1<HTML> 2<HEAD> 3<TITLE> 4[Appendix A] A.5 SSL Configuration Options</title><META NAME="DC.title" CONTENT=""><META NAME="DC.creator" CONTENT=""><META NAME="DC.publisher" CONTENT="O'Reilly & Associates, Inc."><META NAME="DC.date" CONTENT="1999-11-05T21:41:44Z"><META NAME="DC.type" CONTENT="Text.Monograph"><META NAME="DC.format" CONTENT="text/html" SCHEME="MIME"><META NAME="DC.source" CONTENT="" SCHEME="ISBN"><META NAME="DC.language" CONTENT="en-US"><META NAME="generator" CONTENT="Jade 1.1/O'Reilly DocBook 3.0 to HTML 4.0"></head> 5<BODY BGCOLOR="#FFFFFF" TEXT="#000000" link="#990000" vlink="#0000CC"> 6<table BORDER="0" CELLPADDING="0" CELLSPACING="0" width="90%"> 7<tr> 8<td width="25%" valign="TOP"> 9<img hspace=10 vspace=10 src="gifs/samba.s.gif" 10alt="Using Samba" align=left valign=top border=0> 11</td> 12<td height="105" valign="TOP"> 13<br> 14<H2>Using Samba</H2> 15<font size="-1"> 16Robert Eckstein, David Collier-Brown, Peter Kelly 17<br>1st Edition November 1999 18<br>1-56592-449-5, Order Number: 4495 19<br>416 pages, $34.95 20</font> 21<p> <a href="http://www.oreilly.com/catalog/samba/">Buy the hardcopy</a> 22<p><a href="index.html">Table of Contents</a> 23</td> 24</tr> 25</table> 26<hr size=1 noshade> 27<!--sample chapter begins --> 28 29<center> 30<DIV CLASS="htmlnav"> 31<TABLE WIDTH="515" BORDER="0" CELLSPACING="0" CELLPADDING="0"> 32<TR> 33<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="172"> 34<A CLASS="sect1" HREF="appa_04.html" TITLE="A.4 Setting Up SSL Proxy"> 35<IMG SRC="gifs/txtpreva.gif" ALT="Previous: A.4 Setting Up SSL Proxy" BORDER="0"></a></td><TD ALIGN="CENTER" VALIGN="TOP" WIDTH="171"> 36<B> 37<FONT FACE="ARIEL,HELVETICA,HELV,SANSERIF" SIZE="-1"> 38<A CLASS="appendix" REL="up" HREF="appa_01.html" TITLE="A. Configuring Samba with SSL"> 39Appendix A<br> 40Configuring Samba with SSL</a></font></b></td><TD ALIGN="RIGHT" VALIGN="TOP" WIDTH="172"> 41<A CLASS="appendix" HREF="appb_01.html" TITLE="B. Samba Performance Tuning"> 42<IMG SRC="gifs/txtnexta.gif" ALT="Next: B. Samba Performance Tuning" BORDER="0"></a></td></tr></table> <hr noshade size=1></center> 43</div> 44<blockquote> 45<div> 46<H2 CLASS="sect1"> 47<A CLASS="title" NAME="appa-pgfId-985845"> 48A.5 SSL Configuration Options</a></h2><P CLASS="para"> 49<A CLASS="xref" HREF="appa_05.html#appa-61150">Table A.1</a> summarizes the configuration options introduced in the previous section for using SSL. Note that all of these options are global in scope; in other words, they must appear in the <CODE CLASS="literal"> 50[global]</code> section of the configuration file. </p><br> 51<TABLE CLASS="table" BORDER="1" CELLPADDING="3"> 52<CAPTION CLASS="table"> 53<A CLASS="title" NAME="appa-61150"> 54Table A.1: SSL Configuration Options </a></caption><THEAD CLASS="thead"> 55<TR CLASS="row" VALIGN="TOP"> 56<TH CLASS="entry" ALIGN="LEFT" ROWSPAN="1" COLSPAN="1"> 57<P CLASS="para"> 58Option</p></th><TH CLASS="entry" ALIGN="LEFT" ROWSPAN="1" COLSPAN="1"> 59<P CLASS="para"> 60Parameters</p></th><TH CLASS="entry" ALIGN="LEFT" ROWSPAN="1" COLSPAN="1"> 61<P CLASS="para"> 62Function</p></th><TH CLASS="entry" ALIGN="LEFT" ROWSPAN="1" COLSPAN="1"> 63<P CLASS="para"> 64Default</p></th><TH CLASS="entry" ALIGN="LEFT" ROWSPAN="1" COLSPAN="1"> 65<P CLASS="para"> 66Scope</p></th></tr></thead><TBODY CLASS="tbody"> 67<TR CLASS="row" VALIGN="TOP"> 68<TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 69<P CLASS="para"> 70<CODE CLASS="literal"> 71ssl</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 72<P CLASS="para"> 73boolean</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 74<P CLASS="para"> 75Indicates whether SSL mode is enabled with Samba.</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 76<P CLASS="para"> 77<CODE CLASS="literal"> 78no</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 79<P CLASS="para"> 80Global</p></td></tr><TR CLASS="row" VALIGN="TOP"> 81<TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 82<P CLASS="para"> 83<CODE CLASS="literal"> 84ssl hosts</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 85<P CLASS="para"> 86string (list of addresses)</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 87<P CLASS="para"> 88Specifies a list of hosts that must always connect using SSL.