4 * TLS check program for CUPS.
6 * Copyright 2007-2015 by Apple Inc.
7 * Copyright 1997-2006 by Easy Software Products.
9 * These coded instructions, statements, and computer programs are the
10 * property of Apple Inc. and are protected by Federal copyright
11 * law. Distribution and use rights are outlined in the file "LICENSE.txt"
12 * which should have been included with this file. If this file is
13 * missing or damaged, see the license at "http://www.cups.org/".
15 * This file is subject to the Apple OS-Developed Software exception.
19 * Include necessary headers...
22 #include "cups-private.h"
26 * 'main()' - Main entry.
29 int /* O - Exit status */
30 main(int argc
, /* I - Number of command-line arguments */
31 char *argv
[]) /* I - Command-line arguments */
33 http_t
*http
; /* HTTP connection */
34 const char *server
= argv
[1]; /* Hostname from command-line */
35 int port
= 631; /* Port number */
36 const char *cipherName
= "UNKNOWN";/* Cipher suite name */
37 int tlsVersion
= 0; /* TLS version number */
40 if (argc
< 2 || argc
> 3)
42 puts("Usage: ./tlscheck server [port]");
44 puts("The default port is 631.");
50 if (argv
[2][0] == '=')
51 port
= atoi(argv
[2] + 1);
56 http
= httpConnect2(server
, port
, NULL
, AF_UNSPEC
, HTTP_ENCRYPTION_ALWAYS
, 1, 30000, NULL
);
59 printf("%s: ERROR (%s)\n", server
, cupsLastErrorString());
65 SSLCipherSuite cipher
;
66 char unknownCipherName
[256];
72 if ((err
= SSLGetNegotiatedProtocolVersion(http
->tls
, &protocol
)) != noErr
)
74 printf("%s: ERROR (No protocol version - %d)\n", server
, (int)err
);
98 if ((err
= SSLGetNegotiatedCipher(http
->tls
, &cipher
)) != noErr
)
100 printf("%s: ERROR (No cipher suite - %d)\n", server
, (int)err
);
107 case TLS_NULL_WITH_NULL_NULL
:
108 cipherName
= "TLS_NULL_WITH_NULL_NULL";
110 case TLS_RSA_WITH_NULL_MD5
:
111 cipherName
= "TLS_RSA_WITH_NULL_MD5";
113 case TLS_RSA_WITH_NULL_SHA
:
114 cipherName
= "TLS_RSA_WITH_NULL_SHA";
116 case TLS_RSA_WITH_RC4_128_MD5
:
117 cipherName
= "TLS_RSA_WITH_RC4_128_MD5";
119 case TLS_RSA_WITH_RC4_128_SHA
:
120 cipherName
= "TLS_RSA_WITH_RC4_128_SHA";
122 case TLS_RSA_WITH_3DES_EDE_CBC_SHA
:
123 cipherName
= "TLS_RSA_WITH_3DES_EDE_CBC_SHA";
125 case TLS_RSA_WITH_NULL_SHA256
:
126 cipherName
= "TLS_RSA_WITH_NULL_SHA256";
128 case TLS_RSA_WITH_AES_128_CBC_SHA256
:
129 cipherName
= "TLS_RSA_WITH_AES_128_CBC_SHA256";
131 case TLS_RSA_WITH_AES_256_CBC_SHA256
:
132 cipherName
= "TLS_RSA_WITH_AES_256_CBC_SHA256";
134 case TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
:
135 cipherName
= "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA";
138 case TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
:
139 cipherName
= "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA";
142 case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
:
143 cipherName
= "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA";
146 case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
:
147 cipherName
= "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA";
150 case TLS_DH_DSS_WITH_AES_128_CBC_SHA256
:
151 cipherName
= "TLS_DH_DSS_WITH_AES_128_CBC_SHA256";
154 case TLS_DH_RSA_WITH_AES_128_CBC_SHA256
:
155 cipherName
= "TLS_DH_RSA_WITH_AES_128_CBC_SHA256";
158 case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
:
159 cipherName
= "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256";
162 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
:
163 cipherName
= "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256";
166 case TLS_DH_DSS_WITH_AES_256_CBC_SHA256
:
167 cipherName
= "TLS_DH_DSS_WITH_AES_256_CBC_SHA256";
170 case TLS_DH_RSA_WITH_AES_256_CBC_SHA256
:
171 cipherName
= "TLS_DH_RSA_WITH_AES_256_CBC_SHA256";
174 case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
:
175 cipherName
= "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256";
178 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
:
179 cipherName
= "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256";
182 case TLS_DH_anon_WITH_RC4_128_MD5
:
