| 1 | <samba:parameter name="tls verify peer"
|
|---|
| 2 | context="G"
|
|---|
| 3 | type="enum"
|
|---|
| 4 | enumlist="enum_tls_verify_peer_vals"
|
|---|
| 5 | xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|---|
| 6 | <description>
|
|---|
| 7 | <para>This controls if and how strict the client will verify the peer's certificate and name.
|
|---|
| 8 | Possible values are (in increasing order):
|
|---|
| 9 | <constant>no_check</constant>,
|
|---|
| 10 | <constant>ca_only</constant>,
|
|---|
| 11 | <constant>ca_and_name_if_available</constant>,
|
|---|
| 12 | <constant>ca_and_name</constant>
|
|---|
| 13 | and
|
|---|
| 14 | <constant>as_strict_as_possible</constant>.</para>
|
|---|
| 15 |
|
|---|
| 16 | <para>When set to <constant>no_check</constant> the certificate is not verified at
|
|---|
| 17 | all, which allows trivial man in the middle attacks.
|
|---|
| 18 | </para>
|
|---|
| 19 |
|
|---|
| 20 | <para>When set to <constant>ca_only</constant> the certificate is verified to
|
|---|
| 21 | be signed from a ca specified in the <smbconfoption name="tls ca file"/> option.
|
|---|
| 22 | Setting <smbconfoption name="tls ca file"/> to a valid file is required.
|
|---|
| 23 | The certificate lifetime is also verified. If the <smbconfoption name="tls crl file"/>
|
|---|
| 24 | option is configured, the certificate is also verified against the ca crl.
|
|---|
| 25 | </para>
|
|---|
| 26 |
|
|---|
| 27 | <para>When set to <constant>ca_and_name_if_available</constant> all checks from
|
|---|
| 28 | <constant>ca_only</constant> are performed. In addition, the peer hostname is verified
|
|---|
| 29 | against the certificate's name, if it is provided by the application layer and
|
|---|
| 30 | not given as an ip address string.
|
|---|
| 31 | </para>
|
|---|
| 32 |
|
|---|
| 33 | <para>When set to <constant>ca_and_name</constant> all checks from
|
|---|
| 34 | <constant>ca_and_name_if_available</constant> are performed.
|
|---|
| 35 | In addition the peer hostname needs to be provided and even an ip
|
|---|
| 36 | address is checked against the certificate's name.
|
|---|
| 37 | </para>
|
|---|
| 38 |
|
|---|
| 39 | <para>When set to <constant>as_strict_as_possible</constant> all checks from
|
|---|
| 40 | <constant>ca_and_name</constant> are performed. In addition the
|
|---|
| 41 | <smbconfoption name="tls crl file"/> needs to be configured.
|
|---|
| 42 | Future versions of Samba may implement additional checks.
|
|---|
| 43 | </para>
|
|---|
| 44 | </description>
|
|---|
| 45 |
|
|---|
| 46 | <value type="default">as_strict_as_possible</value>
|
|---|
| 47 | </samba:parameter>
|
|---|
