2 * TLS check program for CUPS.
4 * Copyright 2007-2017 by Apple Inc.
5 * Copyright 1997-2006 by Easy Software Products.
7 * Licensed under Apache License v2.0. See the file "LICENSE" for more information.
11 * Include necessary headers...
14 #include "cups-private.h"
/*
 * 'main()' - Fallback entry point for builds without TLS support.
 *
 * Prints a one-line notice and exits with status 1; no connection is made.
 */

int					/* O - Exit status, always 1 */
main(void)
{
  static const char notice[] = "Sorry, no TLS support compiled in.";
					/* Message shown to the user */

  puts(notice);

  return (1);
}
/* Forward declaration; usage() itself is defined after main() and prints the option summary. */
25 static void usage(void);
29 * 'main()' - Main entry.
/*
 * Entry point of the TLS-enabled build.  The visible code parses argv,
 * applies the selected TLS option bits and protocol window, connects with
 * HTTP_ENCRYPTION_ALWAYS, prints the negotiated protocol/cipher together with
 * the server's credentials string, and builds an IPP Get-Printer-Attributes
 * request for the keywords in pattrs[].
 */
32 int /* O - Exit status */
33 main(int argc
, /* I - Number of command-line arguments */
34 char *argv
[]) /* I - Command-line arguments */
36 int i
; /* Looping var */
37 http_t
*http
; /* HTTP connection */
38 const char *server
= NULL
; /* Hostname from command-line */
39 int port
= 0; /* Port number */
40 cups_array_t
*creds
; /* Server credentials */
41 char creds_str
[2048]; /* Credentials string */
/* cipherName, dhBits and tlsVersion keep these placeholder values unless the platform-specific section further down assigns them. */
42 const char *cipherName
= "UNKNOWN";/* Cipher suite name */
43 int dhBits
= 0; /* Diffie-Hellman bits */
44 int tlsVersion
= 0; /* TLS version number */
/* Fixed-size URI component buffers; every visible write to them passes sizeof(buffer) as the bound.  None of them has an initialiser. */
45 char uri
[1024], /* Printer URI */
46 scheme
[32], /* URI scheme */
47 host
[256], /* Hostname */
48 userpass
[256], /* Username/password */
49 resource
[256]; /* Resource path */
50 int af
= AF_UNSPEC
, /* Address family */
/* TLS option bits start empty; --dh, --no-cbc and --rc4 OR flags into this value. */
51 tls_options
= _HTTP_TLS_NONE
,
/*
 * Default protocol window is TLS 1.0 up to _HTTP_TLS_MAX; --no-tls10 and the
 * --tlsNN options narrow it.  TLS 1.0 and 1.1 are deprecated (RFC 8996), so a
 * result obtained with the defaults shows what was negotiated, not that the
 * printer refuses the older versions.
 */
53 tls_min_version
= _HTTP_TLS_1_0
,
54 tls_max_version
= _HTTP_TLS_MAX
,
55 verbose
= 0; /* Verbosity */
56 ipp_t
*request
, /* IPP Get-Printer-Attributes request */
57 *response
; /* IPP Get-Printer-Attributes response */
58 ipp_attribute_t
*attr
; /* Current attribute */
59 const char *name
; /* Attribute name */
60 char value
[1024]; /* Attribute (string) value */
/* Keywords sent as "requested-attributes"; the last two ask the printer which authentication and security schemes it advertises per URI. */
61 static const char * const pattrs
[] = /* Requested attributes */
64 "compression-supported",
65 "document-format-supported",
68 "printer-make-and-model",
70 "printer-state-reasons",
72 "uri-authentication-supported",
73 "uri-security-supported"
/*
 * Command-line scan.  Arguments starting with '-' adjust the TLS policy,
 * address family or verbosity; the remaining ones are matched as an ipps://
 * URI and as a port number.
