samba - Jul 2015 - Samba 4 - disabling SSLv3 to mitigate POODLE effects

Good Day All

Sorry if this is a repeated email, but I need some information about how to
disable SSL on a Samba4.2.2 AD domain controller as the nessus scanner is
reporting the POODLE vulnerability and we are not allowed to have any of
that in our environment.

the nessus scan reports poodle vulnerability on all these ports:

443, 636, 3269

I had a look at previous posts but couldn't find a definitive answer

any help is highly appreciated.

Thank you
___________________________________________________________________________________________

Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4

(Embedded image moved to file: pic14574.gif)

I have file a bug and modified the source code to make samba4 do not use
SSLV3, but I am not able to make a patch to this.
https://bugzilla.samba.org/show_bug.cgi?id=11076

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Mario Pio Russo
Sent: Wednesday, July 08, 2015 4:48 PM
To: samba at lists.samba.org
Subject: [Samba] Samba 4 - disabling SSLv3 to mitigate POODLE effects


Good Day All

Sorry if this is a repeated email, but I need some information about how to
disable SSL on a Samba4.2.2 AD domain controller as the nessus scanner is
reporting the POODLE vulnerability and we are not allowed to have any of
that in our environment.

the nessus scan reports poodle vulnerability on all these ports:

443, 636, 3269

I had a look at previous posts but couldn't find a definitive answer

any help is highly appreciated.

Thank you
____________________________________________________________________________
_______________

Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com IBM Ireland Product Distribution
Limited registered in Ireland with number 92815. Registered Office: IBM
House, Shelbourne Road, Ballsbridge, Dublin 4

(Embedded image moved to file: pic14574.gif)

Thanks Kelvin

I'm a bit confised tho, is this patch already avaiable? if yes, what is the
parameter that disable ssl into the smb.conf? Maybe the guys from
Enterprise samba have already included the patch into their releases so
it's just a maatter of enabling the flag.

I'm using sernet-samba-4.2.2

Thanks!
___________________________________________________________________________________________

Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4

(Embedded image moved to file: pic57151.gif)



From:	"Kelvin Yip" <kelvin at icshk.com>
To:	<samba at lists.samba.org>
Date:	08/07/2015 10:12
Subject:	Re: [Samba] Samba 4 - disabling SSLv3 to mitigate POODLE
            effects
Sent by:	samba-bounces at lists.samba.org



I have file a bug and modified the source code to make samba4 do not use
SSLV3, but I am not able to make a patch to this.
https://bugzilla.samba.org/show_bug.cgi?id=11076

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Mario Pio Russo
Sent: Wednesday, July 08, 2015 4:48 PM
To: samba at lists.samba.org
Subject: [Samba] Samba 4 - disabling SSLv3 to mitigate POODLE effects


Good Day All

Sorry if this is a repeated email, but I need some information about how to
disable SSL on a Samba4.2.2 AD domain controller as the nessus scanner is
reporting the POODLE vulnerability and we are not allowed to have any of
that in our environment.

the nessus scan reports poodle vulnerability on all these ports:

443, 636, 3269

I had a look at previous posts but couldn't find a definitive answer

any help is highly appreciated.

Thank you
____________________________________________________________________________

_______________

Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com IBM Ireland Product Distribution
Limited registered in Ireland with number 92815. Registered Office: IBM
House, Shelbourne Road, Ballsbridge, Dublin 4

(Embedded image moved to file: pic14574.gif)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba