lib/tls: Ensure SSLv3 is disabled in the web server by default
authorAndrew Bartlett <abartlet@samba.org>
Sun, 30 Aug 2015 22:48:08 +0000 (10:48 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Sun, 30 Aug 2015 23:10:22 +0000 (01:10 +0200)
By calling gnutls_priority_set_direct() the behaviour should now match that of the LDAP server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11076
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>

source4/lib/tls/tls.c

index 46cd85c920ce75dc60ff5383eee30b1e069e713c..0d9d3c986de6734e4756a9ab70e3f136933c4bf1 100644 (file)
@@ -42,6 +42,7 @@ struct tls_params {
        gnutls_certificate_credentials x509_cred;
        gnutls_dh_params dh_params;
        bool tls_enabled;
+       const char *tls_priority;
 };
 #endif
 
@@ -390,6 +391,8 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, struct loadparm_context *
                return params;
        }
 
+       params->tls_priority = lpcfg_tls_priority(lp_ctx);
+
        if (!file_exist(cafile)) {
                char *hostname = talloc_asprintf(mem_ctx, "%s.%s",
                                                 lpcfg_netbios_name(lp_ctx),
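Review bot: The string returned by `lpcfg_tls_priority(lp_ctx)` on the added line is stored without being parsed, so a malformed `tls priority` value is only detected later, inside tls_init_server, once per incoming connection, and every connection then fails with the same error rather than the daemon refusing to start. Validating the string once here with `gnutls_priority_init()` (discarding or, better, keeping the resulting `gnutls_priority_t` in tls_params and applying it per session with `gnutls_priority_set()`) would surface the configuration error at startup and avoid re-parsing the priority string for every session. The default value of the option is not visible in this diff; whether SSLv3 is actually disabled depends on the default string defined for `tls priority` in loadparm, which should be checked alongside this change. tls_initialise's body continues outside the hunk, so the exact error-return convention to use here cannot be seen from the hunk alone.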
@@ -499,6 +502,7 @@ struct socket_context *tls_init_server(struct tls_params *params,
        int ret;
        struct socket_context *new_sock;
        NTSTATUS nt_status;
+       const char *error_pos;
 
        nt_status = socket_create_with_ops(socket_ctx, &tls_socket_ops, &new_sock,
                                           SOCKET_TYPE_STREAM,
@@ -527,7 +531,16 @@ struct socket_context *tls_init_server(struct tls_params *params,
 
        talloc_set_destructor(tls, tls_destructor);
 
-       TLSCHECK(gnutls_set_default_priority(tls->session));
+       ret = gnutls_priority_set_direct(tls->session,
+                                        params->tls_priority,
+                                        &error_pos);
+       if (ret != GNUTLS_E_SUCCESS) {
+               DEBUG(0,("TLS %s - %s.  Check 'tls priority' option at '%s'\n",
+                        __location__, gnutls_strerror(ret), error_pos));
+               talloc_free(new_sock);
+               return NULL;
+       }
+
        TLSCHECK(gnutls_credentials_set(tls->session, GNUTLS_CRD_CERTIFICATE,
                                        params->x509_cred));
        gnutls_certificate_server_set_request(tls->session, GNUTLS_CERT_REQUEST);
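Review bot: `error_pos` is declared without an initialiser in the earlier hunk (`const char *error_pos;`) and is printed unconditionally with `%s` in the added DEBUG call, but GnuTLS only guarantees that the err_pos argument is set when the failure is a priority-string parse error; on other failures (e.g. a memory error) the format call may read an indeterminate pointer. Initialise it and guard the print: `const char *error_pos = NULL;` at the declaration, and `error_pos ? error_pos : "(no position reported)"` as the last DEBUG argument. The failure path relies on `talloc_free(new_sock)` also tearing down the `tls` session, which holds only if `tls` is a talloc child of `new_sock`; its allocation is outside the hunk, so this should be confirmed (the existing TLSCHECK macro presumably does the same). Note that this hunk changes only tls_init_server; if the client-side path in this file still calls gnutls_set_default_priority(), it keeps the library default and is not affected by the `tls priority` option.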