba-supported crypto implementations
is a big win for long-term security and maintainability IMHO.
More information about the samba-technical