Project

General

Profile

Actions

Feature #13914

open

smbd encrypt_cipher property should list enabled ciphers explicitly

Added by Alexander Stetsenko 7 months ago. Updated about 1 month ago.

Status:
In Progress
Priority:
Normal
Category:
cifs - CIFS server and client
Start date:
2021-06-29
Due date:
% Done:

90%

Estimated time:
Difficulty:
Medium
Tags:
smb, smf
Gerrit CR:

Description

Currently, we support 2 encryption ciphers: AES-128-CCM and AES-128-GCM. There are 2 corresponding options for smbd/encrypt_cipher property: aes128-ccm and aes128-gcm. If aes128-ccm option is chosen, AES128-CCM is the only allowed cipher. When aes128-gcm is set, both ciphers are enabled. There is no way to disable aes128-ccm.
Latest SMB specification adds other 2 ciphers: AES-256-CCM and AES-256-GCM, and it becomes more clear that we have to change the approach for encryp_cipher property. Probably, we should list enabled ciphers explicitly.

The new approach would set up the property such way: smbd/encrypt_cipher="<cipher_1>[,<cipher_k>,<cipher_n>]". If it is not set (empty) then all ciphers would be enabled.


Related issues

Related to illumos gate - Bug #14046: Windows Server 2022 and Windows 11 cannot connect to SMB shareClosedAndy Fiddaman

Actions
Blocks illumos gate - Feature #14047: Add support for SMB 3.1.1 AES-256In ProgressAlexander Stetsenko

Actions
Actions #1

Updated by Alexander Stetsenko 7 months ago

  • Subject changed from smbd encrypt_cipher property should list explicitly allowed ciphers to smbd encrypt_cipher property should list allowed ciphers explicitly
  • Status changed from New to In Progress
  • Start date set to 2021-06-29
  • % Done changed from 0 to 10
Actions #2

Updated by Alexander Stetsenko 7 months ago

  • Subject changed from smbd encrypt_cipher property should list allowed ciphers explicitly to smbd encrypt_cipher property should list enabled ciphers explicitly
  • % Done changed from 10 to 80
Actions #3

Updated by Electric Monk 7 months ago

  • Gerrit CR set to 1594
Actions #4

Updated by Andy Fiddaman 5 months ago

  • Related to Bug #14046: Windows Server 2022 and Windows 11 cannot connect to SMB share added
Actions #5

Updated by Joshua M. Clulow 4 months ago

Actions #6

Updated by Guenther Alka 3 months ago

A fix is quite urgent as seems to affect the new OSX v12 as well where a connect to server smb://ip no longer works after an update (cifs://ip is ok with smb1)

Actions #7

Updated by Alexander Stetsenko about 1 month ago

  • % Done changed from 80 to 90

The changes were tested manually on omnios based system. The smb/server
smbd/encrypt_cipher property was set to different combination of valid
encryption ciphers: aes128-ccm, aes128-gcm,all (which means both).

For example, tested: "aes128-ccm", "aes128-gcm", "aes128-ccm,
aes128-gcm", "all", "all, aes128-ccm", "all, aes128-gcm". Also, it was
tested with some invalid string values. In this case, the invalid values
were just ignored and there were no any valid string values, then the
default (aes128-gcm) cipher was selected.

The correctness of the selected protocol was checked using Wireshark on
Windows 10. If present in the list (either explicitly or as "all"
value), aes128-gcm cipher was selected.

Actions

Also available in: Atom PDF