From owner-freebsd-arch@freebsd.org Tue Nov 27 19:22:33 2018
Date: Tue, 27 Nov 2018 14:14:52 -0500
From: Gerard Seibert
To: freebsd-arch@freebsd.org
Cc: Yuri Pankov, Edward Napierala, Brooks Davis
Subject: Re: Removal or updating of "mount_smbfs" from FreeBSD operating system
Message-ID: <20181127141452.000043c7@seibercom.net>
In-Reply-To: <20181127171459.GC52968@spindle.one-eyed-alien.net>
References: <20181126121926.00007626@seibercom.net> <20181127171459.GC52968@spindle.one-eyed-alien.net>
Reply-To: freebsd-arch@freebsd.org
List-Id: Discussion related to FreeBSD architecture

On Tue, 27 Nov 2018 17:14:59 +0000, Brooks Davis stated:

>On Tue, Nov 27, 2018 at 07:55:54PM +0300, Yuri Pankov wrote:
>> Edward Napierala wrote:
>> > On Mon, 26 Nov 2018 at 17:20, Gerard Seibert wrote:
>> >>
>> >> TO WHOM IT MAY CONCERN
>> >>
>> >> The "SMBv1" protocol is a security hazard and was depreciated by
>> >> Microsoft in 2014. There is virtually no use for it anymore.
>> >>
>> >> The "mount_smbfs" utility in FreeBSD only uses that protocol, which
>> >> results in making it useless with newer versions of Microsoft's
>> >> operating systems, as well as other OS's that have depreciated the
>> >> use of SMBv1.
>> >>
>> >> I would like to suggest that FreeBSD do one of the following:
>> >>
>> >> 1) Remove "mount_smbfs" from FreeBSD. This would probably be in
>> >> versions 12.1 or 13. It is perhaps too late to get into FreeBSD 12.
>> >>
>> >> 2) Update "mount_smbfs" so that it is compatible with versions
>> >> SMBv3 and greater. While "SMBv2" is not dead, it is definitely
>> >> comatose. This would be a better idea if someone had the time to do
>> >> it.
>> >
>> > FWIW, I believe SMBv3 is just a set of (largely optional) extensions to
>> > SMBv2, not an entirely different protocol, like SMBv1 is. Which means,
>> > any version that supports v3 is likely to also handle v2.
>> >
>> > There seems to be existing, working code in Nexenta, which is being
>> > upstreamed to Illumos:
>> >
>> > https://www.illumos.org/issues/9735
>> > https://github.com/illumos/illumos-gate/pull/37
>> >
>> > Their implementation descends from the one we have in base (and the one
>> > from OSX, which also descends from FreeBSD), so it should be possible to
>> > merge it.
>>
>> Yes, we have it working and tested pretty well. And that's exactly the
>> reason I was asking if there's work in progress for smb2/3 client or not
>> before even starting looking into porting the code.
>>
>> The problem here is that the code has grown library dependencies which
>> are CDDL-licensed, which aren't easy to break (if at all), so if ported,
>> it will be covered by WITHOUT_CDDL; hopefully that's acceptable. It's
>> possible that Nexenta-authored code could be relicensed under BSDL (I'll
>> have to ask, we already have a precedent with localedef), but sadly that
>> doesn't cover everything.
>
>I think making this CDDL is fine. Certainly better than failing to
>support SMBv2/v3.
>
>-- Brooks

SEE: https://en.wikipedia.org/wiki/Server_Message_Block#SMB_3.1.1

Particularly the section dealing with SMBv3.11. That is now the default
in Win 10. It makes no sense to not support the latest version
available. In fact, it would be counter-productive.

SMB 3.1.1 was introduced with Windows 10 and Windows Server 2016. This
version supports AES 128 GCM encryption in addition to AES 128 CCM
encryption added in SMB3, and implements pre-authentication integrity
check using SHA-512 hash. SMB 3.1.1 also makes secure negotiation
mandatory when connecting to clients using SMB 2.x and higher.

--
Gerard
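
The pre-authentication integrity check mentioned in the message above, sketched as an added example (not part of the original post, and not FreeBSD, Nexenta or Microsoft code): each side chains SHA-512 over the handshake bytes it saw and feeds the result into the signing-key derivation, so a negotiate message altered in transit leaves the two ends with different keys. The function names are hypothetical, the message bytes and session key are constructed stand-ins rather than real SMB2 packets, and the transcript is simplified to three messages; the KDF follows the SP 800-108 counter-mode construction with HMAC-SHA256 that MS-SMB2 describes for key generation.

```python
import hashlib
import hmac
import struct

def preauth_hash(messages):
    """SHA-512 chain over the raw handshake messages, seeded with 64 zero bytes."""
    value = bytes(64)
    for msg in messages:
        value = hashlib.sha512(value + msg).digest()
    return value

def kdf_counter_hmac_sha256(key, label, context, bits=128):
    """SP 800-108 counter-mode KDF with HMAC-SHA256; one block covers 128 bits."""
    block = struct.pack(">I", 1) + label + b"\x00" + context + struct.pack(">I", bits)
    return hmac.new(key, block, hashlib.sha256).digest()[: bits // 8]

def signing_key(session_key, messages):
    """Signing key bound to everything exchanged before authentication finished."""
    return kdf_counter_hmac_sha256(session_key, b"SMBSigningKey\x00",
                                   preauth_hash(messages))

def negotiation_intact(session_key, client_view, server_view):
    """True when both ends derive the same key, i.e. saw identical handshake bytes."""
    return hmac.compare_digest(signing_key(session_key, client_view),
                               signing_key(session_key, server_view))

# Constructed stand-ins for the handshake messages (not real SMB2 packets).
NEG_REQ = b"NEGOTIATE dialects=0300,0302,0311 ciphers=AES-128-GCM,AES-128-CCM"
NEG_REQ_ALTERED = b"NEGOTIATE dialects=0300,0302,0311 ciphers=AES-128-CCM"
NEG_RSP = b"NEGOTIATE-RSP dialect=0311 cipher=AES-128-CCM"
SETUP_REQ = b"SESSION_SETUP-REQ token=<constructed>"
SESSION_KEY = bytes(range(16))  # constructed 16-byte session key

def demo():
    """Return (untouched handshake intact?, altered handshake intact?)."""
    client = [NEG_REQ, NEG_RSP, SETUP_REQ]
    # The server received a request altered in transit, so its transcript differs.
    server = [NEG_REQ_ALTERED, NEG_RSP, SETUP_REQ]
    return (negotiation_intact(SESSION_KEY, client, client),
            negotiation_intact(SESSION_KEY, client, server))

if __name__ == "__main__":
    print(demo())
```

Because the keys diverge, the signature on the final session-setup response fails to verify on the client and the connection is dropped instead of continuing with the weakened parameters.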