Feature #13914

closed

smbd encrypt_cipher property should list enabled ciphers explicitly

Added by Alexander Stetsenko almost 2 years ago. Updated 9 months ago.

Status: Closed
Priority: Normal
Category: cifs - CIFS server and client
Start date: 2021-06-29
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: smb, smf
Gerrit CR:
External Bug: racktop:BSR-10932

Description

Currently, we support 2 encryption ciphers: AES-128-CCM and AES-128-GCM. There are 2 corresponding options for the smbd/encrypt_cipher property: aes128-ccm and aes128-gcm. If the aes128-ccm option is chosen, AES-128-CCM is the only allowed cipher. When aes128-gcm is set, both ciphers are enabled. There is no way to disable aes128-ccm.
The latest SMB specification adds 2 other ciphers: AES-256-CCM and AES-256-GCM, and it becomes clearer that we have to change the approach for the encrypt_cipher property. Probably, we should list enabled ciphers explicitly.

The new approach would set up the property this way: smbd/encrypt_cipher="<cipher_1>[,<cipher_k>,<cipher_n>]". If it is not set (empty) then all ciphers would be enabled.


Related issues

Related to illumos gate - Bug #14046: Windows Server 2022 and Windows 11 cannot connect to SMB share (Closed, Andy Fiddaman)

Blocks illumos gate - Feature #14047: Add support for SMB 3.1.1 AES-256 (Closed, Alexander Stetsenko)

Actions #1

Updated by Alexander Stetsenko almost 2 years ago

  • Subject changed from smbd encrypt_cipher property should list explicitly allowed ciphers to smbd encrypt_cipher property should list allowed ciphers explicitly
  • Status changed from New to In Progress
  • Start date set to 2021-06-29
  • % Done changed from 0 to 10
Actions #2

Updated by Alexander Stetsenko almost 2 years ago

  • Subject changed from smbd encrypt_cipher property should list allowed ciphers explicitly to smbd encrypt_cipher property should list enabled ciphers explicitly
  • % Done changed from 10 to 80
Actions #3

Updated by Electric Monk almost 2 years ago

  • Gerrit CR set to 1594
Actions #4

Updated by Andy Fiddaman almost 2 years ago

  • Related to Bug #14046: Windows Server 2022 and Windows 11 cannot connect to SMB share added
Actions #5

Updated by Joshua M. Clulow over 1 year ago

Actions #6

Updated by Guenther Alka over 1 year ago

A fix is quite urgent as it seems to affect the new OSX v12 as well, where a connect to server smb://ip no longer works after an update (cifs://ip is ok with smb1).

Actions #7

Updated by Alexander Stetsenko over 1 year ago

  • % Done changed from 80 to 90

The changes were tested manually on an OmniOS-based system. The smb/server
smbd/encrypt_cipher property was set to different combinations of valid
encryption ciphers: aes128-ccm, aes128-gcm, all (which means both).

For example, tested: "aes128-ccm", "aes128-gcm", "aes128-ccm,
aes128-gcm", "all", "all, aes128-ccm", "all, aes128-gcm". Also, it was
tested with some invalid string values. In this case, the invalid values
were just ignored, and if there were no valid string values, then the
default (aes128-gcm) cipher was selected.

The correctness of the selected protocol was checked using Wireshark on
Windows 10. If present in the list (either explicitly or as "all"
value), the aes128-gcm cipher was selected.
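
A sketch of the list semantics reported in the description and in the test note above, as an added example (not the illumos implementation; the `CIPHER_*` names and both functions are hypothetical). It assumes an empty value enables all ciphers, as the description proposes, and that a value with no valid token falls back to aes128-gcm, as the test note reports.

```c
#include <ctype.h>
#include <string.h>

/* Hypothetical names for this sketch; not identifiers from illumos. */
#define CIPHER_AES128_CCM 0x1u
#define CIPHER_AES128_GCM 0x2u
#define CIPHER_ALL (CIPHER_AES128_CCM | CIPHER_AES128_GCM)

/* Map one trimmed token to its bit; unknown tokens map to 0 and are ignored. */
static unsigned token_bit(const char *tok, size_t len)
{
	static const struct { const char *name; unsigned bit; } tbl[] = {
		{ "aes128-ccm", CIPHER_AES128_CCM },
		{ "aes128-gcm", CIPHER_AES128_GCM },
		{ "all", CIPHER_ALL },
	};
	for (size_t i = 0; i < sizeof (tbl) / sizeof (tbl[0]); i++)
		if (strlen(tbl[i].name) == len &&
		    strncmp(tok, tbl[i].name, len) == 0)
			return (tbl[i].bit);
	return (0);
}

/* Parse "<cipher_1>[,<cipher_k>,...]" into a bitmask of enabled ciphers. */
unsigned parse_encrypt_cipher(const char *val)
{
	unsigned mask = 0;
	const char *p = val;

	/* Unset or empty: all ciphers enabled (assumption from the description). */
	if (val == NULL || val[strspn(val, " \t")] == '\0')
		return (CIPHER_ALL);

	while (*p != '\0') {
		size_t len = strcspn(p, ",");
		const char *s = p, *e = p + len;
		while (s < e && isspace((unsigned char)*s)) s++;
		while (e > s && isspace((unsigned char)e[-1])) e--;
		mask |= token_bit(s, (size_t)(e - s));
		p += len;
		if (*p == ',') p++;
	}
	/* Only invalid tokens: fall back to the default, aes128-gcm. */
	return (mask != 0 ? mask : CIPHER_AES128_GCM);
}
```

Because invalid tokens are dropped silently, a misspelled cipher name narrows or resets the enabled set without any error, so the effective list is worth confirming on the wire after changing the property.
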

Actions #8

Updated by Electric Monk over 1 year ago

  • Status changed from In Progress to Closed
  • % Done changed from 90 to 100

git commit dee7ba860656acbc12d71ef94c95f07396697c49

commit  dee7ba860656acbc12d71ef94c95f07396697c49
Author: Alexander Stetsenko <alex.stetsenko@gmail.com>
Date:   2022-01-23T23:07:38.000Z

    13914 smbd encrypt_cipher property should list enabled ciphers explicitly
    Reviewed by: Gordon Ross <gordon.w.ross@gmail.com>
    Reviewed by: Andrew Stormont <andyjstormont@gmail.com>
    Approved by: Robert Mustacchi <rm@fingolfin.org>

Actions #9

Updated by Gordon Ross 9 months ago

  • External Bug set to racktop:BSR-10932