1 /*
2 * "$Id$"
3 *
4 * TLS check program for CUPS.
5 *
6 * Copyright 2007-2015 by Apple Inc.
7 * Copyright 1997-2006 by Easy Software Products.
8 *
9 * These coded instructions, statements, and computer programs are the
10 * property of Apple Inc. and are protected by Federal copyright
11 * law. Distribution and use rights are outlined in the file "LICENSE.txt"
12 * which should have been included with this file. If this file is
13 * missing or damaged, see the license at "http://www.cups.org/".
14 *
15 * This file is subject to the Apple OS-Developed Software exception.
16 */
17
18 /*
19 * Include necessary headers...
20 */
21
22 #include "cups-private.h"
23
24
25 /*
26 * Local functions...
27 */
28
29 static void usage(void);
30
31
32 /*
33 * 'main()' - Main entry.
34 */
35
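/*
 * 'main()' - Main entry.
 *
 * Usage: tlscheck [options] server [port]
 *        tlscheck [options] ipps://server[:port]/path
 *
 * Opens an always-encrypted HTTP connection to the server, reports the
 * negotiated protocol version, cipher suite and (for DH/ECDH suites) the size
 * of the key exchange parameters, and with --verbose/-v also fetches and
 * prints a handful of printer attributes over IPP.  The protocol/cipher
 * inspection is only available when built on Apple platforms (Secure
 * Transport); elsewhere the tool only verifies that the TLS connection can be
 * established and reports "0.0, UNKNOWN".
 *
 * Returns 0 when the connection is acceptable and 1 on any error.  Invalid
 * command-line input goes through usage(), which exits with status 1.
 */

int					/* O - Exit status */
main(int  argc,				/* I - Number of command-line arguments */
     char *argv[])			/* I - Command-line arguments */
{
  int		i;			/* Looping var */
  http_t	*http;			/* HTTP connection */
  const char	*server = NULL;		/* Hostname from command-line */
  int		port = 0;		/* Port number (0 = not yet chosen) */
  const char	*cipherName = "UNKNOWN";/* Cipher suite name */
  int		dhBits = 0;		/* Diffie-Hellman bits (0 = none/unknown) */
  int		tlsVersion = 0;		/* TLS version number, major * 10 + minor */
  char		uri[1024],		/* Printer URI */
		scheme[32],		/* URI scheme */
		host[256],		/* Hostname (only filled from an ipps:// URI) */
		userpass[256],		/* Username/password */
		resource[256];		/* Resource path */
  int		tls_options = _HTTP_TLS_NONE,
					/* TLS options */
		verbose = 0;		/* Verbosity */
  ipp_t		*request,		/* IPP Get-Printer-Attributes request */
		*response;		/* IPP Get-Printer-Attributes response */
  ipp_attribute_t *attr;		/* Current attribute */
  const char	*name;			/* Attribute name */
  char		value[1024];		/* Attribute (string) value */
  static const char * const pattrs[] =	/* Requested attributes */
  {
    "color-supported",
    "compression-supported",
    "document-format-supported",
    "pages-per-minute",
    "printer-location",
    "printer-make-and-model",
    "printer-state",
    "printer-state-reasons",
    "sides-supported",
    "uri-authentication-supported",
    "uri-security-supported"
  };


 /*
  * Parse the command-line...
  */

  for (i = 1; i < argc; i ++)
  {
    if (!strcmp(argv[i], "--dh"))
    {
      tls_options |= _HTTP_TLS_ALLOW_DH;
    }
    else if (!strcmp(argv[i], "--no-tls10"))
    {
      tls_options |= _HTTP_TLS_DENY_TLS10;
    }
    else if (!strcmp(argv[i], "--rc4"))
    {
      tls_options |= _HTTP_TLS_ALLOW_RC4;
    }
    else if (!strcmp(argv[i], "--verbose") || !strcmp(argv[i], "-v"))
    {
      verbose = 1;
    }
    else if (argv[i][0] == '-')
    {
      printf("tlscheck: Unknown option '%s'.\n", argv[i]);
      usage();
    }
    else if (!server)
    {
      if (!strncmp(argv[i], "ipps://", 7))
      {
       /*
        * Full URI: host, port and resource come from it.  A malformed or
	* oversized URI is rejected here instead of silently leaving the
	* buffers empty for the code below.
	*/

        if (httpSeparateURI(HTTP_URI_CODING_ALL, argv[i], scheme, sizeof(scheme), userpass, sizeof(userpass), host, sizeof(host), &port, resource, sizeof(resource)) < HTTP_URI_STATUS_OK)
        {
          printf("tlscheck: Bad URI '%s'.\n", argv[i]);
          usage();
        }

        server = host;
      }
      else
      {
        server = argv[i];
        strlcpy(resource, "/ipp/print", sizeof(resource));
      }
    }
    else if (!port && (argv[i][0] == '=' || isdigit(argv[i][0] & 255)))
    {
     /*
      * Port number, optionally prefixed with "=".  Reject trailing junk and
      * values outside the TCP range instead of letting atoi() truncate them
      * (an out-of-range strtol() result is caught by the range test).
      */

      const char	*portStr = argv[i] + (argv[i][0] == '=' ? 1 : 0);
					/* Digits of the port number */
      char		*end;		/* First unparsed character */
      long		portVal;	/* Parsed value */

      portVal = strtol(portStr, &end, 10);

      if (end == portStr || *end || portVal < 1 || portVal > 65535)
      {
        printf("tlscheck: Bad port number '%s'.\n", argv[i]);
        usage();
      }

      port = (int)portVal;
    }
    else
    {
      printf("tlscheck: Unexpected argument '%s'.\n", argv[i]);
      usage();
    }
  }

  if (!server)
    usage();

  if (!port)
    port = 631;

 /*
  * Apply the requested TLS policy and connect with encryption required...
  */

  _httpTLSSetOptions(tls_options);

  http = httpConnect2(server, port, NULL, AF_UNSPEC, HTTP_ENCRYPTION_ALWAYS, 1, 30000, NULL);
  if (!http)
  {
    printf("%s: ERROR (%s)\n", server, cupsLastErrorString());
    return (1);
  }

#ifdef __APPLE__
 /*
  * Secure Transport lets us inspect what was actually negotiated...
  */

  SSLProtocol	protocol;		/* Negotiated protocol */
  SSLCipherSuite cipher;		/* Negotiated cipher suite */
  char		unknownCipherName[256];	/* Name for a suite not in the table */
  int		paramsNeeded = 0;	/* Suite uses DH/ECDH parameters? */
  const void	*params = NULL;		/* Diffie-Hellman parameters */
  size_t	paramsLen = 0,		/* Length of DH parameters (0 = none) */
		c,			/* Cipher table index */
		numCiphers;		/* Number of cipher table entries */
  OSStatus	err;			/* Secure Transport status */

 /*
  * Known cipher suites.  CIPHER() keeps the numeric constant and the printed
  * name in sync; the flag marks suites whose key exchange carries DH/ECDH
  * parameters that we want to measure.
  */

#  define CIPHER(suite,dh) { suite, #suite, dh }
  static const struct
  {
    SSLCipherSuite suite;		/* Cipher suite value */
    const char	*name;			/* Cipher suite name */
    int		needsParams;		/* 1 if DH/ECDH parameters apply */
  }		ciphers[] =
  {
    CIPHER(TLS_NULL_WITH_NULL_NULL, 0),
    CIPHER(TLS_RSA_WITH_NULL_MD5, 0),
    CIPHER(TLS_RSA_WITH_NULL_SHA, 0),
    CIPHER(TLS_RSA_WITH_RC4_128_MD5, 0),
    CIPHER(TLS_RSA_WITH_RC4_128_SHA, 0),
    CIPHER(TLS_RSA_WITH_3DES_EDE_CBC_SHA, 0),
    CIPHER(TLS_RSA_WITH_NULL_SHA256, 0),
    CIPHER(TLS_RSA_WITH_AES_128_CBC_SHA256, 0),
    CIPHER(TLS_RSA_WITH_AES_256_CBC_SHA256, 0),
    CIPHER(TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA, 1),
    CIPHER(TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA, 1),
    CIPHER(TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 1),
    CIPHER(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 1),
    CIPHER(TLS_DH_DSS_WITH_AES_128_CBC_SHA256, 1),
    CIPHER(TLS_DH_RSA_WITH_AES_128_CBC_SHA256, 1),
    CIPHER(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, 1),
    CIPHER(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 1),
    CIPHER(TLS_DH_DSS_WITH_AES_256_CBC_SHA256, 1),
    CIPHER(TLS_DH_RSA_WITH_AES_256_CBC_SHA256, 1),
    CIPHER(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, 1),
    CIPHER(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, 1),
    CIPHER(TLS_DH_anon_WITH_RC4_128_MD5, 1),
    CIPHER(TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, 1),
    CIPHER(TLS_DH_anon_WITH_AES_128_CBC_SHA256, 1),
    CIPHER(TLS_DH_anon_WITH_AES_256_CBC_SHA256, 1),
    CIPHER(TLS_PSK_WITH_RC4_128_SHA, 0),
    CIPHER(TLS_PSK_WITH_3DES_EDE_CBC_SHA, 0),
    CIPHER(TLS_PSK_WITH_AES_128_CBC_SHA, 0),
    CIPHER(TLS_PSK_WITH_AES_256_CBC_SHA, 0),
    CIPHER(TLS_DHE_PSK_WITH_RC4_128_SHA, 1),
    CIPHER(TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, 1),
    CIPHER(TLS_DHE_PSK_WITH_AES_128_CBC_SHA, 1),
    CIPHER(TLS_DHE_PSK_WITH_AES_256_CBC_SHA, 1),
    CIPHER(TLS_RSA_PSK_WITH_RC4_128_SHA, 0),
    CIPHER(TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, 0),
    CIPHER(TLS_RSA_PSK_WITH_AES_128_CBC_SHA, 0),
    CIPHER(TLS_RSA_PSK_WITH_AES_256_CBC_SHA, 0),
    CIPHER(TLS_PSK_WITH_NULL_SHA, 0),
    CIPHER(TLS_DHE_PSK_WITH_NULL_SHA, 1),
    CIPHER(TLS_RSA_PSK_WITH_NULL_SHA, 0),
    CIPHER(TLS_RSA_WITH_AES_128_GCM_SHA256, 0),
    CIPHER(TLS_RSA_WITH_AES_256_GCM_SHA384, 0),
    CIPHER(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 1),
    CIPHER(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, 1),
    CIPHER(TLS_DH_RSA_WITH_AES_128_GCM_SHA256, 1),
    CIPHER(TLS_DH_RSA_WITH_AES_256_GCM_SHA384, 1),
    CIPHER(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, 1),
    CIPHER(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, 1),
    CIPHER(TLS_DH_DSS_WITH_AES_128_GCM_SHA256, 1),
    CIPHER(TLS_DH_DSS_WITH_AES_256_GCM_SHA384, 1),
    CIPHER(TLS_DH_anon_WITH_AES_128_GCM_SHA256, 1),
    CIPHER(TLS_DH_anon_WITH_AES_256_GCM_SHA384, 1),
    CIPHER(TLS_PSK_WITH_AES_128_GCM_SHA256, 0),
    CIPHER(TLS_PSK_WITH_AES_256_GCM_SHA384, 0),
    CIPHER(TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, 1),
    CIPHER(TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, 1),
    CIPHER(TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, 0),
    CIPHER(TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, 0),
    CIPHER(TLS_PSK_WITH_AES_128_CBC_SHA256, 0),
    CIPHER(TLS_PSK_WITH_AES_256_CBC_SHA384, 0),
    CIPHER(TLS_PSK_WITH_NULL_SHA256, 0),
    CIPHER(TLS_PSK_WITH_NULL_SHA384, 0),
    CIPHER(TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, 1),
    CIPHER(TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, 1),
    CIPHER(TLS_DHE_PSK_WITH_NULL_SHA256, 1),
    CIPHER(TLS_DHE_PSK_WITH_NULL_SHA384, 1),
    CIPHER(TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, 0),
    CIPHER(TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, 0),
    CIPHER(TLS_RSA_PSK_WITH_NULL_SHA256, 0),
    CIPHER(TLS_RSA_PSK_WITH_NULL_SHA384, 0),
    CIPHER(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 1),
    CIPHER(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 1),
    CIPHER(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, 1),
    CIPHER(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, 1),
    CIPHER(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 1),
    CIPHER(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 1),
    CIPHER(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, 1),
    CIPHER(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, 1),
    CIPHER(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1),
    CIPHER(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1),
    CIPHER(TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, 1),
    CIPHER(TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, 1),
    CIPHER(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1),
    CIPHER(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1),
    CIPHER(TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, 1),
    CIPHER(TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, 1),
    CIPHER(TLS_RSA_WITH_AES_128_CBC_SHA, 0),
    CIPHER(TLS_DH_DSS_WITH_AES_128_CBC_SHA, 1),
    CIPHER(TLS_DH_RSA_WITH_AES_128_CBC_SHA, 1),
    CIPHER(TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 1),
    CIPHER(TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 1),
    CIPHER(TLS_DH_anon_WITH_AES_128_CBC_SHA, 1),
    CIPHER(TLS_RSA_WITH_AES_256_CBC_SHA, 0),
    CIPHER(TLS_DH_DSS_WITH_AES_256_CBC_SHA, 1),
    CIPHER(TLS_DH_RSA_WITH_AES_256_CBC_SHA, 1),
    CIPHER(TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 1),
    CIPHER(TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 1),
    CIPHER(TLS_DH_anon_WITH_AES_256_CBC_SHA, 1),
    CIPHER(TLS_ECDH_ECDSA_WITH_NULL_SHA, 1),
    CIPHER(TLS_ECDH_ECDSA_WITH_RC4_128_SHA, 1),
    CIPHER(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, 1),
    CIPHER(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 1),
    CIPHER(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 1),
    CIPHER(TLS_ECDHE_ECDSA_WITH_NULL_SHA, 1),
    CIPHER(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 1),
    CIPHER(TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 1),
    CIPHER(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 1),
    CIPHER(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1),
    CIPHER(TLS_ECDH_RSA_WITH_NULL_SHA, 1),
    CIPHER(TLS_ECDH_RSA_WITH_RC4_128_SHA, 1),
    CIPHER(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, 1),
    CIPHER(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, 1),
    CIPHER(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, 1),
    CIPHER(TLS_ECDHE_RSA_WITH_NULL_SHA, 1),
    CIPHER(TLS_ECDHE_RSA_WITH_RC4_128_SHA, 1),
    CIPHER(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 1),
    CIPHER(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1),
    CIPHER(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1),
    CIPHER(TLS_ECDH_anon_WITH_NULL_SHA, 1),
    CIPHER(TLS_ECDH_anon_WITH_RC4_128_SHA, 1),
    CIPHER(TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, 1),
    CIPHER(TLS_ECDH_anon_WITH_AES_128_CBC_SHA, 1),
    CIPHER(TLS_ECDH_anon_WITH_AES_256_CBC_SHA, 1)
  };
#  undef CIPHER

  numCiphers = sizeof(ciphers) / sizeof(ciphers[0]);

  if ((err = SSLGetNegotiatedProtocolVersion(http->tls, &protocol)) != noErr)
  {
    printf("%s: ERROR (No protocol version - %d)\n", server, (int)err);
    httpClose(http);
    return (1);
  }

  switch (protocol)
  {
    case kSSLProtocol3 :
        tlsVersion = 30;
        break;
    case kTLSProtocol1 :
        tlsVersion = 10;
        break;
    case kTLSProtocol11 :
        tlsVersion = 11;
        break;
    case kTLSProtocol12 :
        tlsVersion = 12;
        break;
    default :
        tlsVersion = 0;			/* Printed as "0.0" below */
        break;
  }

  if ((err = SSLGetNegotiatedCipher(http->tls, &cipher)) != noErr)
  {
    printf("%s: ERROR (No cipher suite - %d)\n", server, (int)err);
    httpClose(http);
    return (1);
  }

 /*
  * Look the suite up in the table; anything else is reported by number.
  */

  for (c = 0; c < numCiphers; c ++)
  {
    if (ciphers[c].suite == cipher)
    {
      cipherName   = ciphers[c].name;
      paramsNeeded = ciphers[c].needsParams;
      break;
    }
  }

  if (c >= numCiphers)
  {
    snprintf(unknownCipherName, sizeof(unknownCipherName), "UNKNOWN_%04X", (unsigned)cipher);
    cipherName = unknownCipherName;
  }

 /*
  * Any RC4 suite is a failure, not just the two RSA ones: the --rc4 option
  * exists to see what the library will offer, and the point of this check is
  * to report whenever RC4 was actually negotiated.
  */

  if (strstr(cipherName, "_RC4_"))
  {
    printf("%s: ERROR (Insecure RC4 negotiated)\n", server);
    httpClose(http);
    return (1);
  }

 /*
  * NOTE(review): SSLGetDiffieHellmanParams() reports the parameters held by
  * the context; confirm it reflects the peer's negotiated group before
  * treating dhBits as a measure of the server's key exchange strength.
  */

  if ((err = SSLGetDiffieHellmanParams(http->tls, &params, &paramsLen)) != noErr && paramsNeeded)
  {
    printf("%s: ERROR (Unable to get Diffie Hellman parameters - %d)\n", server, (int)err);
    httpClose(http);
    return (1);
  }

 /*
  * paramsLen was initialized to 0, so a failed lookup for a suite that does
  * not use DH parameters cannot leave it indeterminate; only parameters that
  * are present but shorter than 1024 bits are an error.
  */

  if (paramsLen < 128 && paramsLen != 0)
  {
    printf("%s: ERROR (Diffie Hellman parameters only %d bytes/%d bits)\n", server, (int)paramsLen, (int)paramsLen * 8);
    httpClose(http);
    return (1);
  }

  dhBits = (int)paramsLen * 8;
#endif /* __APPLE__ */

  if (dhBits > 0)
    printf("%s: OK (%d.%d, %s, %d DH bits)\n", server, tlsVersion / 10, tlsVersion % 10, cipherName, dhBits);
  else
    printf("%s: OK (%d.%d, %s)\n", server, tlsVersion / 10, tlsVersion % 10, cipherName);

  if (verbose)
  {
   /*
    * Build the printer URI from the name given on the command-line; "host"
    * is only filled in when a full ipps:// URI was supplied, and "server"
    * points at it in that case anyway.
    */

    httpAssembleURI(HTTP_URI_CODING_ALL, uri, sizeof(uri), "ipps", NULL, server, port, resource);
    request = ippNewRequest(IPP_OP_GET_PRINTER_ATTRIBUTES);
    ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_URI, "printer-uri", NULL, uri);
    ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_NAME, "requesting-user-name", NULL, cupsUser());
    ippAddStrings(request, IPP_TAG_OPERATION, IPP_TAG_KEYWORD, "requested-attributes", (int)(sizeof(pattrs) / sizeof(pattrs[0])), NULL, pattrs);

   /*
    * cupsDoRequest() frees the request; a NULL response means the IPP
    * exchange failed, which the user asked us to verify.
    */

    if ((response = cupsDoRequest(http, request, resource)) == NULL)
    {
      printf("%s: ERROR (%s)\n", server, cupsLastErrorString());
      httpClose(http);
      return (1);
    }

    for (attr = ippFirstAttribute(response); attr; attr = ippNextAttribute(response))
    {
      if (ippGetGroupTag(attr) != IPP_TAG_PRINTER)
        continue;

      if ((name = ippGetName(attr)) == NULL)
        continue;

      ippAttributeString(attr, value, sizeof(value));
      printf(" %s=%s\n", name, value);
    }

    ippDelete(response);
  }

  httpClose(http);

  return (0);
}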
707
708
709 /*
710 * 'usage()' - Show program usage.
711 */
712
/*
 * 'usage()' - Show program usage.
 *
 * Prints the command-line synopsis and option summary to stdout and then
 * exits with status 1; it never returns to the caller.
 */

static void
usage(void)
{
  static const char * const help[] =	/* Help text, one entry per line */
  {
    "Usage: ./tlscheck [options] server [port]",
    " ./tlscheck [options] ipps://server[:port]/path",
    "",
    "Options:",
    " --dh Allow DH/DHE key exchange",
    " --no-tls10 Disable TLS/1.0",
    " --rc4 Allow RC4 encryption",
    " --verbose Be verbose",
    " -v Be verbose",
    "",
    "The default port is 631."
  };
  size_t	line;			/* Looping var */


  for (line = 0; line < sizeof(help) / sizeof(help[0]); line ++)
    puts(help[line]);

  exit(1);
}
730
731
732 /*
733 * End of "$Id$".
734 */