GNOME Bugzilla – Bug 790711
smb: Use encryption if the server supports it
Last modified: 2018-09-21 18:16:21 UTC
Created attachment 364191 [details] [review] smb: Use encryption if the server supports it
Review of attachment 364191 [details] [review]:

It obviously works according to "encrypt SMB2 message" and "decrypt SMB2 message" from the debug log, and should not fail in case encryption can't be negotiated, as per the comment from https://github.com/samba-team/samba/blob/master/source3/libsmb/libsmb_server.c#L624:

/*
 * context->smb_encryption_level == 1
 * means don't fail if encryption can't be negotiated,
 * == 2 means fail if encryption can't be negotiated.
 */

However, it seems it could significantly affect the performance in some cases according to some google results, e.g.:
https://askubuntu.com/questions/716903/smb-encryption-for-connection-from-internet
http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.cdot-famg-cifs%2FGUID-EF158266-85EE-4648-8D0F-6F80F0E13DCA.html

My understanding is that it is currently encrypted if the server requires it, independently of smbc_setOptionSmbEncryptionLevel, so I am not sure whether it wouldn't be better to leave this to the server configuration and not require it mandatorily from the client... Did you test the performance impact in your case?
I only tested that I could still connect to my NAS, that's it. I think it's also what we should be using by default, if the server supports it. If the performance drops too low, then it would mean 1) the server is too slow, in which case it should disable encryption or it's required and that's what you get, or 2) the client is too slow, and then we can file bugs against libsmbclient, and cross our fingers they get looked at.
I've tested the transfer of a 3GB file on localhost and the speed is half with encryption enabled (31MBps vs 16MBps), with a similar result for smbget (39MBps vs 18MBps). Check the transfer speed with your NAS please... and possibly file a bug for libsmbclient.
Speed went from 26-27 MB/s to around 8-9 MB/s with encryption being the only difference. Filed https://bugzilla.samba.org/show_bug.cgi?id=13163
Hmm, my laptop has different load after restart and I see currently:
+- 25MBps with encryption
+- 50MBps with encryption and --accel-aes=intelaesni
+- 100MBps without encryption

So, I don't know... samba is mostly used on internal networks, where encryption isn't needed. And publicly accessible servers should be configured properly and require encryption...
(In reply to Ondrej Holy from comment #6)
> Hmm, my laptop has different load after restart and I see currently:
> +- 25MBps with encryption
> +- 50MBps with encryption and --accel-aes=intelaesni
> +- 100MBps without encryption
>
> So, I don't know... samba is mostly used on internal networks, where
> encryption isn't needed. And public accessible servers should be configured
> properly and require encryption...

I'll file a PR to add the acceleration to the Fedora package. Can you think of a way for users that care about the encryption but have a server that allows both (for example, a server that serves both internal and external clients) to force using encryption? My initial idea was to use a different URI scheme, but there's no separate declared URI scheme for secure/encrypted smb. Any other ideas?
(In reply to Bastien Nocera from comment #7)
> ...
>
> I'll file a PR to add the acceleration to the Fedora package. Can you think

Thanks!

> of a way that users that care about the encryption but have a server that
> allows both (for example, a server that serves both internal or external
> clients) to force using encryption?

I suppose that you can use the "hosts allow/deny" and "interfaces" options to limit access to certain shares...

> My initial idea was to use a different URI scheme, but there's no separate
> declared URI scheme for secure/encrypted smb. Any other ideas?

Although I like that idea, I am not super happy about adding some non-standardized schemes, but I suppose that not all schemes used by gvfs are standardized, e.g. dav, davs, dav+sd... so something like smb+encryption might be the way. Or maybe we can provide a gsettings key for it in the org.gnome.system.smb schema. It would also be possible to invoke the ask-question signal over the mount operation, but that would be super annoying...
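The difference between the two encryption levels discussed in this thread (1 = request, 2 = require) decides whether a client silently falls back to plaintext when the server cannot encrypt. The following is an added example, not gvfs or Samba code: it models the negotiation outcome for each client level against a server that lacks, offers, or requires encryption, and maps the thread's hypothetical "smb+encryption" scheme to the require level. The enum values mirror smbc_smb_encrypt_level in libsmbclient.h, but no libsmbclient call is made, so it builds with a plain C compiler. The rule that a server which requires encryption is always encrypted, whatever the client asks for, is taken from the understanding stated in comment #1 above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the values of smbc_smb_encrypt_level in libsmbclient.h, which the
 * Samba comment quoted in this thread describes: 1 = don't fail if encryption
 * can't be negotiated, 2 = fail if it can't. */
enum encrypt_level {
    ENCRYPTLEVEL_NONE    = 0,
    ENCRYPTLEVEL_REQUEST = 1,
    ENCRYPTLEVEL_REQUIRE = 2
};

enum session_outcome {
    SESSION_PLAINTEXT = 0,   /* connected, but data crosses the wire in clear */
    SESSION_ENCRYPTED = 1,   /* SMB3 transport encryption negotiated */
    SESSION_REFUSED   = 2    /* client gave up because encryption was unavailable */
};

/* Model of one negotiation. server_offers: the server supports SMB3
 * encryption; server_requires: the server is configured to insist on it
 * (per the thread, such a server is encrypted regardless of client level). */
enum session_outcome negotiate(enum encrypt_level client,
                               bool server_offers, bool server_requires)
{
    if (server_requires && server_offers)
        return SESSION_ENCRYPTED;
    if (client == ENCRYPTLEVEL_NONE)
        return SESSION_PLAINTEXT;
    if (server_offers)
        return SESSION_ENCRYPTED;
    /* Server cannot encrypt: level 1 silently downgrades, level 2 refuses. */
    return client == ENCRYPTLEVEL_REQUIRE ? SESSION_REFUSED : SESSION_PLAINTEXT;
}

/* Hypothetical mapping from the URI-scheme idea in the thread to a level:
 * plain "smb://" gets the attachment's opportunistic default (REQUEST), the
 * proposed non-standard "smb+encryption://" gets REQUIRE. Other schemes
 * return -1. */
int level_for_scheme(const char *uri)
{
    if (strncmp(uri, "smb+encryption://", 17) == 0)
        return ENCRYPTLEVEL_REQUIRE;
    if (strncmp(uri, "smb://", 6) == 0)
        return ENCRYPTLEVEL_REQUEST;
    return -1;
}

/* Prints the outcome table so the silent-downgrade row is visible at a glance. */
int main(void)
{
    static const char *const level_names[] = { "NONE", "REQUEST", "REQUIRE" };
    static const char *const outcome_names[] = { "plaintext", "encrypted", "refused" };
    for (int lvl = 0; lvl <= 2; lvl++) {
        printf("level %-7s: no-encryption=%-9s offers=%-9s requires=%s\n",
               level_names[lvl],
               outcome_names[negotiate((enum encrypt_level)lvl, false, false)],
               outcome_names[negotiate((enum encrypt_level)lvl, true, false)],
               outcome_names[negotiate((enum encrypt_level)lvl, true, true)]);
    }
    return 0;
}
```

The REQUEST row is the one to watch: against a server without encryption the mount succeeds and traffic is in clear, which is exactly the case the "smb+encryption" or gsettings proposal would let a user opt out of by selecting REQUIRE.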
-- GitLab Migration Automatic Message -- This bug has been migrated to GNOME's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/gvfs/issues/321.