</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 89<P CLASS="para"> 90None</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 91<P CLASS="para"> 92Global</p></td></tr><TR CLASS="row" VALIGN="TOP"> 93<TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 94<P CLASS="para"> 95<CODE CLASS="literal"> 96ssl hosts resign</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 97<P CLASS="para"> 98string (list of addresses)</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 99<P CLASS="para"> 100Specifies a list of hosts that never connect using SS.</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 101<P CLASS="para"> 102None</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 103<P CLASS="para"> 104Global</p></td></tr><TR CLASS="row" VALIGN="TOP"> 105<TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 106<P CLASS="para"> 107<CODE CLASS="literal"> 108ssl CA certDir</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 109<P CLASS="para"> 110string (fully-qualified pathname)</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 111<P CLASS="para"> 112Specifies the directory where the certificates are stored.</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 113<P CLASS="para"> 114None</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 115<P CLASS="para"> 116Global</p></td></tr><TR CLASS="row" VALIGN="TOP"> 117<TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 118<P CLASS="para"> 119<CODE CLASS="literal"> 120ssl CA certFile</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 121<P CLASS="para"> 122string (fully-qualified pathname)</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 123<P CLASS="para"> 124Specifies a file that contains all of the certificates for Samba.</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 125<P CLASS="para"> 126None</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 127<P CLASS="para"> 128Global</p></td></tr><TR CLASS="row" VALIGN="TOP"> 129<TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 130<P CLASS="para"> 131<CODE CLASS="literal"> 132ssl server cert</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 133<P CLASS="para"> 134string (fully-qualified pathname)</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 135<P CLASS="para"> 136Specifies the location of the server's certificate.</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 137<P CLASS="para"> 138None</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 139<P CLASS="para"> 140Global</p></td></tr><TR CLASS="row" VALIGN="TOP"> 141<TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 142<P CLASS="para"> 143<CODE CLASS="literal"> 144ssl server key</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 145<P CLASS="para"> 146string (fully-qualified pathname)</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 147<P CLASS="para"> 148Specifies the location of the server's private key.</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 149<P CLASS="para"> 150None</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 151<P CLASS="para"> 152Global</p></td></tr><TR CLASS="row" VALIGN="TOP"> 153<TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 154<P CLASS="para"> 155<CODE CLASS="literal"> 156ssl client cert</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 157<P CLASS="para"> 158string (fully-qualified pathname)</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 159<P CLASS="para"> 160Specifies the location of the client's certificate.</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 161<P CLASS="para"> 162None</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 163<P CLASS="para"> 164Global</p></td></tr><TR CLASS="row" VALIGN="TOP"> 165<TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 166<P CLASS="para"> 167<CODE CLASS="literal"> 168ssl client key</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 169<P CLASS="para"> 170string (fully-qualified pathname)</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 171<P CLASS="para"> 172Specifies the location of the client's private key.