/*
 * TLS check program for CUPS.
 *
 * Copyright 2007-2017 by Apple Inc.
 * Copyright 1997-2006 by Easy Software Products.
 *
 * Licensed under Apache License v2.0. See the file "LICENSE" for more information.
 */
9
10/*
11 * Include necessary headers...
12 */
13
14#include "cups-private.h"
15
16
17#ifndef HAVE_SSL
int					/* O - Exit status (always 1) */
main(void)
{
 /*
  * Built without TLS support there is nothing to check, so fail loudly
  * rather than ever reporting a false "OK".
  */

  puts("Sorry, no TLS support compiled in.");

  return (1);
}
19#else
20
21/*
22 * Local functions...
23 */
24
25static void usage(void);
26
27
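/*
 * 'parse_port()' - Parse a decimal TCP port number.
 *
 * Returns the port (1-65535) or 0 when "s" is empty, does not start with a
 * digit, contains anything after the digits, or is out of range.  atoi()
 * cannot report any of those conditions (it returns 0 for junk and has
 * undefined behavior on overflow), which is why it is not used here.
 */

static int				/* O - Port number, or 0 on error */
parse_port(const char *s)		/* I - String to parse */
{
  char	*end;				/* First unparsed character */
  long	value;				/* Parsed value */


  if (!s || !isdigit(*s & 255))
    return (0);

  value = strtol(s, &end, 10);

 /*
  * strtol() clamps to LONG_MAX on overflow, so the range check also catches
  * overflow without having to consult errno.
  */

  if (*end || value < 1 || value > 65535)
    return (0);

  return ((int)value);
}


#ifdef __APPLE__
/*
 * Secure Transport cipher suites this tool knows by name.  The "dh" flag
 * marks suites whose key exchange carries server parameters (DH/DHE and
 * ECDH/ECDHE); for those a failure to read the Diffie-Hellman parameters is
 * treated as an error rather than as "nothing to report".  The name string
 * is generated from the identifier so the two can never drift apart.
 */

#  define TLSCHECK_CIPHER(suite, dh)	{ suite, #suite, dh }

typedef struct tlscheck_cipher_s	/* Cipher suite table entry */
{
  SSLCipherSuite	suite;		/* Secure Transport suite value */
  const char		*name;		/* IANA suite name */
  int			dh;		/* 1 if DH/ECDH parameters are expected */
} tlscheck_cipher_t;

static const tlscheck_cipher_t tlscheck_ciphers[] =
{
  TLSCHECK_CIPHER(TLS_NULL_WITH_NULL_NULL, 0),
  TLSCHECK_CIPHER(TLS_RSA_WITH_NULL_MD5, 0),
  TLSCHECK_CIPHER(TLS_RSA_WITH_NULL_SHA, 0),
  TLSCHECK_CIPHER(TLS_RSA_WITH_RC4_128_MD5, 0),
  TLSCHECK_CIPHER(TLS_RSA_WITH_RC4_128_SHA, 0),
  TLSCHECK_CIPHER(TLS_RSA_WITH_3DES_EDE_CBC_SHA, 0),
  TLSCHECK_CIPHER(TLS_RSA_WITH_NULL_SHA256, 0),
  TLSCHECK_CIPHER(TLS_RSA_WITH_AES_128_CBC_SHA256, 0),
  TLSCHECK_CIPHER(TLS_RSA_WITH_AES_256_CBC_SHA256, 0),
  TLSCHECK_CIPHER(TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_DH_DSS_WITH_AES_128_CBC_SHA256, 1),
  TLSCHECK_CIPHER(TLS_DH_RSA_WITH_AES_128_CBC_SHA256, 1),
  TLSCHECK_CIPHER(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, 1),
  TLSCHECK_CIPHER(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 1),
  TLSCHECK_CIPHER(TLS_DH_DSS_WITH_AES_256_CBC_SHA256, 1),
  TLSCHECK_CIPHER(TLS_DH_RSA_WITH_AES_256_CBC_SHA256, 1),
  TLSCHECK_CIPHER(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, 1),
  TLSCHECK_CIPHER(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, 1),
  TLSCHECK_CIPHER(TLS_DH_anon_WITH_RC4_128_MD5, 1),
  TLSCHECK_CIPHER(TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_DH_anon_WITH_AES_128_CBC_SHA256, 1),
  TLSCHECK_CIPHER(TLS_DH_anon_WITH_AES_256_CBC_SHA256, 1),
  TLSCHECK_CIPHER(TLS_PSK_WITH_RC4_128_SHA, 0),
  TLSCHECK_CIPHER(TLS_PSK_WITH_3DES_EDE_CBC_SHA, 0),
  TLSCHECK_CIPHER(TLS_PSK_WITH_AES_128_CBC_SHA, 0),
  TLSCHECK_CIPHER(TLS_PSK_WITH_AES_256_CBC_SHA, 0),
  TLSCHECK_CIPHER(TLS_DHE_PSK_WITH_RC4_128_SHA, 1),
  TLSCHECK_CIPHER(TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_DHE_PSK_WITH_AES_128_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_DHE_PSK_WITH_AES_256_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_RSA_PSK_WITH_RC4_128_SHA, 0),
  TLSCHECK_CIPHER(TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, 0),
  TLSCHECK_CIPHER(TLS_RSA_PSK_WITH_AES_128_CBC_SHA, 0),
  TLSCHECK_CIPHER(TLS_RSA_PSK_WITH_AES_256_CBC_SHA, 0),
  TLSCHECK_CIPHER(TLS_PSK_WITH_NULL_SHA, 0),
  TLSCHECK_CIPHER(TLS_DHE_PSK_WITH_NULL_SHA, 1),
  TLSCHECK_CIPHER(TLS_RSA_PSK_WITH_NULL_SHA, 0),
  TLSCHECK_CIPHER(TLS_RSA_WITH_AES_128_GCM_SHA256, 0),
  TLSCHECK_CIPHER(TLS_RSA_WITH_AES_256_GCM_SHA384, 0),
  TLSCHECK_CIPHER(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 1),
  TLSCHECK_CIPHER(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, 1),
  TLSCHECK_CIPHER(TLS_DH_RSA_WITH_AES_128_GCM_SHA256, 1),
  TLSCHECK_CIPHER(TLS_DH_RSA_WITH_AES_256_GCM_SHA384, 1),
  TLSCHECK_CIPHER(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, 1),
  TLSCHECK_CIPHER(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, 1),
  TLSCHECK_CIPHER(TLS_DH_DSS_WITH_AES_128_GCM_SHA256, 1),
  TLSCHECK_CIPHER(TLS_DH_DSS_WITH_AES_256_GCM_SHA384, 1),
  TLSCHECK_CIPHER(TLS_DH_anon_WITH_AES_128_GCM_SHA256, 1),
  TLSCHECK_CIPHER(TLS_DH_anon_WITH_AES_256_GCM_SHA384, 1),
  TLSCHECK_CIPHER(TLS_PSK_WITH_AES_128_GCM_SHA256, 0),
  TLSCHECK_CIPHER(TLS_PSK_WITH_AES_256_GCM_SHA384, 0),
  TLSCHECK_CIPHER(TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, 1),
  TLSCHECK_CIPHER(TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, 1),
  TLSCHECK_CIPHER(TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, 0),
  TLSCHECK_CIPHER(TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, 0),
  TLSCHECK_CIPHER(TLS_PSK_WITH_AES_128_CBC_SHA256, 0),
  TLSCHECK_CIPHER(TLS_PSK_WITH_AES_256_CBC_SHA384, 0),
  TLSCHECK_CIPHER(TLS_PSK_WITH_NULL_SHA256, 0),
  TLSCHECK_CIPHER(TLS_PSK_WITH_NULL_SHA384, 0),
  TLSCHECK_CIPHER(TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, 1),
  TLSCHECK_CIPHER(TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, 1),
  TLSCHECK_CIPHER(TLS_DHE_PSK_WITH_NULL_SHA256, 1),
  TLSCHECK_CIPHER(TLS_DHE_PSK_WITH_NULL_SHA384, 1),
  TLSCHECK_CIPHER(TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, 0),
  TLSCHECK_CIPHER(TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, 0),
  TLSCHECK_CIPHER(TLS_RSA_PSK_WITH_NULL_SHA256, 0),
  TLSCHECK_CIPHER(TLS_RSA_PSK_WITH_NULL_SHA384, 0),
  TLSCHECK_CIPHER(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 1),
  TLSCHECK_CIPHER(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 1),
  TLSCHECK_CIPHER(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, 1),
  TLSCHECK_CIPHER(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, 1),
  TLSCHECK_CIPHER(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 1),
  TLSCHECK_CIPHER(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 1),
  TLSCHECK_CIPHER(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, 1),
  TLSCHECK_CIPHER(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, 1),
  TLSCHECK_CIPHER(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1),
  TLSCHECK_CIPHER(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1),
  TLSCHECK_CIPHER(TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, 1),
  TLSCHECK_CIPHER(TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, 1),
  TLSCHECK_CIPHER(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1),
  TLSCHECK_CIPHER(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1),
  TLSCHECK_CIPHER(TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, 1),
  TLSCHECK_CIPHER(TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, 1),
  TLSCHECK_CIPHER(TLS_RSA_WITH_AES_128_CBC_SHA, 0),
  TLSCHECK_CIPHER(TLS_DH_DSS_WITH_AES_128_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_DH_RSA_WITH_AES_128_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_DH_anon_WITH_AES_128_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_RSA_WITH_AES_256_CBC_SHA, 0),
  TLSCHECK_CIPHER(TLS_DH_DSS_WITH_AES_256_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_DH_RSA_WITH_AES_256_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_DH_anon_WITH_AES_256_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDH_ECDSA_WITH_NULL_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDH_ECDSA_WITH_RC4_128_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDHE_ECDSA_WITH_NULL_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDH_RSA_WITH_NULL_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDH_RSA_WITH_RC4_128_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDHE_RSA_WITH_NULL_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDHE_RSA_WITH_RC4_128_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDH_anon_WITH_NULL_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDH_anon_WITH_RC4_128_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDH_anon_WITH_AES_128_CBC_SHA, 1),
  TLSCHECK_CIPHER(TLS_ECDH_anon_WITH_AES_256_CBC_SHA, 1)
};


/*
 * 'tlscheck_cipher_name()' - Look up the IANA name of a negotiated cipher suite.
 *
 * Sets "*dh" to 1 when the suite is expected to carry DH/ECDH parameters,
 * 0 otherwise.  Suites not in the table are reported as "UNKNOWN_%04X"
 * formatted into "buffer" (which must outlive the returned pointer).
 */

static const char *			/* O - Cipher suite name */
tlscheck_cipher_name(
    SSLCipherSuite cipher,		/* I - Negotiated cipher suite */
    int            *dh,			/* O - 1 if DH/ECDH params expected */
    char           *buffer,		/* I - Buffer for unknown suite names */
    size_t         bufsize)		/* I - Size of buffer */
{
  size_t	i;			/* Looping var */


  for (i = 0; i < sizeof(tlscheck_ciphers) / sizeof(tlscheck_ciphers[0]); i ++)
  {
    if (tlscheck_ciphers[i].suite == cipher)
    {
      *dh = tlscheck_ciphers[i].dh;
      return (tlscheck_ciphers[i].name);
    }
  }

  *dh = 0;
  snprintf(buffer, bufsize, "UNKNOWN_%04X", (unsigned)cipher);

  return (buffer);
}
#endif /* __APPLE__ */


/*
 * 'main()' - Main entry.
 *
 * Opens a TLS-only connection to the given printer and reports what was
 * negotiated.  On macOS the Secure Transport session is inspected for the
 * protocol version, cipher suite and Diffie-Hellman parameter size; RC4
 * suites and DH groups shorter than 2048 bits are reported as errors.  On
 * other platforms the version and cipher are never queried, so the summary
 * line reads "TLS: 0.0, UNKNOWN" and only the credentials are informative.
 *
 * With --verbose a Get-Printer-Attributes request is also sent over the
 * secured connection and the returned printer attributes are printed.
 *
 * Returns 0 when the connection passed every check applied here and 1
 * otherwise (usage errors exit with 1 from usage()).
 */

int					/* O - Exit status */
main(int  argc,				/* I - Number of command-line arguments */
     char *argv[])			/* I - Command-line arguments */
{
  int		i;			/* Looping var */
  http_t	*http;			/* HTTP connection */
  const char	*server = NULL;		/* Hostname from command-line */
  int		port = 0;		/* Port number */
  cups_array_t	*creds;			/* Server credentials */
  char		creds_str[2048];	/* Credentials string */
  const char	*cipherName = "UNKNOWN";/* Cipher suite name */
  int		dhBits = 0;		/* Diffie-Hellman bits */
  int		tlsVersion = 0;		/* TLS version as major*10+minor */
  char		uri[1024],		/* Printer URI */
		scheme[32],		/* URI scheme */
		host[256] = "",		/* Hostname (set on every server path) */
		userpass[256],		/* Username/password */
		resource[256] = "";	/* Resource path */
  int		af = AF_UNSPEC,		/* Address family */
		tls_options = _HTTP_TLS_NONE,
					/* TLS options */
		tls_min_version = _HTTP_TLS_1_0,
					/* Lowest TLS version to offer */
		tls_max_version = _HTTP_TLS_MAX,
					/* Highest TLS version to offer */
		verbose = 0;		/* Verbosity */
  ipp_t		*request,		/* IPP Get-Printer-Attributes request */
		*response;		/* IPP Get-Printer-Attributes response */
  ipp_attribute_t *attr;		/* Current attribute */
  const char	*name;			/* Attribute name */
  char		value[1024];		/* Attribute (string) value */
#ifdef __APPLE__
  SSLProtocol	protocol;		/* Negotiated protocol version */
  SSLCipherSuite cipher;		/* Negotiated cipher suite */
  char		unknownCipherName[256];	/* Name buffer for unlisted suites */
  int		paramsNeeded = 0;	/* Suite carries DH/ECDH parameters? */
  const void	*params = NULL;		/* Diffie-Hellman parameters */
  size_t	paramsLen = 0;		/* Length of DH parameters in bytes */
  OSStatus	err;			/* Secure Transport status */
#endif /* __APPLE__ */
  static const char * const pattrs[] =	/* Requested attributes */
  {
    "color-supported",
    "compression-supported",
    "document-format-supported",
    "pages-per-minute",
    "printer-location",
    "printer-make-and-model",
    "printer-state",
    "printer-state-reasons",
    "sides-supported",
    "uri-authentication-supported",
    "uri-security-supported"
  };


 /*
  * Parse command-line options...
  */

  for (i = 1; i < argc; i ++)
  {
    if (!strcmp(argv[i], "--dh"))
    {
      tls_options |= _HTTP_TLS_ALLOW_DH;
    }
    else if (!strcmp(argv[i], "--no-cbc"))
    {
      tls_options |= _HTTP_TLS_DENY_CBC;
    }
    else if (!strcmp(argv[i], "--no-tls10"))
    {
      tls_min_version = _HTTP_TLS_1_1;
    }
    else if (!strcmp(argv[i], "--tls10"))
    {
     /*
      * Pin both ends of the range so the handshake can only succeed with
      * TLS 1.0 - useful for checking whether a printer still accepts it.
      */

      tls_min_version = _HTTP_TLS_1_0;
      tls_max_version = _HTTP_TLS_1_0;
    }
    else if (!strcmp(argv[i], "--rc4"))
    {
      tls_options |= _HTTP_TLS_ALLOW_RC4;
    }
    else if (!strcmp(argv[i], "--verbose") || !strcmp(argv[i], "-v"))
    {
      verbose = 1;
    }
    else if (!strcmp(argv[i], "-4"))
    {
      af = AF_INET;
    }
    else if (!strcmp(argv[i], "-6"))
    {
      af = AF_INET6;
    }
    else if (argv[i][0] == '-')
    {
      printf("tlscheck: Unknown option '%s'.\n", argv[i]);
      usage();
    }
    else if (!server)
    {
      if (!strncmp(argv[i], "ipps://", 7))
      {
       /*
        * httpSeparateURI() returns a negative status for a malformed URI;
        * HTTP_URI_STATUS_OK is 0 and the positive values are warnings.
        */

        if (httpSeparateURI(HTTP_URI_CODING_ALL, argv[i], scheme, sizeof(scheme), userpass, sizeof(userpass), host, sizeof(host), &port, resource, sizeof(resource)) < 0)
        {
          printf("tlscheck: Bad printer URI '%s'.\n", argv[i]);
          usage();
        }
      }
      else
      {
       /*
        * Copy the bare hostname into "host" so that the verbose path below
        * can build the printer URI from it; strlcpy() returns the source
        * length, so a return >= sizeof(host) means it was truncated.
        */

        if (strlcpy(host, argv[i], sizeof(host)) >= sizeof(host))
        {
          printf("tlscheck: Hostname '%s' is too long.\n", argv[i]);
          usage();
        }

        strlcpy(resource, "/ipp/print", sizeof(resource));
      }

      server = host;
    }
    else if (!port && (argv[i][0] == '=' || isdigit(argv[i][0] & 255)))
    {
      const char *portstr = argv[i][0] == '=' ? argv[i] + 1 : argv[i];
					/* Port digits without any '=' prefix */

      if ((port = parse_port(portstr)) <= 0)
      {
        printf("tlscheck: Bad port number '%s'.\n", argv[i]);
        usage();
      }
    }
    else
    {
      printf("tlscheck: Unexpected argument '%s'.\n", argv[i]);
      usage();
    }
  }

  if (!server)
    usage();

  if (!port)
    port = 631;

  _httpTLSSetOptions(tls_options, tls_min_version, tls_max_version);

 /*
  * HTTP_ENCRYPTION_ALWAYS makes httpConnect2() perform the TLS handshake up
  * front, so a printer that only speaks plaintext fails here instead of the
  * check silently running over an unencrypted connection.
  */

  http = httpConnect2(server, port, NULL, af, HTTP_ENCRYPTION_ALWAYS, 1, 30000, NULL);
  if (!http)
  {
    printf("%s: ERROR (%s)\n", server, cupsLastErrorString());
    return (1);
  }

 /*
  * Capture the server's X.509 credentials for display.  NOTE(review): this
  * only prints the chain; whether it was trusted was decided during the
  * handshake inside httpConnect2() according to the client TLS policy, and
  * is not re-evaluated here - confirm before relying on an "OK" line as a
  * statement about certificate trust.
  */

  if (httpCopyCredentials(http, &creds))
  {
    strlcpy(creds_str, "Unable to get server X.509 credentials.", sizeof(creds_str));
  }
  else
  {
    httpCredentialsString(creds, creds_str, sizeof(creds_str));
    httpFreeCredentials(creds);
  }

#ifdef __APPLE__
 /*
  * Inspect the Secure Transport session...
  */

  if ((err = SSLGetNegotiatedProtocolVersion(http->tls, &protocol)) != noErr)
  {
    printf("%s: ERROR (No protocol version - %d)\n", server, (int)err);
    httpClose(http);
    return (1);
  }

  switch (protocol)
  {
    case kSSLProtocol3 :
        tlsVersion = 30;
        break;
    case kTLSProtocol1 :
        tlsVersion = 10;
        break;
    case kTLSProtocol11 :
        tlsVersion = 11;
        break;
    case kTLSProtocol12 :
        tlsVersion = 12;
        break;
    default :
       /*
        * Any version not listed above (including anything newer than TLS
        * 1.2 that the SDK may negotiate) is reported as "0.0".
        */

        tlsVersion = 0;
        break;
  }

  if ((err = SSLGetNegotiatedCipher(http->tls, &cipher)) != noErr)
  {
    printf("%s: ERROR (No cipher suite - %d)\n", server, (int)err);
    httpClose(http);
    return (1);
  }

  cipherName = tlscheck_cipher_name(cipher, &paramsNeeded, unknownCipherName, sizeof(unknownCipherName));

 /*
  * Reject every RC4 suite in the table, not just the two TLS_RSA_* ones -
  * the requirement is on RC4 as a cipher, regardless of key exchange.
  * (NULL-encryption suites are still only reported, not rejected.)
  */

  if (strstr(cipherName, "_RC4_"))
  {
    printf("%s: ERROR (Printers MUST NOT negotiate RC4 cipher suites.)\n", server);
    httpClose(http);
    return (1);
  }

 /*
  * Fetch the Diffie-Hellman parameters.  For suites that do not carry any,
  * a failure here is not an error but must leave paramsLen at 0 so the
  * size check below does not read an unset value.
  */

  if ((err = SSLGetDiffieHellmanParams(http->tls, &params, &paramsLen)) != noErr)
  {
    if (paramsNeeded)
    {
      printf("%s: ERROR (Unable to get Diffie-Hellman parameters - %d)\n", server, (int)err);
      httpClose(http);
      return (1);
    }

    paramsLen = 0;
  }

 /*
  * 2048 bits is 256 bytes; the previous threshold of 128 bytes only
  * rejected groups below 1024 bits while the message promised 2048.
  * NOTE(review): if Secure Transport hands back DER-encoded parameters the
  * length includes a few bytes of encoding overhead, so this is a necessary
  * rather than exact check and the reported bit count is approximate.
  */

  if (paramsLen > 0 && paramsLen < 256)
  {
    printf("%s: ERROR (Diffie-Hellman parameters MUST be at least 2048 bits, but Printer uses only %d bits/%d bytes)\n", server, (int)paramsLen * 8, (int)paramsLen);
    httpClose(http);
    return (1);
  }

  dhBits = (int)paramsLen * 8;
#endif /* __APPLE__ */

  if (dhBits > 0)
    printf("%s: OK (TLS: %d.%d, %s, %d DH bits)\n", server, tlsVersion / 10, tlsVersion % 10, cipherName, dhBits);
  else
    printf("%s: OK (TLS: %d.%d, %s)\n", server, tlsVersion / 10, tlsVersion % 10, cipherName);

  printf(" %s\n", creds_str);

  if (verbose)
  {
   /*
    * Exercise the secured connection with a Get-Printer-Attributes request
    * and dump the printer attributes that come back.
    */

    httpAssembleURI(HTTP_URI_CODING_ALL, uri, sizeof(uri), "ipps", NULL, host, port, resource);
    request = ippNewRequest(IPP_OP_GET_PRINTER_ATTRIBUTES);
    ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_URI, "printer-uri", NULL, uri);
    ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_NAME, "requesting-user-name", NULL, cupsUser());
    ippAddStrings(request, IPP_TAG_OPERATION, IPP_TAG_KEYWORD, "requested-attributes", (int)(sizeof(pattrs) / sizeof(pattrs[0])), NULL, pattrs);

    if ((response = cupsDoRequest(http, request, resource)) == NULL)
    {
      printf(" Get-Printer-Attributes failed: %s\n", cupsLastErrorString());
    }
    else
    {
      for (attr = ippFirstAttribute(response); attr; attr = ippNextAttribute(response))
      {
        if (ippGetGroupTag(attr) != IPP_TAG_PRINTER)
          continue;

        if ((name = ippGetName(attr)) == NULL)
          continue;

        ippAttributeString(attr, value, sizeof(value));
        printf(" %s=%s\n", name, value);
      }

      ippDelete(response);
    }

    puts("");
  }

  httpClose(http);

  return (0);
}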
738
739
/*
 * 'usage()' - Show program usage.
 *
 * Prints the command-line help to stdout and exits with status 1.  It is
 * called for missing arguments as well as for unknown options, so it never
 * returns to the caller.
 */

static void
usage(void)
{
  static const char * const help[] =	/* Help text, one entry per line */
  {
    "Usage: ./tlscheck [options] server [port]",
    " ./tlscheck [options] ipps://server[:port]/path",
    "",
    "Options:",
    " --dh Allow DH/DHE key exchange",
    " --no-cbc Disable CBC cipher suites",
    " --no-tls10 Disable TLS/1.0",
    " --rc4 Allow RC4 encryption",
    " --tls10 Only use TLS/1.0",
    " --verbose Be verbose",
    " -4 Connect using IPv4 addresses only",
    " -6 Connect using IPv6 addresses only",
    " -v Be verbose",
    "",
    "The default port is 631."
  };
  size_t	line;			/* Looping var */


  for (line = 0; line < sizeof(help) / sizeof(help[0]); line ++)
    puts(help[line]);

  exit(1);
}
58796d49 765#endif /* !HAVE_SSL */