 */
77 for (i
= 1; i
< argc
; i
++)
/* --dh sets an _HTTP_TLS_ALLOW_* bit, i.e. it widens what this client will negotiate. */
79 if (!strcmp(argv
[i
], "--dh"))
81 tls_options
|= _HTTP_TLS_ALLOW_DH
;
/* --no-cbc sets an _HTTP_TLS_DENY_* bit, i.e. it narrows what this client will negotiate. */
83 else if (!strcmp(argv
[i
], "--no-cbc"))
85 tls_options
|= _HTTP_TLS_DENY_CBC
;
/* --no-tls10 raises only the minimum version; the maximum is left unchanged. */
87 else if (!strcmp(argv
[i
], "--no-tls10"))
89 tls_min_version
= _HTTP_TLS_1_1
;
/* Each --tlsNN option sets minimum and maximum to the same version, pinning the handshake to that one protocol. */
91 else if (!strcmp(argv
[i
], "--tls10"))
93 tls_min_version
= _HTTP_TLS_1_0
;
94 tls_max_version
= _HTTP_TLS_1_0
;
96 else if (!strcmp(argv
[i
], "--tls11"))
98 tls_min_version
= _HTTP_TLS_1_1
;
99 tls_max_version
= _HTTP_TLS_1_1
;
101 else if (!strcmp(argv
[i
], "--tls12"))
103 tls_min_version
= _HTTP_TLS_1_2
;
104 tls_max_version
= _HTTP_TLS_1_2
;
106 else if (!strcmp(argv
[i
], "--tls13"))
108 tls_min_version
= _HTTP_TLS_1_3
;
109 tls_max_version
= _HTTP_TLS_1_3
;
/* --rc4 sets another _HTTP_TLS_ALLOW_* bit; RC4 is prohibited in TLS by RFC 7465, so this is a test switch rather than a usable setting. */
111 else if (!strcmp(argv
[i
], "--rc4"))
113 tls_options
|= _HTTP_TLS_ALLOW_RC4
;
/* NOTE(review): the bodies of the --verbose/-v, -4 and -6 branches are not part of this listing. */
115 else if (!strcmp(argv
[i
], "--verbose") || !strcmp(argv
[i
], "-v"))
119 else if (!strcmp(argv
[i
], "-4"))
123 else if (!strcmp(argv
[i
], "-6"))
/* Any other argument starting with '-' is reported as an unknown option. */
127 else if (argv
[i
][0] == '-')
129 printf("tlscheck: Unknown option '%s'.\n", argv
[i
]);
/* An argument with the "ipps://" prefix is split into scheme, userpass, host, port and resource. */
134 if (!strncmp(argv
[i
], "ipps://", 7))
/*
 * NOTE(review): the status returned by httpSeparateURI() is discarded, so a
 * malformed ipps:// URI is not rejected at this point; comparing the result
 * with HTTP_URI_STATUS_OK before host/port/resource are used would make the
 * failure explicit.
 */
136 httpSeparateURI(HTTP_URI_CODING_ALL
, argv
[i
], scheme
, sizeof(scheme
), userpass
, sizeof(userpass
), host
, sizeof(host
), &port
, resource
, sizeof(resource
));
/* Default resource path; strlcpy() bounds the copy to sizeof(resource).  Only resource is written here, not host. */
142 strlcpy(resource
, "/ipp/print", sizeof(resource
));
/*
 * A port argument is taken only while port is still 0, either as "=NNN" or as
 * a string whose first character is a digit.  The "& 255" keeps the isdigit()
 * argument non-negative where char is signed.
 */
145 else if (!port
&& (argv
[i
][0] == '=' || isdigit(argv
[i
][0] & 255)))
/*
 * NOTE(review): atoi() reports no conversion error, and no range check on
 * port is visible in this listing; strtol() with an end-pointer test and a
 * 1-65535 bound would reject inputs such as "80x" or "99999".
 */
147 if (argv
[i
][0] == '=')
148 port
= atoi(argv
[i
] + 1);
150 port
= atoi(argv
[i
]);
/* Anything left over is reported as an unexpected argument. */
154 printf("tlscheck: Unexpected argument '%s'.\n", argv
[i
]);
/* Apply the option bits and protocol window chosen on the command line before the connection is opened. */
165 _httpTLSSetOptions(tls_options
, tls_min_version
, tls_max_version
);
/*
 * Connect with HTTP_ENCRYPTION_ALWAYS, so the TLS handshake is part of
 * connecting.  The literal arguments 1 and 30000 are presumably
 * httpConnect2()'s blocking flag and timeout in milliseconds - confirm
 * against its prototype.
