Rowland Penny
2022-May-27 19:16 UTC
[Samba] "weak crypto is allowed"--The thread to end all threads
On Fri, 2022-05-27 at 12:05 -0700, Gregory Sloop via samba wrote:
> So, pardon me, if this feels like thread hijack - but I get this
> message too, and though I'm on Ubuntu, I've vuln-tested (Greenbone)
> my DC's and the tests show that the DC's/servers are allowing weak
> crypto too.

Not strictly true, from my understanding, Samba falls back to weak
crypto because that is all that gnutls on the OS allows, you cannot
override this.

Rowland
Gregory Sloop
2022-May-27 19:29 UTC
[Samba] "weak crypto is allowed"--The thread to end all threads
> On Fri, 2022-05-27 at 12:05 -0700, Gregory Sloop via samba wrote:
>> So, pardon me, if this feels like thread hijack - but I get this
>> message too, and though I'm on Ubuntu, I've vuln-tested (Greenbone)
>> my DC's and the tests show that the DC's/servers are allowing weak
>> crypto too.
> Not strictly true, from my understanding, Samba falls back to weak
> crypto because that is all that gnutls on the OS allows, you cannot
> override this.
> Rowland

So, then to triple clarify, there's no way/not-possible to tell GNUTLS not to allow that?? (Or are you saying that telling us how is outside the scope of the Samba list?)

-Greg
Andrew Bartlett
2022-May-27 20:51 UTC
[Samba] "weak crypto is allowed"--The thread to end all threads
On Fri, 2022-05-27 at 20:16 +0100, Rowland Penny via samba wrote:
> On Fri, 2022-05-27 at 12:05 -0700, Gregory Sloop via samba wrote:
> > So, pardon me, if this feels like thread hijack - but I get this
> > message too, and though I'm on Ubuntu, I've vuln-tested (Greenbone)
> > my DC's and the tests show that the DC's/servers are allowing weak
> > crypto too.
>
> Not strictly true, from my understanding, Samba falls back to weak
> crypto because that is all that gnutls on the OS allows, you cannot
> override this.

It isn't so much 'fall back' as 'allow if required/requested by the
client/server', and essentially applies to RC4 outside Kerberos (which
is what the code checks if GnuTLS will allow).

Andrew Bartlett

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba
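Andrew's point is that the "weak crypto is allowed" notice reflects what the host's GnuTLS will permit for RC4, so the condition can be checked on the DC itself without going through a vulnerability scanner. The script below is an added example for this thread, not code from the Samba project or from anyone in the discussion. It uses ctypes to load the system libgnutls and asks it to initialise an ARCFOUR-128 cipher handle, which is the kind of probe Andrew describes; the library file names it tries and the function names `load_gnutls`, `probe_rc4` and `weak_crypto_status` are this example's own assumptions.

```python
"""Probe whether the host's GnuTLS will hand out an RC4 (ARCFOUR-128) cipher handle.

Added example for this thread; not code from the Samba project. It calls
libgnutls directly through ctypes, so it runs without Samba installed.
The library file names and function names below are this example's own.
"""
import ctypes
import ctypes.util


class GnutlsDatum(ctypes.Structure):
    """Mirror of gnutls_datum_t: { unsigned char *data; unsigned int size; }"""
    _fields_ = [("data", ctypes.POINTER(ctypes.c_ubyte)),
                ("size", ctypes.c_uint)]


def load_gnutls():
    """Return a ctypes handle to libgnutls, or None when no library can be loaded."""
    candidates = [ctypes.util.find_library("gnutls"),  # e.g. "libgnutls.so.30" on Linux
                  "libgnutls.so.30", "libgnutls.so", "libgnutls.dylib"]  # assumed fallbacks
    for name in candidates:
        if not name:
            continue
        try:
            return ctypes.CDLL(name)
        except OSError:
            continue
    return None


def probe_rc4(lib):
    """Try gnutls_cipher_init() with ARCFOUR-128 and report (allowed, detail).

    RC4 counts as 'allowed' exactly when GnuTLS is willing to initialise the
    cipher, and 'disallowed' when the build lacks it or the library refuses it
    (for example when the library runs in FIPS mode).
    """
    lib.gnutls_cipher_get_id.restype = ctypes.c_int
    lib.gnutls_cipher_get_id.argtypes = [ctypes.c_char_p]
    lib.gnutls_cipher_init.restype = ctypes.c_int
    lib.gnutls_cipher_init.argtypes = [ctypes.POINTER(ctypes.c_void_p), ctypes.c_int,
                                       ctypes.POINTER(GnutlsDatum),
                                       ctypes.POINTER(GnutlsDatum)]
    lib.gnutls_cipher_deinit.restype = None
    lib.gnutls_cipher_deinit.argtypes = [ctypes.c_void_p]
    lib.gnutls_strerror.restype = ctypes.c_char_p
    lib.gnutls_strerror.argtypes = [ctypes.c_int]

    alg = lib.gnutls_cipher_get_id(b"ARCFOUR-128")
    if alg == 0:  # GNUTLS_CIPHER_UNKNOWN: RC4 is not compiled into this GnuTLS at all
        return False, "ARCFOUR-128 is unknown to this GnuTLS build"

    # Constructed throwaway 128-bit key; its value is irrelevant to the probe.
    key_buf = (ctypes.c_ubyte * 16)(*range(16))
    key = GnutlsDatum(ctypes.cast(key_buf, ctypes.POINTER(ctypes.c_ubyte)), 16)
    handle = ctypes.c_void_p()
    rc = lib.gnutls_cipher_init(ctypes.byref(handle), alg, ctypes.byref(key), None)
    if rc == 0:
        lib.gnutls_cipher_deinit(handle)
        return True, "gnutls_cipher_init(ARCFOUR-128) succeeded"
    return False, (lib.gnutls_strerror(rc) or b"").decode(errors="replace")


def weak_crypto_status():
    """One of 'allowed', 'disallowed' or 'unavailable' (no usable libgnutls here)."""
    lib = load_gnutls()
    if lib is None:
        return "unavailable"
    try:
        allowed, _ = probe_rc4(lib)
    except AttributeError:  # a library without the expected exported symbols
        return "unavailable"
    return "allowed" if allowed else "disallowed"


if __name__ == "__main__":
    lib = load_gnutls()
    if lib is None:
        print("unavailable: could not load libgnutls")
    else:
        lib.gnutls_check_version.restype = ctypes.c_char_p
        lib.gnutls_check_version.argtypes = [ctypes.c_char_p]
        version = lib.gnutls_check_version(None).decode()
        allowed, detail = probe_rc4(lib)
        print(f"GnuTLS {version}: RC4 {'allowed' if allowed else 'disallowed'} ({detail})")
```

Run it with `python3` on the DC: a result of "allowed" means the host's GnuTLS will hand Samba an RC4 cipher, which is the situation the "weak crypto is allowed" notice reports, and "disallowed" means the library itself refuses RC4. Because the probe goes through the library's own cipher API rather than a TLS priority string, it reflects what non-Kerberos RC4 users of GnuTLS on that host actually get.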