</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 173<P CLASS="para"> 174None</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 175<P CLASS="para"> 176Global</p></td></tr><TR CLASS="row" VALIGN="TOP"> 177<TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 178<P CLASS="para"> 179<CODE CLASS="literal"> 180ssl require clientcert</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 181<P CLASS="para"> 182boolean</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 183<P CLASS="para"> 184Indicates whether Samba should require each client to have a certificate.</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 185<P CLASS="para"> 186<CODE CLASS="literal"> 187no</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 188<P CLASS="para"> 189Global</p></td></tr><TR CLASS="row" VALIGN="TOP"> 190<TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 191<P CLASS="para"> 192<CODE CLASS="literal"> 193ssl require servercert</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 194<P CLASS="para"> 195boolean</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 196<P CLASS="para"> 197Indicates whether the server itself should have a certificate.</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 198<P CLASS="para"> 199<CODE CLASS="literal"> 200no</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 201<P CLASS="para"> 202Global</p></td></tr><TR CLASS="row" VALIGN="TOP"> 203<TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 204<P CLASS="para"> 205<CODE CLASS="literal"> 206ssl ciphers</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 207<P CLASS="para"> 208String </p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 209<P CLASS="para"> 210Specifies the cipher suite to use during protocol negotiation.</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 211<P CLASS="para"> 212None</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 213<P CLASS="para"> 214Global</p></td></tr><TR CLASS="row" VALIGN="TOP"> 215<TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 216<P CLASS="para"> 217<CODE CLASS="literal"> 218ssl version</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 219<P CLASS="para"> 220<CODE CLASS="literal"> 221ssl2or3</code>, <CODE CLASS="literal"> 222ssl3</code>, or <CODE CLASS="literal"> 223tls1</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 224<P CLASS="para"> 225Specifies the version of SSL to use.</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 226<P CLASS="para"> 227<CODE CLASS="literal"> 228ssl2or3</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 229<P CLASS="para"> 230Global</p></td></tr><TR CLASS="row" VALIGN="TOP"> 231<TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 232<P CLASS="para"> 233<CODE CLASS="literal"> 234ssl compatibility</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 235<P CLASS="para"> 236boolean</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 237<P CLASS="para"> 238Indicates whether compatibility with other implementations of SSL should be activated.</p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 239<P CLASS="para"> 240<CODE CLASS="literal"> 241no</code></p></td><TD CLASS="entry" ROWSPAN="1" COLSPAN="1"> 242<P CLASS="para"> 243Global</p></td></tr></tbody></table><DIV CLASS="sect2"> 244<H3 CLASS="sect2"> 245<A CLASS="title" NAME="appa-pgfId-986013"> 246A.5.1 ssl</a></h3><P CLASS="para"> 247This global option configures Samba to use SSL for communication between itself and clients. The default value of this option is <CODE CLASS="literal"> 248no</code>. You can reset it as follows:</p><PRE CLASS="programlisting"> 249[global] 250 ssl = yes</pre><P CLASS="para"> 251Note that in order to use this option, you must have a proxy for Windows 95/98 clients, such as in the model presented earlier in this chapter.</p></div><DIV CLASS="sect2"> 252<H3 CLASS="sect2"> 253<A CLASS="title" NAME="appa-pgfId-986018"> 254A.5.2 ssl hosts</a></h3><P CLASS="para"> 255This option specifies the hosts that will be forced into using SSL. The syntax for specifying hosts and addresses is the same as the <CODE CLASS="literal"> 256hosts</code> <CODE CLASS="literal"> 257allow</code> and the <CODE CLASS="literal"> 258hosts</code> <CODE CLASS="literal"> 259deny</code> configuration options. For example:</p><PRE CLASS="programlisting"> 260[global] 261 ssl = yes 262 ssl hosts = 192.168.220.