 */
167 http
= httpConnect2(server
, port
, NULL
, af
, HTTP_ENCRYPTION_ALWAYS
, 1, 30000, NULL
);
/* Failure report with the text from cupsLastErrorString(); presumably reached when http is NULL (the test is not part of this listing). */
170 printf("%s: ERROR (%s)\n", server
, cupsLastErrorString());
/*
 * Fetch the peer's credentials and render them as text for the report; a
 * non-zero return from httpCopyCredentials() selects the fallback message.
 *
 * NOTE(review): no trust or host-name check on the credentials (for example
 * httpCredentialsGetTrust() or httpCredentialsAreValidForName()) appears in
 * this listing, so the later "OK" line describes the negotiated parameters,
 * not whether the certificate is valid for the server.
 */
174 if (httpCopyCredentials(http
, &creds
))
176 strlcpy(creds_str
, "Unable to get server X.509 credentials.", sizeof(creds_str
));
/* The string form is bounded by sizeof(creds_str); the credentials array is freed once it has been rendered. */
180 httpCredentialsString(creds
, creds_str
, sizeof(creds_str
));
181 httpFreeCredentials(creds
);
/*
 * Platform-specific section (closed further down by the "#endif" for
 * __APPLE__): reads the negotiated protocol version and cipher suite from the
 * TLS context in http->tls.
 */
185 SSLProtocol protocol
;
186 SSLCipherSuite cipher
;
/* Scratch buffer for the name of a cipher suite that has no case label in the switch below. */
187 char unknownCipherName
[256];
/*
 * NOTE(review): paramsNeeded is initialised to 0 and no later assignment is
 * visible in this listing; while it stays 0, a failing
 * SSLGetDiffieHellmanParams() call is not reported as an error.
 */
188 int paramsNeeded
= 0;
/* Query the negotiated protocol; on failure the numeric error code is printed. */
193 if ((err
= SSLGetNegotiatedProtocolVersion(http
->tls
, &protocol
)) != noErr
)
195 printf("%s: ERROR (No protocol version - %d)\n", server
, (int)err
);
/*
 * Labels of the protocol switch.  tlsVersion is later printed as
 * tlsVersion / 10 "." tlsVersion % 10 - NOTE(review): the assignments made
 * under these labels are not part of this listing.
 */
211 case kTLSProtocol11
:
214 case kTLSProtocol12
:
/* Query the negotiated cipher suite; on failure the numeric error code is printed. */
219 if ((err
= SSLGetNegotiatedCipher(http
->tls
, &cipher
)) != noErr
)
221 printf("%s: ERROR (No cipher suite - %d)\n", server
, (int)err
);
/*
 * Translate the negotiated SSLCipherSuite value into its name for the report.
