From: Stefan Metzmacher Date: Wed, 16 Mar 2016 12:03:08 +0000 (+0100) Subject: CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible" X-Git-Tag: samba-4.2.10~143 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ae4b827062649c2b2dfc24a95e735726793d30a4;p=thirdparty%2Fsamba.git CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible" BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752 Signed-off-by: Stefan Metzmacher Reviewed-by: Alexander Bokovoy
---
diff --git a/docs-xml/smbdotconf/security/tlsverifypeer.xml b/docs-xml/smbdotconf/security/tlsverifypeer.xml
index ce6897d3d93..4f47dd4db0d 100644
--- a/docs-xml/smbdotconf/security/tlsverifypeer.xml
+++ b/docs-xml/smbdotconf/security/tlsverifypeer.xml
@@ -41,11 +41,7 @@ needs to be configured. Future versions of Samba may implement additional checks. - - Note that the default is likely to change from - no_check to as_strict_as_possible - with Samba 4.5. -no_check +as_strict_as_possible
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 0730d514da5..f6c2cfb8691 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2554,7 +2554,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 lpcfg_do_global_parameter(lp_ctx, "min wins ttl", "21600");
 lpcfg_do_global_parameter(lp_ctx, "tls enabled", "True");
- lpcfg_do_global_parameter(lp_ctx, "tls verify peer", "no_check");
+ lpcfg_do_global_parameter(lp_ctx, "tls verify peer", "as_strict_as_possible");
 lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem");
 lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem");
 lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index f5d5c53dc57..ee890b0aa49 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
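Review bot: The new default is now spelled twice with nothing tying the copies together — the string "as_strict_as_possible" passed to lpcfg_do_global_parameter here in loadparm_init, and the enum TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE assigned to Globals.tls_verify_peer in the source3/param/loadparm.c hunk that follows — so a later edit to one can silently leave the other at the weaker no_check setting. I would add a comment on the changed line, `/* Must stay in sync with Globals.tls_verify_peer in source3/param/loadparm.c; strict default per CVE-2016-2113 */`, put its mirror on the source3 line, and, if the tree has a test comparing the two parameter tables (I cannot tell from this hunk), make sure it covers "tls verify peer". The default is also a behaviour change for existing installs: with strict verification, a peer whose certificate does not validate against "tls cafile" (tls/ca.pem per the context lines) will presumably be rejected where it was previously accepted, which belongs in the release notes for this CVE. loadparm_init begins and ends outside this hunk.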
@@ -834,7 +834,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 Globals.dcerpc_endpoint_servers = (const char **)str_list_make_v3(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
 Globals.tls_enabled = true;
- Globals.tls_verify_peer = TLS_VERIFY_PEER_NO_CHECK;
+ Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE;
 lpcfg_string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem");
 lpcfg_string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem");