Andrew Bartlett
2020-Jun-18 04:11 UTC
[Samba] GnuTLS for samba-4.12.x on RHEL7 / CentOS 7: encourage or discourage?
On Thu, 2020-06-18 at 04:46 +0100, Sérgio Basto via samba wrote:
> On Thu, 2020-06-18 at 14:43 +1200, Andrew Bartlett via samba wrote:
> > If we could get an even more modern version then we can consider
> > removing even more duplicate in-house cryptography.
>
> Thank you, glad to help.
>
> You mean do compat-gnutls36 packages? IIRC, already when I tried to
> build gnutls-3.5, I found that we need to update and build many more
> package dependencies ...

Thanks for that extra information. I wondered what the issue was.

Now, the big question I wanted to ask you is this:

It is one thing to give us a really big helping hand for development, but I wondered how comfortable you are with being the repository for a security-sensitive package used by a significant number of production Samba sites?

Do you have the resources to ensure that, if GnuTLS issues a security advisory impacting GnuTLS 3.4, you backport the patches? I notice a number of issues here: https://www.gnutls.org/security-new.html

Or should we instead strongly discourage the use of Samba 4.12, particularly as an AD DC (because the LDAP server exposes TLS, which seems to be a more likely target), on RHEL7 / CentOS 7?

(We would instead suggest an upgrade to RHEL8 / CentOS 8.)

Thanks!

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
Andreas Schneider
2020-Jun-18 05:58 UTC
[Samba] GnuTLS for samba-4.12.x on RHEL7 / CentOS 7: encourage or discourage?
On Thursday, 18 June 2020 06:11:18 CEST Andrew Bartlett via samba-technical wrote:
> On Thu, 2020-06-18 at 04:46 +0100, Sérgio Basto via samba wrote:
> > On Thu, 2020-06-18 at 14:43 +1200, Andrew Bartlett via samba wrote:
> > > If we could get an even more modern version then we can consider
> > > removing even more duplicate in-house cryptography.
> >
> > Thank you, glad to help.
> >
> > You mean do compat-gnutls36 packages? IIRC, already when I tried to
> > build gnutls-3.5, I found that we need to update and build many more
> > package dependencies ...
>
> Thanks for that extra information. I wondered what the issue was.
>
> Now, the big question I wanted to ask you is this:
>
> It is one thing to give us a really big helping hand for development,
> but I wondered how comfortable you are with being the repository for a
> security-sensitive package used by a significant number of production
> Samba sites?
>
> Do you have the resources to ensure that, if GnuTLS issues a security
> advisory impacting GnuTLS 3.4, you backport the patches? I notice
> a number of issues here: https://www.gnutls.org/security-new.html
>
> Or should we instead strongly discourage the use of Samba 4.12,
> particularly as an AD DC (because the LDAP server exposes TLS, which
> seems to be a more likely target), on RHEL7 / CentOS 7?
>
> (We would instead suggest an upgrade to RHEL8 / CentOS 8.)

You should upgrade to RHEL8 or CentOS8, which offers a modern GnuTLS library.

Especially because GnuTLS in RHEL8 will either be rebased to newer versions or the patches required by Samba will be backported.

Andreas

--
Andreas Schneider asn at samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
Rommel Rodriguez Toirac
2020-Jun-18 11:19 UTC
[Samba] GnuTLS for samba-4.12.x on RHEL7 / CentOS 7: encourage or discourage?
On 18 June 2020 1:58:47 GMT-04:00, Andreas Schneider via samba <samba at lists.samba.org> wrote:
>On Thursday, 18 June 2020 06:11:18 CEST Andrew Bartlett via samba-technical wrote:
>> On Thu, 2020-06-18 at 04:46 +0100, Sérgio Basto via samba wrote:
>> > On Thu, 2020-06-18 at 14:43 +1200, Andrew Bartlett via samba wrote:
>> > > If we could get an even more modern version then we can consider
>> > > removing even more duplicate in-house cryptography.
>> >
>> > Thank you, glad to help.
>> >
>> > You mean do compat-gnutls36 packages? IIRC, already when I tried to
>> > build gnutls-3.5, I found that we need to update and build many more
>> > package dependencies ...
>>
>> Thanks for that extra information. I wondered what the issue was.
>>
>> Now, the big question I wanted to ask you is this:
>>
>> It is one thing to give us a really big helping hand for development,
>> but I wondered how comfortable you are with being the repository for a
>> security-sensitive package used by a significant number of production
>> Samba sites?
>>
>> Do you have the resources to ensure that, if GnuTLS issues a security
>> advisory impacting GnuTLS 3.4, you backport the patches? I notice
>> a number of issues here: https://www.gnutls.org/security-new.html
>>
>> Or should we instead strongly discourage the use of Samba 4.12,
>> particularly as an AD DC (because the LDAP server exposes TLS, which
>> seems to be a more likely target), on RHEL7 / CentOS 7?
>>
>> (We would instead suggest an upgrade to RHEL8 / CentOS 8.)
>
>You should upgrade to RHEL8 or CentOS8, which offers a modern GnuTLS library.
>
>Especially because GnuTLS in RHEL8 will either be rebased to newer versions or
>the patches required by Samba will be backported.
>
>
> Andreas

Thanks to all for writing me back (Sergio, Andrew, Andreas). Your suggestion, CentOS 8, it will be. This means that all samba4 installed on CentOS 7 ends with samba-4.11.x? :-(

--
Rommel Rodriguez Toirac rommelrt at nauta.cu