 * Suites are only named here, not judged: the only per-suite rejection in
 * this listing is the RC4 test that follows the switch.  When reading the
 * report, these name fragments indicate a weak result in their own right:
 *
 *   _WITH_NULL_      no encryption of the record payload
 *   _anon_           key exchange without server authentication
 *   _RC4_, _3DES_    legacy ciphers (RFC 7465 prohibits RC4 in TLS)
 */
228 case TLS_NULL_WITH_NULL_NULL
:
229 cipherName
= "TLS_NULL_WITH_NULL_NULL";
231 case TLS_RSA_WITH_NULL_MD5
:
232 cipherName
= "TLS_RSA_WITH_NULL_MD5";
234 case TLS_RSA_WITH_NULL_SHA
:
235 cipherName
= "TLS_RSA_WITH_NULL_SHA";
237 case TLS_RSA_WITH_RC4_128_MD5
:
238 cipherName
= "TLS_RSA_WITH_RC4_128_MD5";
240 case TLS_RSA_WITH_RC4_128_SHA
:
241 cipherName
= "TLS_RSA_WITH_RC4_128_SHA";
243 case TLS_RSA_WITH_3DES_EDE_CBC_SHA
:
244 cipherName
= "TLS_RSA_WITH_3DES_EDE_CBC_SHA";
246 case TLS_RSA_WITH_NULL_SHA256
:
247 cipherName
= "TLS_RSA_WITH_NULL_SHA256";
249 case TLS_RSA_WITH_AES_128_CBC_SHA256
:
250 cipherName
= "TLS_RSA_WITH_AES_128_CBC_SHA256";
252 case TLS_RSA_WITH_AES_256_CBC_SHA256
:
253 cipherName
= "TLS_RSA_WITH_AES_256_CBC_SHA256";
255 case TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
:
256 cipherName
= "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA";
259 case TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
:
260 cipherName
= "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA";
263 case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
:
264 cipherName
= "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA";
267 case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
:
268 cipherName
= "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA";
271 case TLS_DH_DSS_WITH_AES_128_CBC_SHA256
:
272 cipherName
= "TLS_DH_DSS_WITH_AES_128_CBC_SHA256";
275 case TLS_DH_RSA_WITH_AES_128_CBC_SHA256
:
276 cipherName
= "TLS_DH_RSA_WITH_AES_128_CBC_SHA256";
279 case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
:
280 cipherName
= "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256";
283 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
:
284 cipherName
= "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256";
287 case TLS_DH_DSS_WITH_AES_256_CBC_SHA256
:
288 cipherName
= "TLS_DH_DSS_WITH_AES_256_CBC_SHA256";
291 case TLS_DH_RSA_WITH_AES_256_CBC_SHA256
:
292 cipherName
= "TLS_DH_RSA_WITH_AES_256_CBC_SHA256";
295 case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
:
296 cipherName
= "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256";
299 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
:
300 cipherName
= "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256";
303 case TLS_DH_anon_WITH_RC4_128_MD5
:
304 cipherName
= "TLS_DH_anon_WITH_RC4_128_MD5";
307 case TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
:
308 cipherName
= "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA";
311 case TLS_DH_anon_WITH_AES_128_CBC_SHA256
:
312 cipherName
= "TLS_DH_anon_WITH_AES_128_CBC_SHA256";
315 case TLS_DH_anon_WITH_AES_256_CBC_SHA256
:
316 cipherName
= "TLS_DH_anon_WITH_AES_256_CBC_SHA256";
319 case TLS_PSK_WITH_RC4_128_SHA
:
320 cipherName
= "TLS_PSK_WITH_RC4_128_SHA";
322 case TLS_PSK_WITH_3DES_EDE_CBC_SHA
:
323 cipherName
= "TLS_PSK_WITH_3DES_EDE_CBC_SHA";
325 case TLS_PSK_WITH_AES_128_CBC_SHA
:
326 cipherName
= "TLS_PSK_WITH_AES_128_CBC_SHA";
328 case TLS_PSK_WITH_AES_256_CBC_SHA
:
329 cipherName
= "TLS_PSK_WITH_AES_256_CBC_SHA";
331 case TLS_DHE_PSK_WITH_RC4_128_SHA
:
332 cipherName
= "TLS_DHE_PSK_WITH_RC4_128_SHA";
335 case TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
:
336 cipherName
= "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA";
339 case TLS_DHE_PSK_WITH_AES_128_CBC_SHA
:
340 cipherName
= "TLS_DHE_PSK_WITH_AES_128_CBC_SHA";
343 case TLS_DHE_PSK_WITH_AES_256_CBC_SHA
:
344 cipherName
= "TLS_DHE_PSK_WITH_AES_256_CBC_SHA";
347 case TLS_RSA_PSK_WITH_RC4_128_SHA
:
348 cipherName
= "TLS_RSA_PSK_WITH_RC4_128_SHA";
350 case TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
:
351 cipherName
= "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA";
353 case TLS_RSA_PSK_WITH_AES_128_CBC_SHA
:
354 cipherName
= "TLS_RSA_PSK_WITH_AES_128_CBC_SHA";
356 case TLS_RSA_PSK_WITH_AES_256_CBC_SHA
:
357 cipherName
= "TLS_RSA_PSK_WITH_AES_256_CBC_SHA";
359 case TLS_PSK_WITH_NULL_SHA
:
360 cipherName
= "TLS_PSK_WITH_NULL_SHA";
362 case TLS_DHE_PSK_WITH_NULL_SHA
:
363 cipherName
= "TLS_DHE_PSK_WITH_NULL_SHA";
366 case TLS_RSA_PSK_WITH_NULL_SHA
:
367 cipherName
= "TLS_RSA_PSK_WITH_NULL_SHA";
369 case TLS_RSA_WITH_AES_128_GCM_SHA256
:
370 cipherName
= "TLS_RSA_WITH_AES_128_GCM_SHA256";
372 case TLS_RSA_WITH_AES_256_GCM_SHA384
:
373 cipherName
= "TLS_RSA_WITH_AES_256_GCM_SHA384";
375 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
:
376 cipherName
= "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256";
379 case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
:
380 cipherName
= "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384";
383 case TLS_DH_RSA_WITH_AES_128_GCM_SHA256
:
384 cipherName
= "TLS_DH_RSA_WITH_AES_128_GCM_SHA256";
387 case TLS_DH_RSA_WITH_AES_256_GCM_SHA384
:
388 cipherName
= "TLS_DH_RSA_WITH_AES_256_GCM_SHA384";
391 case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
:
392 cipherName
= "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256";
395 case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
:
396 cipherName
= "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384";
399 case TLS_DH_DSS_WITH_AES_128_GCM_SHA256
:
400 cipherName
= "TLS_DH_DSS_WITH_AES_128_GCM_SHA256";
403 case TLS_DH_DSS_WITH_AES_256_GCM_SHA384
:
404 cipherName
= "TLS_DH_DSS_WITH_AES_256_GCM_SHA384";
407 case TLS_DH_anon_WITH_AES_128_GCM_SHA256
:
408 cipherName
= "TLS_DH_anon_WITH_AES_128_GCM_SHA256";
411 case TLS_DH_anon_WITH_AES_256_GCM_SHA384
:
412 cipherName
= "TLS_DH_anon_WITH_AES_256_GCM_SHA384";
415 case TLS_PSK_WITH_AES_128_GCM_SHA256
:
416 cipherName
= "TLS_PSK_WITH_AES_128_GCM_SHA256";
418 case TLS_PSK_WITH_AES_256_GCM_SHA384
:
419 cipherName
= "TLS_PSK_WITH_AES_256_GCM_SHA384";
421 case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
:
422 cipherName
= "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256";
425 case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
:
426 cipherName
= "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384";
429 case TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
:
430 cipherName
= "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256";
432 case TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
:
433 cipherName
= "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384";
435 case TLS_PSK_WITH_AES_128_CBC_SHA256
:
436 cipherName
= "TLS_PSK_WITH_AES_128_CBC_SHA256";
438 case TLS_PSK_WITH_AES_256_CBC_SHA384
:
439 cipherName
= "TLS_PSK_WITH_AES_256_CBC_SHA384";
441 case TLS_PSK_WITH_NULL_SHA256
:
442 cipherName
= "TLS_PSK_WITH_NULL_SHA256";
444 case TLS_PSK_WITH_NULL_SHA384
:
445 cipherName
= "TLS_PSK_WITH_NULL_SHA384";
447 case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
:
448 cipherName
= "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256";
451 case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
:
452 cipherName
= "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384";
455 case TLS_DHE_PSK_WITH_NULL_SHA256
:
456 cipherName
= "TLS_DHE_PSK_WITH_NULL_SHA256";
459 case TLS_DHE_PSK_WITH_NULL_SHA384
:
460 cipherName
= "TLS_DHE_PSK_WITH_NULL_SHA384";
463 case TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
:
464 cipherName
= "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256";
466 case TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
:
467 cipherName
= "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384";
469 case TLS_RSA_PSK_WITH_NULL_SHA256
:
470 cipherName
= "TLS_RSA_PSK_WITH_NULL_SHA256";
472 case TLS_RSA_PSK_WITH_NULL_SHA384
:
473 cipherName
= "TLS_RSA_PSK_WITH_NULL_SHA384";
475 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
:
476 cipherName
= "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256";
479 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
:
480 cipherName
= "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384";
483 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
