[Samba] "weak crypto is allowed"--The thread to end all threads
Andrew Bartlett
abartlet at samba.org
Fri May 27 20:51:32 UTC 2022
On Fri, 2022-05-27 at 20:16 +0100, Rowland Penny via samba wrote:
> On Fri, 2022-05-27 at 12:05 -0700, Gregory Sloop via samba wrote:
> > So, pardon me, if this feels like thread hijack - but I get this
> > message too, and though I'm on Ubuntu, I've vuln-tested (Greenbone)
> > my DCs and the tests show that the DCs/servers are allowing weak
> > crypto too.
>
> Not strictly true, from my understanding, Samba falls back to weak
> crypto because that is all that gnutls on the OS allows, you cannot
> override this.

It isn't so much 'fall back' as 'allow if required/requested by the
client/server', and essentially applies to RC4 outside Kerberos (which
is what the code checks if GnuTLS will allow).

Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba