The Nessus security scanner reported that samba 4.2rc4 is affected by the POODLE attack (CVE-2014-3566). I suggest adding a parameter to smb.conf to specify ciphers, like the EXIM mail server does. For the configuration of exim, they use parameters like:
tls_require_ciphers = SECURE128:-VERS-SSL3.0
The link below seems to be a reference for the code to control GnuTLS 3.0:
http://gnutls.org/manual/html_node/Priority-Strings.html
Would you please consider fixing this issue?
Patches are welcome, as I said at https://lists.samba.org/archive/samba/2014-November/186849.html Also, as I said there, all the information I have is that this attack is infeasible against LDAP, and additionally, there is no need for an attacker to actively intercept and manipulate the SSL negotiation if they can just present their own self-signed certificate, given so few LDAP clients, including our own, actually check it. Finally, SSLv3 downgrade is only possible in web browsers: http://nmav.gnutls.org/2014/10/what-about-poodle.html and the POODLE attack is infeasible against LDAP https://ludopoitou.wordpress.com/2014/10/16/poodle-ssl-bug-and-opendj/#comment-6703
(In reply to Andrew Bartlett from comment #1)
Andrew,
I understand your point of view. My problem is that the auditor is complaining about this issue, and I want to fix it. I am new to development on the Linux platform, and will study how to make a patch.
Referring to the document (http://linux.die.net/man/3/gnutls_set_default_priority), gnutls_set_default_priority is the same as:
gnutls_priority_set_direct (session, "NORMAL", NULL);
So, I will try to change the source code in ./source4/lib/tls/tls.c and ./source4/lib/tls/tls_tstream.c from
TLSCHECK(gnutls_set_default_priority(tls->session));
to
TLSCHECK(gnutls_priority_set_direct(tls->session, "NORMAL:-VERS-SSL3.0", NULL));
I will try to compile it to see if it can work normally.
Thanks,
Kelvin Yip
(In reply to Kelvin Yip from comment #2)
I have made the following changes; the POODLE finding from Nessus is gone and the samba server seems to be working normally.
vi ./source4/lib/tls/tls.c
Change from
TLSCHECK(gnutls_set_default_priority(tls->session));
to
TLSCHECK(gnutls_priority_set_direct(tls->session, "NORMAL:-VERS-SSL3.0", NULL));
vi ./source4/lib/tls/tls_tstream.c
Change from
ret = gnutls_set_default_priority(tlss->tls_session);
to
ret = gnutls_priority_set_direct(tlss->tls_session, "NORMAL:-VERS-SSL3.0", NULL);
I will try to make the parameters read from smb.conf and submit the patch. Can somebody give me some guidelines for making a patch?
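The fix above works by replacing the default priority with a GnuTLS priority string that drops SSLv3. As an added example (not code from this bug thread or from Samba), here is a small checker that applies the VERS-* modifiers of such a string and reports which protocol versions remain enabled, so a value destined for smb.conf can be validated before deployment. The set of versions that the NORMAL keyword enables is an assumption modelled on GnuTLS 3.0-era defaults; the real set depends on the installed GnuTLS version, and gnutls_priority_init() remains the authoritative parser.

```python
# Added example: model the protocol-version effect of a GnuTLS priority string.
# This is not Samba code and not GnuTLS's parser; it only tracks VERS-* modifiers.

BASE_KEYWORDS = {"NORMAL", "SECURE128", "SECURE256", "PERFORMANCE", "PFS"}
# Assumption (constructed for this example): versions the base keywords enable
# in a GnuTLS 3.0-era build. Check your GnuTLS version's documentation.
ASSUMED_BASE_VERSIONS = frozenset({"TLS1.2", "TLS1.1", "TLS1.0", "SSL3.0"})
KNOWN_VERSIONS = ASSUMED_BASE_VERSIONS


def enabled_versions(priority, base_versions=ASSUMED_BASE_VERSIONS):
    """Return the protocol versions a priority string leaves enabled.

    Handles a base keyword plus the VERS-* modifiers: '+VERS-X' enables X,
    '-VERS-X' or '!VERS-X' disables X, and 'VERS-ALL' stands for every
    known version. Cipher, MAC and key-exchange modifiers do not affect
    versions and are skipped.
    """
    enabled = set()
    for token in priority.split(":"):
        token = token.strip()
        if token in BASE_KEYWORDS:
            enabled |= set(base_versions)
        elif token[:1] in "+-!" and token[1:].startswith("VERS-"):
            name = token[len("+VERS-"):]
            targets = set(KNOWN_VERSIONS) if name == "ALL" else {name}
            if token[0] == "+":
                enabled |= targets
            else:
                enabled -= targets
        # any other token (e.g. "-CIPHER-ALL") is not a version modifier
    return enabled


def ssl3_disabled(priority):
    """True when the string does not leave SSLv3 enabled (the POODLE fix)."""
    return "SSL3.0" not in enabled_versions(priority)


if __name__ == "__main__":
    for p in ("NORMAL", "NORMAL:-VERS-SSL3.0", "SECURE128:-VERS-SSL3.0",
              "NORMAL:-VERS-ALL:+VERS-TLS1.2"):
        print(f"{p:32} -> {sorted(enabled_versions(p))}  SSLv3 off: {ssl3_disabled(p)}")
```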
Addition of a parameter is done by adding the documentation (yes really!) as xml file like the others under docs-xml/smbdotconf and then filling in the table in lib/param/param_table.c Hints on submitting patches are in https://wiki.samba.org/index.php/Using_Git_for_Samba_Development Let me know if you need any more help. Thanks, Andrew Bartlett
(In reply to Andrew Bartlett from comment #4)
Andrew,
After studying the samba source code, it seems that if I add the parameter tls_ciphers in docs-xml/smbdotconf and lib/param/param_table.c, the variable will be automatically generated as lpcfg_tls_ciphers, and if param/param.h is included, I can then read the variable as lpcfg_tls_ciphers. Is that correct?
(In reply to Kelvin Yip from comment #5) Yes.
Hello guys, would it be possible to add the patch in the next releases of samba 4.2.x? We have multiple users having the same issue, and it would be good to have the patch included in master. Thanks
Patches for this are now in master at 06f378fa652e0ff3cb5aae1b30eee4f73b570664 and so will be in 4.3.