:
484 cipherName
= "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256";
487 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
:
488 cipherName
= "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384";
491 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
:
492 cipherName
= "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256";
495 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
:
496 cipherName
= "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384";
499 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
:
500 cipherName
= "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256";
503 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
:
504 cipherName
= "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384";
507 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
:
508 cipherName
= "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256";
511 case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
:
512 cipherName
= "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384";
515 case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
:
516 cipherName
= "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256";
519 case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
:
520 cipherName
= "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384";
523 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
:
524 cipherName
= "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
527 case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
:
528 cipherName
= "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
531 case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
:
532 cipherName
= "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256";
535 case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
:
536 cipherName
= "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384";
539 case TLS_RSA_WITH_AES_128_CBC_SHA
:
540 cipherName
= "TLS_RSA_WITH_AES_128_CBC_SHA";
542 case TLS_DH_DSS_WITH_AES_128_CBC_SHA
:
543 cipherName
= "TLS_DH_DSS_WITH_AES_128_CBC_SHA";
546 case TLS_DH_RSA_WITH_AES_128_CBC_SHA
:
547 cipherName
= "TLS_DH_RSA_WITH_AES_128_CBC_SHA";
550 case TLS_DHE_DSS_WITH_AES_128_CBC_SHA
:
551 cipherName
= "TLS_DHE_DSS_WITH_AES_128_CBC_SHA";
554 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA
:
555 cipherName
= "TLS_DHE_RSA_WITH_AES_128_CBC_SHA";
558 case TLS_DH_anon_WITH_AES_128_CBC_SHA
:
559 cipherName
= "TLS_DH_anon_WITH_AES_128_CBC_SHA";
562 case TLS_RSA_WITH_AES_256_CBC_SHA
:
563 cipherName
= "TLS_RSA_WITH_AES_256_CBC_SHA";
565 case TLS_DH_DSS_WITH_AES_256_CBC_SHA
:
566 cipherName
= "TLS_DH_DSS_WITH_AES_256_CBC_SHA";
569 case TLS_DH_RSA_WITH_AES_256_CBC_SHA
:
570 cipherName
= "TLS_DH_RSA_WITH_AES_256_CBC_SHA";
573 case TLS_DHE_DSS_WITH_AES_256_CBC_SHA
:
574 cipherName
= "TLS_DHE_DSS_WITH_AES_256_CBC_SHA";
577 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA
:
578 cipherName
= "TLS_DHE_RSA_WITH_AES_256_CBC_SHA";
581 case TLS_DH_anon_WITH_AES_256_CBC_SHA
:
582 cipherName
= "TLS_DH_anon_WITH_AES_256_CBC_SHA";
585 case TLS_ECDH_ECDSA_WITH_NULL_SHA
:
586 cipherName
= "TLS_ECDH_ECDSA_WITH_NULL_SHA";
589 case TLS_ECDH_ECDSA_WITH_RC4_128_SHA
:
590 cipherName
= "TLS_ECDH_ECDSA_WITH_RC4_128_SHA";
593 case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
:
594 cipherName
= "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA";
597 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
:
598 cipherName
= "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA";
601 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
:
602 cipherName
= "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA";
605 case TLS_ECDHE_ECDSA_WITH_NULL_SHA
:
606 cipherName
= "TLS_ECDHE_ECDSA_WITH_NULL_SHA";
609 case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
:
610 cipherName
= "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA";
613 case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
:
614 cipherName
= "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA";
617 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
:
618 cipherName
= "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA";