</pre><P CLASS="para"> 263This example specifies that all hosts that fall into the 192.168.220 subnet must use SSL connections with the client. This type of structure is useful if you know that various connections will be made by a subnet that lies across an untrusted network, such as the Internet. If neither this option nor the <CODE CLASS="literal"> 264ssl</code> <CODE CLASS="literal"> 265hosts</code> <CODE CLASS="literal"> 266resign</code> option has been specified, and <CODE CLASS="literal"> 267ssl</code> is set to <CODE CLASS="literal"> 268yes</code>, Samba will allow only SSL connections from all clients.</p></div><DIV CLASS="sect2"> 269<H3 CLASS="sect2"> 270<A CLASS="title" NAME="appa-pgfId-986024"> 271A.5.3 ssl hosts resign</a></h3><P CLASS="para"> 272This option specifies the hosts that will <EM CLASS="emphasis"> 273not</em> be forced into SSL mode. The syntax for specifying hosts and addresses is the same as the <CODE CLASS="literal"> 274hosts</code> <CODE CLASS="literal"> 275allow</code> and the <CODE CLASS="literal"> 276hosts</code> <CODE CLASS="literal"> 277deny</code> configuration options. For example:</p><PRE CLASS="programlisting"> 278[global] 279 ssl = yes 280 ssl hosts resign = 160.2.310. 160.2.320.</pre><P CLASS="para"> 281This example specifies that all hosts that fall into the 160.2.310 or 160.2.320 subnets will not use SSL connections with the client. If neither this option nor the <CODE CLASS="literal"> 282ssl</code> <CODE CLASS="literal"> 283hosts</code> option has been specified, and <CODE CLASS="literal"> 284ssl</code> is set to <CODE CLASS="literal"> 285yes</code>, Samba will allow only SSL connections from all clients.</p></div><DIV CLASS="sect2"> 286<H3 CLASS="sect2"> 287<A CLASS="title" NAME="appa-pgfId-986030"> 288A.5.4 ssl CA certDir</a></h3><P CLASS="para"> 289This option specifies the directory containing the certificate authority's certificates that Samba will use to authenticate clients. There must be one file in this directory for each certificate authority, named as specified earlier in this chapter. Any other files in this directory are ignored. For example:</p><PRE CLASS="programlisting"> 290[global] 291 ssl = yes 292 ssl hosts = 192.168.220. 293 ssl CA certDir = /usr/local/samba/cert</pre><P CLASS="para"> 294There is no default for this option. You can alternatively use the option <CODE CLASS="literal"> 295ssl</code> <CODE CLASS="literal"> 296CA</code> <CODE CLASS="literal"> 297certFile</code> if you wish to place all the certificate authority information in the same file.</p></div><DIV CLASS="sect2"> 298<H3 CLASS="sect2"> 299<A CLASS="title" NAME="appa-pgfId-986037"> 300A.5.5 ssl CA certFile</a></h3><P CLASS="para"> 301This option specifies a file that contains the certificate authority's certificates that Samba will use to authenticate clients. This option differs from <CODE CLASS="literal"> 302ssl</code> <CODE CLASS="literal"> 303CA</code> <CODE CLASS="literal"> 304certDir</code> in that there is only one file used for all the certificate authorities. An example of its usage follows:</p><PRE CLASS="programlisting"> 305[global] 306 ssl = yes 307 ssl hosts = 192.168.220. 308 ssl CA certFile = /usr/local/samba/cert/certFile</pre><P CLASS="para"> 309There is no default for this option. You can also use the option <CODE CLASS="literal"> 310ssl</code> <CODE CLASS="literal"> 311CA</code> <CODE CLASS="literal"> 312certDir</code> if you wish to have a separate file for each certificate authority that Samba trusts.</p></div><DIV CLASS="sect2"> 313<H3 CLASS="sect2"> 314<A CLASS="title" NAME="appa-pgfId-986044"> 315A.5.6 ssl server cert</a></h3><P CLASS="para"> 316This option specifies the location of the server's certificate. This option is mandatory; the server must have a certificate in order to use SSL. For example: </p><PRE CLASS="programlisting"> 317[global] 318 ssl = yes 319 ssl hosts = 192.168.220. 