Gregory Sloop
2022-May-27 19:05 UTC
[Samba] "weak crypto is allowed"--The thread to end all threads
So, pardon me, if this feels like thread hijack - but I get this message too, and though I'm on Ubuntu, I've vuln-tested (Greenbone) my DC's and the tests show that the DC's/servers are allowing weak crypto too.

So, perhaps it would be useful for all of us, if someone would highlight the params for Samba that deal with crypto, and how (best-practices) they should be configured.

I keep intending to address my DC's, but life happens - and so this thread caught my attention.

John, if you want me to start a different thread, I'm glad to do so, but perhaps this would help us address both our concerns. :)

-Greg

> On Fri, 2022-05-27 at 16:48 +0100, John Ericsson via samba wrote:
>> So people have been asking about this message for several years.
>> It appears when I run "testparm".
>> Some say it's a bug (it is not)
> There is a bug report for it:
> https://bugzilla.samba.org/show_bug.cgi?id=14583
>> Some say it's not samba related but refers to the OS.
> Yes, gnutls
>> what I have not found is anyone saying "add this setting to smb.conf"
>> and the message will go.
> As far as I know, there isn't anything you can add.
>> I am running vanilla rhel8 with crypto policies set to "future"
> But do they allow falling back to weaker crypto? Which is what the
> message means.
> Rowland
Rowland Penny
2022-May-27 19:16 UTC
[Samba] "weak crypto is allowed"--The thread to end all threads
On Fri, 2022-05-27 at 12:05 -0700, Gregory Sloop via samba wrote:
> So, pardon me, if this feels like thread hijack - but I get this
> message too, and though I'm on Ubuntu, I've vuln-tested (Greenbone)
> my DC's and the tests show that the DC's/servers are allowing weak
> crypto too.

Not strictly true, from my understanding, Samba falls back to weak crypto because that is all that gnutls on the OS allows, you cannot override this.

Rowland