Gregory Sloop
2022-May-27 19:29 UTC
[Samba] "weak crypto is allowed"--The thread to end all threads
> On Fri, 2022-05-27 at 12:05 -0700, Gregory Sloop via samba wrote:
>> So, pardon me, if this feels like thread hijack - but I get this
>> message too, and though I'm on Ubuntu, I've vuln-tested (Greenbone)
>> my DC's and the tests show that the DC's/servers are allowing weak
>> crypto too.
> Not strictly true, from my understanding, Samba falls back to weak
> crypto because that is all that gnutls on the OS allows, you cannot
> override this.
> Rowland

So, then to triple clarify, there's no way/not-possible to tell GNUTLS not to allow that?
(Or are you saying that telling us how is outside the scope of the Samba list?)

-Greg
Rowland Penny
2022-May-27 19:46 UTC
[Samba] "weak crypto is allowed"--The thread to end all threads
On Fri, 2022-05-27 at 12:29 -0700, Gregory Sloop via samba wrote:
> > On Fri, 2022-05-27 at 12:05 -0700, Gregory Sloop via samba wrote:
> > > So, pardon me, if this feels like thread hijack - but I get this
> > > message too, and though I'm on Ubuntu, I've vuln-tested (Greenbone)
> > > my DC's and the tests show that the DC's/servers are allowing weak
> > > crypto too.
> > Not strictly true, from my understanding, Samba falls back to weak
> > crypto because that is all that gnutls on the OS allows, you cannot
> > override this.
> > Rowland
>
> So, then to triple clarify, there's no way/not-possible to tell
> GNUTLS not to allow that?
> (Or are you saying that telling us how is outside the scope of the
> Samba list?)
>
> -Greg

As far as I am aware, the crypto that can be used, is dependent on the OS gnutls. If it can only do weak crypto, then Samba will 'fall' back to this 'weak' crypto. There is nothing you can do to stop this, as it all depends on gnutls, Samba cannot make gnutls use a crypto it knows nothing about.

If I am understanding this incorrectly, then I am sure Andrew will jump in.

There is a bit of a discussion going on here:

https://gitlab.com/samba-team/samba/-/merge_requests/2537

It seems the message is a bit misleading, it isn't that weak crypto is being allowed, it is that Samba is falling back to weak crypto for compatibility purposes.

Rowland