[Samba] Samba 4 - disabling SSLv3 to mitigate POODLE effects

Harry Jede walk2sun at arcor.de
Sat Nov 15 05:55:05 MST 2014


On 13:46:29, Andrew Bartlett wrote:
> On Tue, 2014-11-04 at 11:07 +0000, Chris Alavoine wrote:
> > Hi all,
> > 
> > Am trying to find a way to disable SSLv3 protocol in smb.conf on
> > Samba4.
> > 
> > I am using the following:
> >         tls enabled  = yes
> >         tls keyfile  = tls/myKey.pem
> >         tls certfile = tls/myCert.pem
> >         tls cafile   =
> > 
> > With a self-signed cert.
> > 
> > But when I remote connect from another host using:
> > 
> > openssl s_client -showcerts -connect samba4-dc:636 -ssl3
> > 
> > I get a successful connection.
> > 
> > Any ideas?
> 
> It would be up to whatever GNUTLS supports.
> 
> I agree we should fix it (and any clues as to how to - from the C
> code - control the SSL stuff so we can expose it in a smb.conf
> option most welcome)
I think if we can get an option like "--priority" from "gnutls-serv"
then one can set the ciphers, MACs, algorithms, ...

and we need a "--dhparams" option.

> , but my understanding is that this attack is
> much less feasible on LDAP:
> https://ludopoitou.wordpress.com/2014/10/16/poodle-ssl-bug-and-opendj/#comment-6703


-- 

Regards
	Harry Jede
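As an added check, not part of this thread or of Samba itself: a small POSIX shell script that runs the same `openssl s_client -ssl3` probe the original poster used against the DC's LDAPS port and classifies the result, so the test can be repeated after a configuration change. The host name, port and the output patterns it matches on are assumptions about typical openssl output.

```sh
#!/bin/sh
# Added example (not from the thread). Classify the output of
# "openssl s_client ... -ssl3" to decide whether SSLv3 was accepted.
# Returns one of: accepted, rejected, untestable, unknown.
classify_sslv3() {
    out="$1"
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        # this openssl build has no SSLv3 client support at all,
        # so the probe says nothing about the server
        echo untestable
    elif printf '%s\n' "$out" | grep -q 'Protocol *: *SSLv3'; then
        # a session was negotiated with SSLv3: the server still offers it
        echo accepted
    elif printf '%s\n' "$out" | grep -Eqi 'handshake failure|alert|unsupported protocol|wrong version'; then
        # the server refused the SSLv3 handshake
        echo rejected
    else
        echo unknown
    fi
}

# Run the probe from the original post against host:port (port defaults
# to 636, the LDAPS port the Samba DC listens on) and classify it.
probe_sslv3() {
    host="$1"; port="${2:-636}"
    # "echo |" closes the client's stdin so s_client exits after the handshake;
    # stderr is captured too because error alerts are printed there
    out=$(echo | openssl s_client -connect "$host:$port" -ssl3 2>&1)
    classify_sslv3 "$out"
}

# usage: ./probe.sh samba4-dc 636   (host name is an assumption)
if [ $# -gt 0 ]; then
    probe_sslv3 "$@"
fi
```

A result of "rejected" after the change, where it was "accepted" before, is the evidence that SSLv3 is actually off on the wire, independent of what smb.conf says.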