[Samba] gnutls 3.7.2 in https://copr.fedorainfracloud.org/coprs/sergiomb/SambaAD/ ?

Sérgio Basto sergio at serjux.com
Tue Oct 18 23:41:09 UTC 2022


On Mon, 2022-10-17 at 15:01 +0100, Sérgio Basto wrote:
> On Fri, 2022-10-14 at 16:45 -0700, Kris Lou via samba wrote:
> > > [2022/01/23 20:31:10.008619, 3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
> > >   ldb_wrap open of secrets.ldb
> > > [2022/01/23 20:31:10.011317, 0] ../../source4/lib/tls/tls_tstream.c:1300(_tstream_tls_accept_send)
> > >   _tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 - The request is invalid.. Failed to set default priorities
> > 
> > 
> > I just encountered this with Tranquil.IT's 4.16.5 packages on CentOS 7,
> > which also include compat-gnutls37. As previously mentioned, it seems to
> > break TLS and thus LDAPS, and probably more. This was not an issue with
> > Samba 4.15.x/compat-gnutls34.
> > 
> > After more digging [1] (among others), it appears that compat-gnutls37
> > (both from the COPR [2] and Tranquil.IT) looks for a systemwide config
> > file that doesn't exist and isn't created by the package:
> > /etc/crypto-policies/back-ends/gnutls.config.
> > 
> > Creating this file (with Johannes' defaults [1]) seems to fix this issue.
> > It'd be nice if this were deployed with the package, but considering that
> > it seems to be a "system" config, there might be unintended consequences.
> > (Perhaps using NORMAL [3]?)
> > 
> > /etc/crypto-policies/backends/gnutls.config
> > 
> > [priorities]
> > # Johannes Engel version
> > #SYSTEM = SECURE192:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
> > # Or set to NORMAL as a reasonable default?
> > SYSTEM = NORMAL
> > 
> > Hope this helps someone else with legacy systems ...
> 
> Hi,
> 
> Thank you for the report. Indeed this is a bug in the backport of gnutls 3.7
> from epel 8 to epel 7.
> I haven't had enough time to review this. I saw that I just commented out
> `#Requires: crypto-policies` from the gnutls spec,
> and maybe the fix is just to remove the line
> --with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config

More info: the build is done with
--with-system-priority-file=/etc/crypto-policies/back-ends/gnutls.config and
--with-default-priority-string="@SYSTEM"
reading
https://gnutls.org/manual/html_node/Priority-Strings.html#tab_003aprio_002dkeywords
and
https://gnutls.org/manual/html_node/System_002dwide-configuration-of-the-library.html

Also from https://github.com/gnutls/gnutls/blob/master/configure.ac we
can see that without these two options the default dir is
/etc/gnutls/config, or at run-time using the GNUTLS_SYSTEM_PRIORITY_FILE
environment variable.
The default-priority-string by default is NORMAL.

I can remove these two options but I don't know if it is a good choice;
also we can backport the crypto-policies package, which is more work and I
don't know if it is worth it.

Meanwhile I have started building gnutls 3.7.6.

I'd like to have your opinion.

Thank you

> > -Kris
> > 
> > [1] https://lists.samba.org/archive/samba/2020-December/233651.html
> > [2] https://download.copr.fedorainfracloud.org/results/sergiomb/SambaAD/epel-7-x86_64/03203991-compat-gnutls37/compat-gnutls37.spec
> > [3] https://gnutls.org/manual/html_node/Priority-Strings.html
> > 
> > Kris Lou
> > klou at themusiclink.net

-- 
Sérgio M. B.
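The failure mode discussed in this thread is a gnutls built with a default priority string of "@SYSTEM" whose system priority file does not exist, so the keyword cannot be resolved and Samba logs "Failed to set default priorities". The following diagnostic is an added example, not code from the thread, from Samba or from gnutls: it mirrors the lookup order the thread describes (GNUTLS_SYSTEM_PRIORITY_FILE environment variable, otherwise the compiled-in path), parses the `[priorities]` section of the file, and reports whether a given default priority string would resolve. The compiled-in path constant and the sample config are assumptions taken from the messages above; the helper and function names are my own.

```python
import configparser
import os
import tempfile
from typing import Dict, Optional

# Assumption: the compiled-in path from the COPR build discussed in the thread
# (--with-system-priority-file=/etc/crypto-policies/back-ends/gnutls.config).
DEFAULT_SYSTEM_PRIORITY_FILE = "/etc/crypto-policies/back-ends/gnutls.config"


def system_priority_file(env: Optional[Dict[str, str]] = None) -> str:
    """Path gnutls will consult: the env var override wins over the built-in path."""
    env = os.environ if env is None else env
    return env.get("GNUTLS_SYSTEM_PRIORITY_FILE", DEFAULT_SYSTEM_PRIORITY_FILE)


def load_priority_keywords(path: str) -> Dict[str, str]:
    """Parse the ini-style [priorities] section; an absent file yields no keywords."""
    if not os.path.isfile(path):
        return {}
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so "SYSTEM" stays "SYSTEM"
    cp.read(path)
    if not cp.has_section("priorities"):
        return {}
    return dict(cp.items("priorities"))


def resolve_default_priority(default_string: str, keywords: Dict[str, str]) -> Optional[str]:
    """Return the effective priority string, or None when an @KEYWORD is undefined.

    None is exactly the situation behind 'Failed to set default priorities':
    the library was told to use @SYSTEM but no file defines SYSTEM.
    """
    if default_string.startswith("@"):
        return keywords.get(default_string[1:])
    return default_string  # a literal string such as NORMAL needs no file


def demo() -> Dict[str, object]:
    """Exercise the resolver against a constructed config (not a real host's file)."""
    # Constructed sample, modelled on the file suggested in the thread.
    sample = (
        "[priorities]\n"
        "# Johannes Engel version\n"
        "#SYSTEM = SECURE192:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3\n"
        "SYSTEM = NORMAL\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        present_path = os.path.join(tmp, "gnutls.config")
        with open(present_path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        absent_path = os.path.join(tmp, "does-not-exist.config")
        return {
            # file present and SYSTEM defined: @SYSTEM resolves to NORMAL
            "present": resolve_default_priority("@SYSTEM", load_priority_keywords(present_path)),
            # file missing: @SYSTEM cannot be resolved (the bug in the thread)
            "missing": resolve_default_priority("@SYSTEM", load_priority_keywords(absent_path)),
            # a literal default such as NORMAL never depends on the file
            "literal": resolve_default_priority("NORMAL", {}),
            # the env var overrides the compiled-in path
            "env_override": system_priority_file({"GNUTLS_SYSTEM_PRIORITY_FILE": present_path}) == present_path,
            "builtin_path": system_priority_file({}),
        }


if __name__ == "__main__":
    # Check the running host: which file gnutls would read and whether @SYSTEM resolves.
    path = system_priority_file()
    effective = resolve_default_priority("@SYSTEM", load_priority_keywords(path))
    print(f"system priority file: {path}")
    print("@SYSTEM resolves to:", effective if effective else "UNDEFINED (TLS setup will fail)")
```

Run it on an affected host to see at a glance whether the compiled-in file is missing; pointing GNUTLS_SYSTEM_PRIORITY_FILE at a file that defines SYSTEM is the run-time workaround, creating the file at the compiled-in path or rebuilding without the two configure options are the packaging fixes the thread weighs.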


