[Samba] Samba 4 - disabling SSLv3 to mitigate POODLE effects
Harry Jede
walk2sun at arcor.de
Sat Nov 15 05:55:05 MST 2014
On 13:46:29, Andrew Bartlett wrote:
> On Tue, 2014-11-04 at 11:07 +0000, Chris Alavoine wrote:
> > Hi all,
> >
> > Am trying to find a way to disable SSLv3 protocol in smb.conf on
> > Samba4.
> >
> > I am using the following:
> > tls enabled = yes
> > tls keyfile = tls/myKey.pem
> > tls certfile = tls/myCert.pem
> > tls cafile =
> >
> > With a self-signed cert.
> >
> > But when I remote connect from another host using:
> >
> > openssl s_client -showcerts -connect samba4-dc:636 -ssl3
> >
> > I get a successful connection.
> >
> > Any ideas?
>
> It would be up to whatever GNUTLS supports.
>
> I agree we should fix it (and any clues as to how to - from the C
> code - control the SSL stuff so we can expose it in a smb.conf
> option most welcome)
I think if we can get an option like "--priority" from "gnutls-serv"
then one can set the ciphers, macs, algos, ...
and we need a "--dhparams" option.
> , but my understanding is that this attack is
> much less feasible on LDAP:
> https://ludopoitou.wordpress.com/2014/10/16/poodle-ssl-bug-and-opendj/#comment-6703
--
Regards
Harry Jede
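The check Chris describes above (connecting with `openssl s_client ... -ssl3` and seeing whether the handshake succeeds) is easy to get wrong by eye, because s_client prints a session summary even when the server refused the requested version. The script below is an added example, not code from this thread or from the Samba project: it probes an LDAPS port for each protocol version the local OpenSSL can request and decides from the captured output whether the handshake completed. The host name `samba4-dc` and port 636 come from the thread; the two embedded s_client excerpts are constructed so the parsing can be exercised offline, and the `-ssl3` flag is only present on OpenSSL builds compiled with SSLv3 support.

```shell
#!/bin/sh
# Added example, not code from the Samba thread or the Samba project.
# Probes an LDAPS endpoint for the SSL/TLS versions it will negotiate, using
# "openssl s_client" the way the original poster did, and decides from the
# captured output whether each handshake completed. Host "samba4-dc" and
# port 636 come from the thread; the sample outputs below are constructed.

# handshake_ok OUTPUT
# Returns 0 when the s_client output shows a completed handshake, 1 when the
# server refused the requested protocol version. A refused handshake prints
# "Cipher is (NONE)" and "Cipher    : 0000" in the session summary; a
# completed one names the negotiated cipher suite instead.
handshake_ok() {
    if printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'; then
        return 1
    fi
    if printf '%s\n' "$1" | grep -Eq '^ *Cipher *: *0000'; then
        return 1
    fi
    printf '%s\n' "$1" | grep -Eq '^ *Cipher *: *[A-Za-z0-9]'
}

# negotiated_protocol OUTPUT
# Prints the "Protocol  :" value from the session summary (e.g. "SSLv3").
negotiated_protocol() {
    printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1
}

# probe HOST PORT FLAG
# FLAG is one of the s_client version flags (-ssl3, -tls1, -tls1_1, -tls1_2).
# -ssl3 only exists when the local OpenSSL was built with SSLv3 support.
probe() {
    host=$1; port=$2; flag=$3
    out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1)
    if handshake_ok "$out"; then
        echo "$flag accepted (server spoke $(negotiated_protocol "$out"))"
    else
        echo "$flag refused"
    fi
}

# Constructed excerpts of s_client output, for checking the parser offline.
# SAMPLE_ACCEPTED mirrors what the original poster saw: SSLv3 negotiated
# against a self-signed certificate.
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 18 (self signed certificate)'

# SAMPLE_REFUSED is what a server that no longer offers SSLv3 produces.
SAMPLE_REFUSED='CONNECTED(00000003)
140735157809152:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'

# Usage: sh probe-tls.sh samba4-dc 636
if [ $# -eq 2 ]; then
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        probe "$1" "$2" "$flag"
    done
fi
```

Run it against the DC before and after any server-side change; a POODLE mitigation is only complete when the `-ssl3` line reads "refused" while the TLS lines still read "accepted". On the server side, the knob Harry describes is GnuTLS's priority string: `NORMAL:-VERS-SSL3.0` keeps the default cipher suites and removes SSLv3, and is the form `gnutls-serv --priority` accepts.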