320 ssl CA certFile = /usr/local/samba/cert/certFile 321 ssl server cert = /usr/local/samba/private/server.pem</pre><P CLASS="para"> 322There is no default for this option. Note that the certificate may contain the private key for the server.</p></div><DIV CLASS="sect2"> 323<H3 CLASS="sect2"> 324<A CLASS="title" NAME="appa-pgfId-986052"> 325A.5.7 ssl server key</a></h3><P CLASS="para"> 326This option specifies the location of the server's private key. You should ensure that the location of the file cannot be accessed by anyone other than <CODE CLASS="literal"> 327root</code>. For example:</p><PRE CLASS="programlisting"> 328[global] 329 ssl = yes 330 ssl hosts = 192.168.220. 331 ssl CA certFile = /usr/local/samba/cert/certFile 332 ssl server key = /usr/local/samba/private/samba.pem</pre><P CLASS="para"> 333There is no default for this option. Note that the private key may be contained in the certificate for the server. </p></div><DIV CLASS="sect2"> 334<H3 CLASS="sect2"> 335<A CLASS="title" NAME="appa-pgfId-986060"> 336A.5.8 ssl client cert</a></h3><P CLASS="para"> 337This option specifies the location of the client's certificate. The certificate may be requested by the Samba server with the <CODE CLASS="literal"> 338ssl</code> <CODE CLASS="literal"> 339require</code> <CODE CLASS="literal"> 340clientcert</code> option; the certificate is also used by <I CLASS="filename"> 341smbclient</i>. For example: </p><PRE CLASS="programlisting"> 342[global] 343 ssl = yes 344 ssl hosts = 192.168.220. 345 ssl CA certFile = /usr/local/samba/cert/certFile 346 ssl server cert = /usr/local/ssl/private/server.pem 347 ssl client cert= /usr/local/ssl/private/clientcert.pem</pre><P CLASS="para"> 348There is no default for this option. </p></div><DIV CLASS="sect2"> 349<H3 CLASS="sect2"> 350<A CLASS="title" NAME="appa-pgfId-986069"> 351A.5.9 ssl client key</a></h3><P CLASS="para"> 352This option specifies the location of the client's private key. You should ensure that the location of the file cannot be accessed by anyone other than <CODE CLASS="literal"> 353root</code>. For example:</p><PRE CLASS="programlisting"> 354[global] 355 ssl = yes 356 ssl hosts = 192.168.220. 357 ssl CA certDir = /usr/local/samba/cert/ 358 ssl server key = /usr/local/ssl/private/samba.pem 359 ssl client key = /usr/local/ssl/private/clients.pem</pre><P CLASS="para"> 360There is no default for this option. This option is only needed if the client has a certificate. </p></div><DIV CLASS="sect2"> 361<H3 CLASS="sect2"> 362<A CLASS="title" NAME="appa-pgfId-986078"> 363A.5.10 ssl require clientcert</a></h3><P CLASS="para"> 364This option specifies whether the client is required to have a certificate. The certificates listed with either the <CODE CLASS="literal"> 365ssl</code> <CODE CLASS="literal"> 366CA</code> <CODE CLASS="literal"> 367certDir</code> or the <CODE CLASS="literal"> 368ssl</code> <CODE CLASS="literal"> 369CA</code> <CODE CLASS="literal"> 370certFile</code> will be searched to confirm that the client has a valid certificate and is authorized to connect to the Samba server. The value of this option is a simple boolean. For example:</p><PRE CLASS="programlisting"> 371[global] 372 ssl = yes 373 ssl hosts = 192.168.220. 374 ssl CA certFile = /usr/local/samba/cert/certFile 375 ssl require clientcert = yes</pre><P CLASS="para"> 376We recommend that you require certificates from all clients that could be connecting to the Samba server. The default value for this option is <CODE CLASS="literal"> 377no</code>.</p></div><DIV CLASS="sect2"> 378<H3 CLASS="sect2"> 379<A CLASS="title" NAME="appa-pgfId-990571"> 380A.5.11 ssl require servercert</a></h3><P CLASS="para"> 381This option specifies whether the server is required to have a certificate. Again, this will be used by the <I CLASS="filename"> 382smbclient</i> program. The value of this option is a simple boolean. For example:</p><PRE CLASS="programlisting"> 383[global] 384 ssl = yes 385 ssl hosts = 192.168.220. 