We need to rework "allow weak crypto" mode in Samba

Andrew Bartlett abartlet at samba.org
Fri Mar 18 19:09:21 UTC 2022


Fair enough, and largely my point. Samba doesn't really have a FIPS
mode (given it is applied inconsistently), we have an "allow weak
crypto" switch currently controlled by the GnuTLS detection of the
system FIPS mode.

We should have better global control of weaker crypto, to allow
organisational policy guides to be written, that is beyond the
GnuTLS FIPS mode.

Andrew,

On Fri, 2022-03-18 at 21:00 +0200, Aleksandar Kostadinov wrote:
> It is good for samba to have some switch for enabling only secure
> algorithms. But I don't think it has to be implemented by the FIPS
> mode. Some newer secure ciphers can yet be unaccepted in a FIPS
> standard. FIPS doesn't mean highest security. It just means the FIPS
> standard.
> 
> On Fri, Mar 18, 2022 at 8:36 PM Andrew Bartlett <abartlet at samba.org>
> wrote:
> > Correct, Samba can't be FIPS compliant, but we can avoid using known
> > poor cryptography not for certification purposes, but for sensible
> > 'secure by default' or at least 'can be configured to be sensibly
> > secure' design principles.
> > 
> > Just as you wouldn't offer SSLv3 even when the host is not FIPS-140
> > certified.
> > 
> > Samba's CI system runs on an Ubuntu 20.04 base for the majority of the
> > tests (as mentioned, we run a tiny number of tests in a Fedora 35
> > environment to test "FIPS mode"), but most importantly the final
> > autobuild is under the Ubuntu 20.04 platform, so we should ensure that
> > our tests are run there when possible.
> > 
> > I'm quite disappointed that the "FIPS mode" in GnuTLS is optional in this
> > way - also denying any application or administrator the opportunity to
> > opt out of weak ciphers on a per-app basis - but that is life.
> > 
> > Andrew Bartlett
> > 
> > On Fri, 2022-03-18 at 12:07 +0200, Aleksandar Kostadinov via
> > samba-technical wrote:
> > > How can samba be FIPS compliant on a non-FIPS compliant operating
> > > system?
> > > Might be easier to just run the tests in a FIPS compliant
> > > environment.

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions

