Bug 11076 - Disable SSLv3 to limit poodle effect
Disable SSLv3 to limit poodle effect
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
4.2.0rc4
All Linux
: P5 normal
: 4.3
Assigned To: Andrew Bartlett
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-01-27 07:55 UTC by Kelvin Yip
Modified: 2015-07-21 00:53 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kelvin Yip 2015-01-27 07:55:36 UTC
Nessus security scanner reported that samba 4.2rc4 was affected by poodle attack. (CVE-2014-3566) 

I suggest to add a parameter in smb.conf to specific ciphers like EXIM mail server. For configuration of exim, they use parameters like: tls_require_ciphers = SECURE128:-VERS-SSL3.0

Below link seems to be a reference of code to control GNUTLS 3.0: 
http://gnutls.org/manual/html_node/Priority-Strings.html

Would you please consider to fix this issue.
Comment 1 Andrew Bartlett 2015-01-27 09:20:03 UTC
Patches are welcome, as I said at https://lists.samba.org/archive/samba/2014-November/186849.html

Also, as I said there, all the information I have is that this attack is infeasible against LDAP, and additionally, there is no need for an attacker to actively intercept and manipulate the SSL negotiation if they can just present their own self-signed certificate, given so few LDAP clients, including our own, actually check it. 

Finally, SSLv3 downgrade is only possible in web browsers: http://nmav.gnutls.org/2014/10/what-about-poodle.html and the POODLE attack is infeasible against LDAP https://ludopoitou.wordpress.com/2014/10/16/poodle-ssl-bug-and-opendj/#comment-6703
Comment 2 Kelvin Yip 2015-01-28 05:07:31 UTC
(In reply to Andrew Bartlett from comment #1)
Andrew,

I understand your point of view. My problem is the auditor is complaining this issue, and I want to fix it.
I am new to development on Linux platform, and will study how to make a patch. Referring to document(http://linux.die.net/man/3/gnutls_set_default_priority), gnutls_set_default_priority is same as gnutls_priority_set_direct (session, "NORMAL", NULL);
So, I will try to change the source code in ./source4/lib/tls/tls.c and ./source4/lib/tls/tls_tstream.c 
from
TLSCHECK(gnutls_set_default_priority(tls->session));
to
TLSCHECK(gnutls_priority_set_direct(tls->session, "NORMAL:-VERS-SSL3.0", NULL));

I will try to compile it to see if it can work normally.

Thanks,
Kelvin Yip
Comment 3 Kelvin Yip 2015-01-29 05:59:25 UTC
(In reply to Kelvin Yip from comment #2)
I have done the following changes and the poodle attack from Nessus was gone and the samba server seems working normally.
vi ./source4/lib/tls/tls.c
Change from
TLSCHECK(gnutls_set_default_priority(tls->session));
TO
TLSCHECK(gnutls_priority_set_direct(tls->session, "NORMAL:-VERS-SSL3.0", NULL));

vi ./source4/lib/tls/tls_tstream.c
Change from
ret = gnutls_set_default_priority(tlss->tls_session);
TO
ret = gnutls_priority_set_direct(tlss->tls_session, "NORMAL:-VERS-SSL3.0", NULL);

I will try to make the parameters read from smb.conf and submit the patch. Can somebody give me some guideline to make a patch ?
Comment 4 Andrew Bartlett 2015-01-29 06:27:53 UTC
Addition of a parameter is done by adding the documentation (yes really!) as xml file like the others under docs-xml/smbdotconf and then filling in the table in lib/param/param_table.c

Hints on submitting patches are in
https://wiki.samba.org/index.php/Using_Git_for_Samba_Development

Let me know if you need any more help.

Thanks,

Andrew Bartlett
Comment 5 Kelvin Yip 2015-01-30 09:47:42 UTC
(In reply to Andrew Bartlett from comment #4)
Andrew,

After I study the samba source code, seems if I added the parameters tls_ciphers in docs-xml/smbdotconf and lib/param/param_table.c. The variable will be automatically generated as lpcfg_tls_ciphers, and if param/param.h is included. Then, I can read the variable as lpcfg_tls_ciphers. Is it correct ?
Comment 6 Andrew Bartlett 2015-01-30 10:05:02 UTC
(In reply to Kelvin Yip from comment #5)
Yes.
Comment 7 Mario 2015-07-08 09:40:41 UTC
hello guys

would be possible to add the patch in the next releases of samba 4.2.x? we have multiple users having the same issue and would be good to have the patch included in the master

thanks
Comment 8 Andrew Bartlett 2015-07-21 00:53:40 UTC
Patches for this are now in master at 06f378fa652e0ff3cb5aae1b30eee4f73b570664 and so will be in 4.3.