183 cipherName
= "TLS_DH_anon_WITH_RC4_128_MD5";
186 case TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
:
187 cipherName
= "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA";
190 case TLS_DH_anon_WITH_AES_128_CBC_SHA256
:
191 cipherName
= "TLS_DH_anon_WITH_AES_128_CBC_SHA256";
194 case TLS_DH_anon_WITH_AES_256_CBC_SHA256
:
195 cipherName
= "TLS_DH_anon_WITH_AES_256_CBC_SHA256";
198 case TLS_PSK_WITH_RC4_128_SHA
:
199 cipherName
= "TLS_PSK_WITH_RC4_128_SHA";
201 case TLS_PSK_WITH_3DES_EDE_CBC_SHA
:
202 cipherName
= "TLS_PSK_WITH_3DES_EDE_CBC_SHA";
204 case TLS_PSK_WITH_AES_128_CBC_SHA
:
205 cipherName
= "TLS_PSK_WITH_AES_128_CBC_SHA";
207 case TLS_PSK_WITH_AES_256_CBC_SHA
:
208 cipherName
= "TLS_PSK_WITH_AES_256_CBC_SHA";
210 case TLS_DHE_PSK_WITH_RC4_128_SHA
:
211 cipherName
= "TLS_DHE_PSK_WITH_RC4_128_SHA";
214 case TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
:
215 cipherName
= "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA";
218 case TLS_DHE_PSK_WITH_AES_128_CBC_SHA
:
219 cipherName
= "TLS_DHE_PSK_WITH_AES_128_CBC_SHA";
222 case TLS_DHE_PSK_WITH_AES_256_CBC_SHA
:
223 cipherName
= "TLS_DHE_PSK_WITH_AES_256_CBC_SHA";
226 case TLS_RSA_PSK_WITH_RC4_128_SHA
:
227 cipherName
= "TLS_RSA_PSK_WITH_RC4_128_SHA";
229 case TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
:
230 cipherName
= "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA";
232 case TLS_RSA_PSK_WITH_AES_128_CBC_SHA
:
233 cipherName
= "TLS_RSA_PSK_WITH_AES_128_CBC_SHA";
235 case TLS_RSA_PSK_WITH_AES_256_CBC_SHA
:
236 cipherName
= "TLS_RSA_PSK_WITH_AES_256_CBC_SHA";
238 case TLS_PSK_WITH_NULL_SHA
:
239 cipherName
= "TLS_PSK_WITH_NULL_SHA";
241 case TLS_DHE_PSK_WITH_NULL_SHA
:
242 cipherName
= "TLS_DHE_PSK_WITH_NULL_SHA";
245 case TLS_RSA_PSK_WITH_NULL_SHA
:
246 cipherName
= "TLS_RSA_PSK_WITH_NULL_SHA";
248 case TLS_RSA_WITH_AES_128_GCM_SHA256
:
249 cipherName
= "TLS_RSA_WITH_AES_128_GCM_SHA256";
251 case TLS_RSA_WITH_AES_256_GCM_SHA384
:
252 cipherName
= "TLS_RSA_WITH_AES_256_GCM_SHA384";
254 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
:
255 cipherName
= "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256";
258 case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
:
259 cipherName
= "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384";
262 case TLS_DH_RSA_WITH_AES_128_GCM_SHA256
:
263 cipherName
= "TLS_DH_RSA_WITH_AES_128_GCM_SHA256";
266 case TLS_DH_RSA_WITH_AES_256_GCM_SHA384
:
267 cipherName
= "TLS_DH_RSA_WITH_AES_256_GCM_SHA384";
270 case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
:
271 cipherName
= "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256";
274 case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
:
275 cipherName
= "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384";
278 case TLS_DH_DSS_WITH_AES_128_GCM_SHA256
:
279 cipherName
= "TLS_DH_DSS_WITH_AES_128_GCM_SHA256";
282 case TLS_DH_DSS_WITH_AES_256_GCM_SHA384
:
283 cipherName
= "TLS_DH_DSS_WITH_AES_256_GCM_SHA384";
286 case TLS_DH_anon_WITH_AES_128_GCM_SHA256
:
287 cipherName
= "TLS_DH_anon_WITH_AES_128_GCM_SHA256";
290 case TLS_DH_anon_WITH_AES_256_GCM_SHA384
:
291 cipherName
= "TLS_DH_anon_WITH_AES_256_GCM_SHA384";
294 case TLS_PSK_WITH_AES_128_GCM_SHA256
:
295 cipherName
= "TLS_PSK_WITH_AES_128_GCM_SHA256";
297 case TLS_PSK_WITH_AES_256_GCM_SHA384
:
298 cipherName
= "TLS_PSK_WITH_AES_256_GCM_SHA384";
300 case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
:
301 cipherName
= "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256";
304 case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
:
305 cipherName
= "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384";
308 case TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
:
309 cipherName
= "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256";
311 case TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
:
312 cipherName
= "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384";
314 case TLS_PSK_WITH_AES_128_CBC_SHA256
:
315 cipherName
= "TLS_PSK_WITH_AES_128_CBC_SHA256";
