[Samba] TLS problems after 4.12 -> 4.14 update

L.P.H. van Belle belle at bazuin.nl
Mon Jun 7 06:47:38 UTC 2021


Since you're using/testing certificates, always use the FQDN of the server. 
Don't use: openssl s_client -showcerts -connect dc00:636 
Do use   : openssl s_client -showcerts -connect dc00.ad.lasthome.solace.krynn:636 


I also wonder, on that W10 VM, why you needed to add these SPNs.
If the PC is domain-joined, the SPNs would be in there already. 
And the only SPNs I also see added on domain-joined PCs, besides HOST, are: 
RestrictedKrbHost/host.fqdn 
TERMSRV/host.fqdn 

The request is invalid.. Failed to set default priorities 
I suggest reading this:  
https://passingcuriosity.com/2021/diffie-hellman-short-primes-disable/ 

Did you set the 'tls priority' setting in smb.conf? 
This is the smb.conf default: tls priority = NORMAL:-VERS-SSL3.0 

Here you have examples of how these are set (see also man smb.conf, search for: tls priority): 
https://gnutls.org/manual/html_node/Priority-Strings.html

And it's up to you to validate what you're using exactly. 
But most will be using or attempting to enforce TLSv1.2, since v1.1 and v1.0 are deprecated. 

And one more extra question: 
Is this OS upgraded? If yes, verify the default configs of the system, 
so that these are not still in/using outdated settings. 


Greetz, 

Louis


> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of 
> Vincent S. Cojot via samba
> Sent: Sunday, June 6, 2021 23:08
> To: sambalist
> Subject: [Samba] TLS problems after 4.12 -> 4.14 update
> 
> 
> Hi everyone,
> 
> I recently upgraded my DCs (RHEL7.9) from 4.12.z to 4.14.5 and I just 
> noticed this:
> 
> [2021/06/06 16:21:01.074696,  0] 
> ../../source4/lib/tls/tls_tstream.c:1300(_tstream_tls_accept_send)
>    _tstream_tls_accept_send: TLS 
> ../../source4/lib/tls/tls_tstream.c:1300 - 
> The request is invalid.. Failed to set default priorities
> 
> I'm now unable to do the following successfully from either 
> RHEL7, RHEL8 
> or Fedora33:
> 
> ----------------------------------------------
> # openssl s_client -showcerts -connect dc00:636
> CONNECTED(00000003)
> 139945429780368:error:140790E5:SSL routines:ssl23_write:ssl 
> handshake failure:s23_lib.c:177:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 289 bytes
> ---
> ----------------------------------------------
> 
> It seems similar to what some people have experienced on 4.13 
> (and this 
> makes sense because I mostly skipped 4.13.x and went from 
> 4.12 to 4.14)
> https://lists.samba.org/archive/samba/2020-December/233594.html
> 
> I've been using self-signed certs and a trusted intermediate 
> CA for my AD 
> DCs but I now wonder if I've run into an issue using RHEL7.9 
> for my DCs.
> 
> My certs (on the DC itself) still verify fine:
> 
> #  openssl verify -CAfile 
> /etc/pki/ca-trust/source/anchors/KrynnCA.pem \
> -untrusted /etc/pki/ca-trust/source/anchors/KrynnADCA.pem \
> /var/lib/samba/private/tls/cert.pem
> /var/lib/samba/private/tls/cert.pem: OK
> 
> But it is the connection which doesn't seem to work anymore.. 
> Does anyone 
> have any idea about what's going on? Andrew Bartlett said he wasn't 
> experiencing the issue on RHEL7 on Amazon and I wonder if I 
> could make it 
> work in place on plain RHEL here..
> 
> Any ideas, tips, workarounds? I first noticed this when 
> OpenShift started 
> being unable to auth my AD users after the update to 4.14.5 
> (for the two DCs).
> 
> Win10 endpoints don't seem to care too much and I hope it will keep 
> working but I'm a little worried.
> 
> Vincent
> 
> Vincent S. Cojot, Computer Engineering. STEP project. 
> Ecole Polytechnique de Montreal, Comite Micro-Informatique. 
> Linux Xview/OpenLook resources page 
> http://step.polymtl.ca/~coyote 
> coyote at NOSPAM4cojot.name
> 
> They cannot scare me with their empty spaces
> Between stars - on stars where no human race is
> I have it in me so much nearer home
> To scare myself with my own desert places.       - Robert Frost
> 
> 
> 
> 
> 
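As an added example (not part of this thread, and not Samba's or GnuTLS's code), here is the check behind Louis's advice: read `tls priority` from a constructed smb.conf (falling back to the quoted default) and evaluate which protocol versions a GnuTLS priority string leaves enabled, so a deployment still allowing TLSv1.0/1.1 can be spotted before a client rejects the handshake. The base-keyword sets are an assumption of a simplified model; the real ones depend on the GnuTLS release and, on RHEL, on the system crypto policy.

```python
import re

# Simplified model of GnuTLS protocol-version keywords (assumption: the real
# sets depend on the GnuTLS release and, on RHEL, on the system crypto policy).
ALL_VERSIONS = {"SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"}
TLS_VERSIONS = ALL_VERSIONS - {"SSL3.0"}
BASE = {k: TLS_VERSIONS for k in ("NORMAL", "SECURE128", "SECURE256", "PERFORMANCE")}
BASE["NONE"] = frozenset()
DEPRECATED = {"SSL3.0", "TLS1.0", "TLS1.1"}  # versions the reply says to move off
SMB_DEFAULT = "NORMAL:-VERS-SSL3.0"          # smb.conf default quoted in the reply

def tls_priority_from_smb_conf(text, default=SMB_DEFAULT):
    """Return the [global] 'tls priority' value, or Samba's default if unset."""
    section, value = None, default
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # both smb.conf comment styles
            continue
        if line.startswith("["):
            section = line.strip("[] ").lower()
            continue
        m = re.match(r"tls\s*priority\s*=\s*(.+)$", line, re.IGNORECASE)
        if m and section == "global":
            value = m.group(1).strip()
    return value

def enabled_versions(priority):
    """Evaluate which protocol versions a priority string leaves enabled."""
    tokens = priority.upper().split(":")
    if tokens[0] not in BASE:                    # "@SYSTEM" and friends are not modelled
        raise ValueError(f"unsupported base keyword {tokens[0]!r}")
    enabled = set(BASE[tokens[0]])
    for tok in tokens[1:]:
        if tok[:1] not in "+-" or not tok[1:].startswith("VERS-"):
            continue                             # cipher, MAC and %flag tokens are skipped
        name = tok[6:]
        target = {"ALL": ALL_VERSIONS, "TLS-ALL": TLS_VERSIONS}.get(name, {name} & ALL_VERSIONS)
        enabled = enabled | target if tok[0] == "+" else enabled - target
    return enabled

def audit(text):
    """Report the effective priority string and any deprecated versions still on."""
    prio = tls_priority_from_smb_conf(text)
    on = enabled_versions(prio)
    return {"priority": prio, "enabled": sorted(on), "deprecated": sorted(on & DEPRECATED)}

# Constructed smb.conf fragments: one relying on the default, one hardened.
DEFAULT_CONF = "[global]\n  realm = EXAMPLE.TEST\n  # tls priority left unset\n"
HARDENED_CONF = "[global]\n  tls priority = NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3\n"
```

Calling `audit(DEFAULT_CONF)` reports TLS1.0 and TLS1.1 as still enabled under the default, while `audit(HARDENED_CONF)` leaves only TLS1.2 and TLS1.3.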