[Samba] GnuTLS for samba-4.12.x on RHEL7 / CentOS 7: encourage or discourage?

Andreas Schneider asn at samba.org
Thu Jun 18 05:58:47 UTC 2020

On Thursday, 18 June 2020 06:11:18 CEST Andrew Bartlett via samba-technical wrote:
> On Thu, 2020-06-18 at 04:46 +0100, Sérgio Basto via samba wrote:
> > On Thu, 2020-06-18 at 14:43 +1200, Andrew Bartlett via samba wrote:
> > > If we could get an even more modern version then we can consider
> > > removing even more duplicate in-house cryptography.
> > 
> > Thank you, glad to help.
> > 
> > You mean do compat-gnutls36 packages? IIRC, already when I tried to
> > build gnutls-3.5, I found that we need to update and build many more
> > package dependencies ...
> Thanks for that extra information.  I wondered what the issue was.
> Now, the big question I wanted to ask you is this:
> It is one thing to give us a really big helping hand for development,
> but I wondered how comfortable are you with being the repository for a
> security-sensitive package being used by a significant number of production
> Samba sites?
> Do you have the resources to ensure that if GnuTLS issues a security
> advisory impacting GnuTLS 3.4 that you backport the patches?  I notice
> a number of issues here:  https://www.gnutls.org/security-new.html
> Or should we instead strongly discourage the use of Samba 4.12,
> particularly as an AD DC (because the LDAP server exposes TLS, which
> seems to be a more likely target), on RHEL7 / CentOS 7?
> (We would instead suggest an upgrade to RHEL8 / CentOS 8).

You should upgrade to RHEL8 or CentOS8 which offers a modern GnuTLS library.

Especially because GnuTLS in RHEL8 will either be rebased to newer versions or 
patches required by Samba will be backported.


Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D