From ac25a8ac4fc314795f9a8a15a10d731e648deea7 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 31 Aug 2015 10:48:08 +1200 Subject: [PATCH] lib/tls: Ensure SSLv3 is disabled in the web server by default By calling gnutls_priority_set_direct() the behaviour should now match the LDAP server BUG: https://bugzilla.samba.org/show_bug.cgi?id=11076 Signed-off-by: Andrew Bartlett Pair-programmed-with: Garming Sam --- source4/lib/tls/tls.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index 46cd85c920c..0d9d3c986de 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -42,6 +42,7 @@ struct tls_params { gnutls_certificate_credentials x509_cred; gnutls_dh_params dh_params; bool tls_enabled; + const char *tls_priority; }; #endif @@ -390,6 +391,8 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, struct loadparm_context * return params; } + params->tls_priority = lpcfg_tls_priority(lp_ctx); + if (!file_exist(cafile)) { char *hostname = talloc_asprintf(mem_ctx, "%s.%s", lpcfg_netbios_name(lp_ctx), @@ -499,6 +502,7 @@ struct socket_context *tls_init_server(struct tls_params *params, int ret; struct socket_context *new_sock; NTSTATUS nt_status; + const char *error_pos; nt_status = socket_create_with_ops(socket_ctx, &tls_socket_ops, &new_sock, SOCKET_TYPE_STREAM, @@ -527,7 +531,16 @@ struct socket_context *tls_init_server(struct tls_params *params, talloc_set_destructor(tls, tls_destructor); - TLSCHECK(gnutls_set_default_priority(tls->session)); + ret = gnutls_priority_set_direct(tls->session, + params->tls_priority, + &error_pos); + if (ret != GNUTLS_E_SUCCESS) { + DEBUG(0,("TLS %s - %s. Check 'tls priority' option at '%s'\n", + __location__, gnutls_strerror(ret), error_pos)); + talloc_free(new_sock); + return NULL; + } + TLSCHECK(gnutls_credentials_set(tls->session, GNUTLS_CRD_CERTIFICATE, params->x509_cred)); gnutls_certificate_server_set_request(tls->session, GNUTLS_CERT_REQUEST); -- 2.34.1