Chris Alavoine
2014-Nov-04 11:07 UTC
[Samba] Samba 4 - disabling SSLv3 to mitigate POODLE effects
Hi all,

Am trying to find a way to disable SSLv3 protocol in smb.conf on Samba4.

I am using the following:

tls enabled = yes
tls keyfile = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile

With a self-signed cert.

But when I remote connect from another host using:

openssl s_client -showcerts -connect samba4-dc:636 -ssl3

I get a successful connection.

Any ideas?

Thanks,
Chris.

--
ACS (Alavoine Computer Services Ltd)
Chris Alavoine
mob +44 (0)7724 710 730
www.alavoinecs.co.uk
http://twitter.com/#!/alavoinecs
http://www.linkedin.com/pub/chris-alavoine/39/606/192
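The s_client probe in the post above can be turned into a repeatable check. What follows is an added example, not code from this thread or from the Samba project. One point to keep in mind when reading its results: to s_client, `-ssl3` restricts the client to SSLv3 only (it is `-no_ssl3` that disables it), so a handshake that completes with `-ssl3` means the server really does accept SSLv3, which is the condition POODLE needs. The host and port are placeholders taken from the post, and the sample outputs at the bottom are constructed so the classifier can be exercised without a live DC.

```sh
#!/bin/sh
# Added example, not code from the thread or from the Samba project.
# Probes an LDAPS listener with `openssl s_client`, forcing one protocol
# version per run, and reports which versions the server completes a
# handshake for. Host and port are placeholders (samba4-dc, 636).
#
# Assumption: the local OpenSSL build still accepts the version flag being
# tried. Default builds from OpenSSL 1.1.0 onward carry no SSLv3 code, so
# "-ssl3" is reported as an unknown option there and only -tls1* can be tried.

# Classify captured s_client output.
#   return 0  handshake completed (a cipher was negotiated)
#   return 1  server refused this version (alert or close, no cipher)
#   return 2  the local openssl does not know this version flag
classify_s_client_output() {
    out="$1"
    case "$out" in
        *"unknown option"*|*"Unknown option"*) return 2 ;;
        *"Cipher is (NONE)"*)                  return 1 ;;
        *"handshake failure"*)                 return 1 ;;
        *"Cipher is "*)                        return 0 ;;
        *)                                     return 1 ;;
    esac
}

# One probe: probe_version HOST PORT FLAG  (e.g. probe_version samba4-dc 636 -ssl3)
# </dev/null closes stdin so s_client exits right after the handshake.
probe_version() {
    out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1)
    classify_s_client_output "$out"
}

# Try every version a 2014-era s_client can force and print one line each.
scan_host() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        rc=0
        probe_version "$1" "$2" "$flag" || rc=$?
        case "$rc" in
            0) printf '%s:%s %-8s ACCEPTED\n' "$1" "$2" "$flag" ;;
            2) printf '%s:%s %-8s not testable: local openssl lacks this version\n' "$1" "$2" "$flag" ;;
            *) printf '%s:%s %-8s rejected\n' "$1" "$2" "$flag" ;;
        esac
    done
}

# Constructed sample outputs (trimmed to the shape s_client prints; not
# captured from a real DC) so the classifier can be checked offline.
SAMPLE_ACCEPTED='SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
New, SSLv3, Cipher is AES256-SHA'

SAMPLE_REJECTED='error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)'

# Usage against a live DC (network access required):
#   scan_host samba4-dc 636
```

A line reading `ACCEPTED` next to `-ssl3` is the result to act on; `rejected` for `-ssl3` with `ACCEPTED` for the TLS flags is the state you want after the fix. On a current OpenSSL the `-ssl3` row will come back as "not testable", and an older OpenSSL 1.0.x build (or a scanner such as nmap's ssl-enum-ciphers script) is needed to exercise SSLv3 at all.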
Rowland Penny
2014-Nov-04 11:24 UTC
[Samba] Samba 4 - disabling SSLv3 to mitigate POODLE effects
On 04/11/14 11:07, Chris Alavoine wrote:
> Hi all,
>
> Am trying to find a way to disable SSLv3 protocol in smb.conf on Samba4.
>
> I am using the following:
>
> tls enabled = yes
> tls keyfile = tls/myKey.pem
> tls certfile = tls/myCert.pem
> tls cafile
>
> With a self-signed cert.
>
> But when I remote connect from another host using:
>
> openssl s_client -showcerts -connect samba4-dc:636 -ssl3
>
> I get a successful connection.
>
> Any ideas?
>
> Thanks,
> Chris.

Hi, by my reading of 'man s_client', you have turned **off** ssl v3:

-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2
    these options disable the use of certain SSL or TLS protocols. By
    default the initial handshake uses a method which should be
    compatible with all servers and permit them to use SSL v3, SSL v2
    or TLS as appropriate.

Rowland
Andrew Bartlett
2014-Nov-15 07:50 UTC
[Samba] Samba 4 - disabling SSLv3 to mitigate POODLE effects
On Tue, 2014-11-04 at 11:07 +0000, Chris Alavoine wrote:
> Hi all,
>
> Am trying to find a way to disable SSLv3 protocol in smb.conf on Samba4.
>
> I am using the following:
>
> tls enabled = yes
> tls keyfile = tls/myKey.pem
> tls certfile = tls/myCert.pem
> tls cafile
>
> With a self-signed cert.
>
> But when I remote connect from another host using:
>
> openssl s_client -showcerts -connect samba4-dc:636 -ssl3
>
> I get a successful connection.
>
> Any ideas?

It would be up to whatever GNUTLS supports. I agree we should fix it (and any clues as to how to - from the C code - control the SSL stuff so we can expose it in a smb.conf option most welcome), but my understanding is that this attack is much less feasible on LDAP:

https://ludopoitou.wordpress.com/2014/10/16/poodle-ssl-bug-and-opendj/#comment-6703

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team    http://samba.org
Samba Developer, Catalyst IT            http://catalyst.net.nz/services/samba
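The smb.conf option Andrew says the project still needed did arrive in a later release: `tls priority` (documented in smb.conf(5) from Samba 4.3 onward) takes a GnuTLS priority string, and its built-in default already removes SSLv3. The fragment below is an added example for readers on a release that has the option, not text from this thread or from the Samba documentation; the certificate paths are placeholders carried over from the original post, and the `tls cafile` value is assumed.

```ini
[global]
    # TLS settings as posted in the thread (paths are placeholders)
    tls enabled  = yes
    tls keyfile  = tls/myKey.pem
    tls certfile = tls/myCert.pem
    tls cafile   = tls/ca.pem

    # GnuTLS priority string for the LDAPS listener (Samba 4.3 and later).
    # NORMAL is the GnuTLS default set; -VERS-SSL3.0 removes SSLv3 from it.
    # This is also the built-in default, spelled out here so it is visible
    # in the config and survives a change of the built-in default.
    tls priority = NORMAL:-VERS-SSL3.0
```

To also refuse TLS 1.0 and 1.1, append `:-VERS-TLS1.0:-VERS-TLS1.1` to the string. After a restart, `testparm -sv | grep 'tls priority'` shows the value the server actually loaded, and re-running the s_client probe from the first post with `-ssl3` should then end in a handshake failure rather than a negotiated cipher. On a release older than 4.3 the option is unknown and testparm will flag it, which matches the situation Andrew describes.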