Bug 15675 - On the order of preference of encryption/signing algorithms
Summary: On the order of preference of encryption/signing algorithms
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other (show other bugs)
Version: 4.15.13
Hardware: All Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-07-01 07:25 UTC by thisisnotmyprivateaddress
Modified: 2024-07-05 09:50 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description thisisnotmyprivateaddress 2024-07-01 07:25:43 UTC
It seems like if you specify a list of supported server/client signing/encryption algorithms in `{server,client} smb3 {signing,encryption} algorithms`, the server picks the left-most algorithm that is supported by the client.

I haven't tested all combinations (server, client, signing, encryption) but only `server smb3 encryption algorithms`, so, I might be wrong for the other cases.

Still, I see two issues with this approach:

1) The default algorithms lists (the ones listed in the manpages) seem to be sorted in ascending order of security. Thus, by default the server would pick the least secure algorithm.

2) The server should generally prefer the most secure algorithm in a list instead of relying on order, unless explicitely specified by the user.

At the very least, the order of preference should be explicitely stated in the manpages to avoid confusion.

I apologize in advance if I misunderstood the order of preference.

Best,
Jonathan
Comment 1 Stefan Metzmacher 2024-07-05 09:50:39 UTC
We aim to behave like Windows and there the server picks the
first supported algorithm the client proposed.

So the order only really matters in the client options.

On the client proposes the algorithms based on the performance impact
from the fastest to the slowest.