[Samba] "weak crypto is allowed"--The thread to end all threads

Rowland Penny rpenny at samba.org
Fri May 27 19:46:42 UTC 2022


On Fri, 2022-05-27 at 12:29 -0700, Gregory Sloop via samba wrote:
> > On Fri, 2022-05-27 at 12:05 -0700, Gregory Sloop via samba wrote:
> > > So, pardon me, if this feels like thread hijack - but I get this
> > > message too, and though I'm on Ubuntu, I've vuln-tested
> > > (Greenbone) my DCs and the tests show that the DCs/servers are
> > > allowing weak crypto too.
> > Not strictly true. From my understanding, Samba falls back to weak
> > crypto because that is all that gnutls on the OS allows; you cannot
> > override this.
> > Rowland
> 
> So, then to triple clarify, there's no way/not-possible to tell
> GNUTLS not to allow that? 
> (Or are you saying that telling us how is outside the scope of the
> Samba list?) 
>  
> -Greg

As far as I am aware, the crypto that can be used is dependent on the
OS gnutls. If it can only do weak crypto, then Samba will 'fall' back
to this 'weak' crypto. There is nothing you can do to stop this, as it
all depends on gnutls; Samba cannot make gnutls use a crypto it knows
nothing about.

If I am understanding this incorrectly, then I am sure Andrew will jump
in.

There is a bit of a discussion going on here:
https://gitlab.com/samba-team/samba/-/merge_requests/2537

It seems the message is a bit misleading: it isn't that weak crypto is
being allowed, it is that Samba is falling back to weak crypto for
compatibility purposes.

Rowland
  