621 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
:
622 cipherName
= "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA";
625 case TLS_ECDH_RSA_WITH_NULL_SHA
:
626 cipherName
= "TLS_ECDH_RSA_WITH_NULL_SHA";
629 case TLS_ECDH_RSA_WITH_RC4_128_SHA
:
630 cipherName
= "TLS_ECDH_RSA_WITH_RC4_128_SHA";
633 case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
:
634 cipherName
= "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA";
637 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
:
638 cipherName
= "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA";
641 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
:
642 cipherName
= "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA";
645 case TLS_ECDHE_RSA_WITH_NULL_SHA
:
646 cipherName
= "TLS_ECDHE_RSA_WITH_NULL_SHA";
649 case TLS_ECDHE_RSA_WITH_RC4_128_SHA
:
650 cipherName
= "TLS_ECDHE_RSA_WITH_RC4_128_SHA";
653 case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
:
654 cipherName
= "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA";
657 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
:
658 cipherName
= "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA";
661 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
:
662 cipherName
= "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA";
665 case TLS_ECDH_anon_WITH_NULL_SHA
:
666 cipherName
= "TLS_ECDH_anon_WITH_NULL_SHA";
669 case TLS_ECDH_anon_WITH_RC4_128_SHA
:
670 cipherName
= "TLS_ECDH_anon_WITH_RC4_128_SHA";
673 case TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
:
674 cipherName
= "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA";
677 case TLS_ECDH_anon_WITH_AES_128_CBC_SHA
:
678 cipherName
= "TLS_ECDH_anon_WITH_AES_128_CBC_SHA";
681 case TLS_ECDH_anon_WITH_AES_256_CBC_SHA
:
682 cipherName
= "TLS_ECDH_anon_WITH_AES_256_CBC_SHA";
/*
 * Fallback for a suite without a case label (presumably the default branch,
 * whose label is not part of this listing): the numeric suite ID is formatted
 * as UNKNOWN_xxxx, with snprintf() bounding the write to the local buffer.
 */
686 snprintf(unknownCipherName
, sizeof(unknownCipherName
), "UNKNOWN_%04X", cipher
);
687 cipherName
= unknownCipherName
;
/*
 * Reject a negotiated RC4 suite.
 *
 * NOTE(review): only the two RSA RC4 suites are tested, although the switch
 * before this test also names RC4 suites for DH_anon, PSK, DHE_PSK, RSA_PSK,
 * ECDH_ECDSA, ECDHE_ECDSA, ECDH_RSA, ECDHE_RSA and ECDH_anon.  A printer that
 * negotiates one of those is not caught by this condition, so the message's
 * "MUST NOT negotiate RC4" is enforced for a subset only.
 */
691 if (cipher
== TLS_RSA_WITH_RC4_128_MD5
||
692 cipher
== TLS_RSA_WITH_RC4_128_SHA
)
694 printf("%s: ERROR (Printers MUST NOT negotiate RC4 cipher suites.)\n", server
);
/*
 * Read the Diffie-Hellman parameters of the session.  A failure is reported
 * only when paramsNeeded is non-zero.
 *
 * NOTE(review): the second and third arguments below are presumably
 * "&params" and "&paramsLen" whose leading "&para" was decoded as an HTML
 * entity when this page was extracted - confirm against the original file.
 */
699 if ((err
= SSLGetDiffieHellmanParams(http
->tls
, ¶ms
, ¶msLen
)) != noErr
&& paramsNeeded
)
701 printf("%s: ERROR (Unable to get Diffie-Hellman parameters - %d)\n", server
, (int)err
);
/*
 * NOTE(review): the bound and the message disagree.  paramsLen < 128 bytes
 * rejects only parameters shorter than 1024 bits, while the message states a
 * 2048-bit minimum (256 bytes); a 1024-bit group therefore passes.  A length
 * of 0 is exempt from the test.
 */
706 if (paramsLen
< 128 && paramsLen
!= 0)
708 printf("%s: ERROR (Diffie-Hellman parameters MUST be at least 2048 bits, but Printer uses only %d bits/%d bytes)\n", server
, (int)paramsLen
* 8, (int)paramsLen
);
/* Parameter length in bytes converted to bits for the report line. */
713 dhBits
= (int)paramsLen
* 8;
714 #endif /* __APPLE__ */
/*
 * Success report in two forms, with and without the DH size (the condition
 * choosing between them is not part of this listing).  tlsVersion is printed
 * as tlsVersion / 10 "." tlsVersion % 10.
