On 04/01, Tom Talpey wrote:
> Is SMB2 really FIPS compliant? Even if it is, a server that doesn't support anything higher is obviously far out of date.
It's more that the crypto stuff used by SMB1 is *not* compliant. If SMB2 keeps using FIPS-approved hashing/crypto algorithms, I guess it makes it FIPS compliant, and the burden is on their end to disqualify older algorithms for their certification.
> I think it would be better to recommend, or maybe even require, SMB3 here.
So, I've added a bit in the SECURITY section saying that mount.cifs doesn't enforce anything, and all crypto blocking/allowing is done in the kernel. Do you think we should? An informed user, with particular requirements, might want to use SMB2 *and* still be FIPS compliant, but we would be enforcing something (non-SMB3) that's not quite right. And if the kernel is not in FIPS mode, we should only inform the user, because we don't actually use/do any crypto computation in mount.cifs.

Cheers,
Enzo