386 ssl CA certFile = /usr/local/samba/cert/certFile 387 ssl require clientcert = yes 388 ssl require servercert = yes</pre><P CLASS="para"> 389Although we recommend that you require certificates from all clients that could be connecting to the Samba server, a server certificate is not required. It is, however, recommended. The default value for this option is <CODE CLASS="literal"> 390no</code>.</p></div><DIV CLASS="sect2"> 391<H3 CLASS="sect2"> 392<A CLASS="title" NAME="appa-pgfId-986095"> 393A.5.12 ssl ciphers</a></h3><P CLASS="para"> 394This option sets the ciphers on which SSL will decide during the negotiation phase of the SSL connection. Samba can use any of the following ciphers:</p><PRE CLASS="programlisting"> 395DEFAULT 396DES-CFB-M1 397NULL-MD5 398RC4-MD5 399EXP-RC4-MD5 400RC2-CBC-MD5 401EXP-RC2-CBC-MD5 402IDEA-CBC-MD5 403DES-CBC-MD5 404DES-CBC-SHA 405DES-CBC3-MD5 406DES-CBC3-SHA 407RC4-64-MD5 408NULL</pre><P CLASS="para"> 409It is best not to set this option unless you are familiar with the SSL protocol and want to mandate a specific cipher suite.</p></div><DIV CLASS="sect2"> 410<H3 CLASS="sect2"> 411<A CLASS="title" NAME="appa-pgfId-986097"> 412A.5.13 ssl version</a></h3><P CLASS="para"> 413This global option specifies the version of SSL that Samba will use when handling encrypted connections. The default value is <CODE CLASS="literal"> 414ssl2or3</code>, which specifies that either version 2 or 3 of the SSL protocol can be used, depending on which version is negotiated in the handshake between the server and the client. However, if you want Samba to use only a specific version of the protocol, you can specify the following:</p><PRE CLASS="programlisting"> 415[global] 416 ssl version = ssl3</pre><P CLASS="para"> 417Again, it is best not to set this option unless you are familiar with the SSL protocol and want to mandate a specific version.</p></div><DIV CLASS="sect2"> 418<H3 CLASS="sect2"> 419<A CLASS="title" NAME="appa-pgfId-990580"> 420A.5.14 ssl compatibility</a></h3><P CLASS="para"> 421This global option specifies whether Samba should be configured to use other versions of SSL. However, because no other versions exist at this writing, the issue is moot and the variable should always be left at the default.</p></div></div></blockquote> 422<div> 423<center> 424<hr noshade size=1><TABLE WIDTH="515" BORDER="0" CELLSPACING="0" CELLPADDING="0"> 425<TR> 426<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="172"> 427<A CLASS="sect1" HREF="appa_04.html" TITLE="A.4 Setting Up SSL Proxy"> 428<IMG SRC="gifs/txtpreva.gif" ALT="Previous: A.4 Setting Up SSL Proxy" BORDER="0"></a></td><TD ALIGN="CENTER" VALIGN="TOP" WIDTH="171"> 429<A CLASS="book" HREF="index.html" TITLE=""> 430<IMG SRC="gifs/txthome.gif" ALT="" BORDER="0"></a></td><TD ALIGN="RIGHT" VALIGN="TOP" WIDTH="172"> 431<A CLASS="appendix" HREF="appb_01.html" TITLE="B. Samba Performance Tuning"> 432<IMG SRC="gifs/txtnexta.gif" ALT="Next: B. Samba Performance Tuning" BORDER="0"></a></td></tr><TR> 433<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="172">A.4 Setting Up SSL Proxy</td><TD ALIGN="CENTER" VALIGN="TOP" WIDTH="171"> 434<A CLASS="index" HREF="inx.html" TITLE="Book Index"> 435<IMG SRC="gifs/index.gif" ALT="Book Index" BORDER="0"></a></td><TD ALIGN="RIGHT" VALIGN="TOP" WIDTH="172"> 436B. Samba Performance Tuning</td></tr></table><hr noshade size=1></center> 437</div> 438 439<!-- End of sample chapter --> 440<CENTER> 441<FONT SIZE="1" FACE="Verdana, Arial, Helvetica"> 442<A HREF="http://www.oreilly.com/"> 443<B>O'Reilly Home</B></A> <B> | </B> 444<A HREF="http://www.oreilly.com/sales/bookstores"> 445<B>O'Reilly Bookstores</B></A> <B> | </B> 446<A HREF="http://www.oreilly.com/order_new/"> 447<B>How to Order</B></A> <B> | </B> 448<A HREF="http://www.oreilly.com/oreilly/contact.html"> 449<B>O'Reilly Contacts<BR></B></A> 450<A HREF="http://www.oreilly.com/international/"> 451<B>International</B></A> <B> | </B> 452<A HREF="http://www.oreilly.com/oreilly/about.html"> 453<B>About O'Reilly</B></A> <B> | </B> 454<A HREF="http://www.oreilly.com/affiliates.html"> 455<B>Affiliated Companies</B></A><p> 456<EM>© 1999, O'Reilly & Associates, Inc.</EM> 457</FONT> 458</CENTER> 459</BODY> 460</html> 461