 *
 * NOTE(review): tlsVersion, cipherName and dhBits are assigned only inside
 * the __APPLE__ section in the visible code, so on other platforms this line
 * presumably reads "TLS: 0.0, UNKNOWN".  "OK" here means the handshake
 * completed and no listed error fired; it is not a statement about
 * certificate trust.
 */
717 printf("%s: OK (TLS: %d.%d, %s, %d DH bits)\n", server
, tlsVersion
/ 10, tlsVersion
% 10, cipherName
, dhBits
);
719 printf("%s: OK (TLS: %d.%d, %s)\n", server
, tlsVersion
/ 10, tlsVersion
% 10, cipherName
);
/* Credentials string, or the fallback message when the credentials could not be copied. */
721 printf(" %s\n", creds_str
);
/*
 * Build an IPP Get-Printer-Attributes request for ipps://host:port/resource
 * and send it over the connection opened with HTTP_ENCRYPTION_ALWAYS.
 *
 * NOTE(review): in the visible code host[] is written only by
 * httpSeparateURI(), while the non-URI path fills resource alone.  If that
 * path leaves host unset, the printer-uri is assembled from an uninitialised
 * buffer - confirm, and consider passing server here instead.
 */
725 httpAssembleURI(HTTP_URI_CODING_ALL
, uri
, sizeof(uri
), "ipps", NULL
, host
, port
, resource
);
726 request
= ippNewRequest(IPP_OP_GET_PRINTER_ATTRIBUTES
);
727 ippAddString(request
, IPP_TAG_OPERATION
, IPP_TAG_URI
, "printer-uri", NULL
, uri
);
/* requesting-user-name carries the local user name from cupsUser() to the printer being tested. */
728 ippAddString(request
, IPP_TAG_OPERATION
, IPP_TAG_NAME
, "requesting-user-name", NULL
, cupsUser());
/* The element count is derived from the array itself, so it follows pattrs[] when entries are added or removed. */
729 ippAddStrings(request
, IPP_TAG_OPERATION
, IPP_TAG_KEYWORD
, "requested-attributes", (int)(sizeof(pattrs
) / sizeof(pattrs
[0])), NULL
, pattrs
);
/* NOTE(review): no test of the response or of its status code is visible before the attribute loop. */
731 response
= cupsDoRequest(http
, request
, resource
);
/*
 * Print each returned attribute as name=value.  The two tests presumably skip
 * attributes outside the printer group and attributes without a name (their
 * bodies are not part of this listing).  The values come from the remote
 * printer; ippAttributeString() bounds each one to sizeof(value).
 */
733 for (attr
= ippFirstAttribute(response
); attr
; attr
= ippNextAttribute(response
))
735 if (ippGetGroupTag(attr
) != IPP_TAG_PRINTER
)
738 if ((name
= ippGetName(attr
)) == NULL
)
741 ippAttributeString(attr
, value
, sizeof(value
));
742 printf(" %s=%s\n", name
, value
);
756 * 'usage()' - Show program usage.
/*
 * Option summary written to standard output.  --dh and --rc4 widen what the
 * client will negotiate, and --tls10/--tls11 pin the handshake to a deprecated
 * protocol version; they are presumably meant for observing how a printer
 * behaves with legacy settings, not as recommended settings.
 */
762 puts("Usage: ./tlscheck [options] server [port]");
763 puts(" ./tlscheck [options] ipps://server[:port]/path");
766 puts(" --dh Allow DH/DHE key exchange");
767 puts(" --no-cbc Disable CBC cipher suites");
768 puts(" --no-tls10 Disable TLS/1.0");
769 puts(" --rc4 Allow RC4 encryption");
770 puts(" --tls10 Only use TLS/1.0");
771 puts(" --tls11 Only use TLS/1.1");
772 puts(" --tls12 Only use TLS/1.2");
773 puts(" --tls13 Only use TLS/1.3");
774 puts(" --verbose Be verbose");
775 puts(" -4 Connect using IPv4 addresses only");
776 puts(" -6 Connect using IPv6 addresses only");
777 puts(" -v Be verbose");
/* 631 is the port used when none is given on the command line, per this message. */
779 puts("The default port is 631.");
783 #endif /* !HAVE_SSL */