This controls if and how strict the client will verify the peer's certificate and name. Possible values are (in increasing order): no_check, ca_only, ca_and_name_if_available, ca_and_name and as_strict_as_possible.
When set to no_check the certificate is not verified at all, which allows trivial man in the middle attacks.
When set to ca_only the certificate is verified to be signed from a ca specified in the option. Setting to a valid file is required. The certificate lifetime is also verified. If the option is configured, the certificate is also verified against the ca crl.
When set to ca_and_name_if_available all checks from ca_only are performed. In addition, the peer hostname is verified against the certificate's name, if it is provided by the application layer and not given as an ip address string.
When set to ca_and_name all checks from ca_and_name_if_available are performed. In addition the peer hostname needs to be provided and even an ip address is checked against the certificate's name.
When set to as_strict_as_possible all checks from ca_and_name are performed. In addition the needs to be configured. Future versions of Samba may implement additional checks.
|Registry Path||Software\Policies\Samba\smb_conf\tls verify peer|
|Value Name||tls verify peer|