317 case TLS_PSK_WITH_AES_256_CBC_SHA384
:
318 cipherName
= "TLS_PSK_WITH_AES_256_CBC_SHA384";
320 case TLS_PSK_WITH_NULL_SHA256
:
321 cipherName
= "TLS_PSK_WITH_NULL_SHA256";
323 case TLS_PSK_WITH_NULL_SHA384
:
324 cipherName
= "TLS_PSK_WITH_NULL_SHA384";
326 case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
:
327 cipherName
= "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256";
330 case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
:
331 cipherName
= "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384";
334 case TLS_DHE_PSK_WITH_NULL_SHA256
:
335 cipherName
= "TLS_DHE_PSK_WITH_NULL_SHA256";
338 case TLS_DHE_PSK_WITH_NULL_SHA384
:
339 cipherName
= "TLS_DHE_PSK_WITH_NULL_SHA384";
342 case TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
:
343 cipherName
= "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256";
345 case TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
:
346 cipherName
= "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384";
348 case TLS_RSA_PSK_WITH_NULL_SHA256
:
349 cipherName
= "TLS_RSA_PSK_WITH_NULL_SHA256";
351 case TLS_RSA_PSK_WITH_NULL_SHA384
:
352 cipherName
= "TLS_RSA_PSK_WITH_NULL_SHA384";
354 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
:
355 cipherName
= "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256";
358 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
:
359 cipherName
= "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384";
362 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
:
363 cipherName
= "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256";
366 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
:
367 cipherName
= "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384";
370 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
:
371 cipherName
= "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256";
374 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
:
375 cipherName
= "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384";
378 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
:
379 cipherName
= "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256";
382 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
:
383 cipherName
= "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384";
386 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
:
387 cipherName
= "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256";
390 case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
:
391 cipherName
= "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384";
394 case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
:
395 cipherName
= "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256";
398 case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
:
399 cipherName
= "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384";
402 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
:
403 cipherName
= "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
406 case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
:
407 cipherName
= "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
410 case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
:
411 cipherName
= "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256";
414 case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
:
415 cipherName
= "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384";
418 case TLS_RSA_WITH_AES_128_CBC_SHA
:
419 cipherName
= "TLS_RSA_WITH_AES_128_CBC_SHA";
421 case TLS_DH_DSS_WITH_AES_128_CBC_SHA
:
422 cipherName
= "TLS_DH_DSS_WITH_AES_128_CBC_SHA";
425 case TLS_DH_RSA_WITH_AES_128_CBC_SHA
:
426 cipherName
= "TLS_DH_RSA_WITH_AES_128_CBC_SHA";
429 case TLS_DHE_DSS_WITH_AES_128_CBC_SHA
:
430 cipherName
= "TLS_DHE_DSS_WITH_AES_128_CBC_SHA";
433 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA
:
434 cipherName
= "TLS_DHE_RSA_WITH_AES_128_CBC_SHA";
437 case TLS_DH_anon_WITH_AES_128_CBC_SHA
:
438 cipherName
= "TLS_DH_anon_WITH_AES_128_CBC_SHA";
441 case TLS_RSA_WITH_AES_256_CBC_SHA
:
442 cipherName
= "TLS_RSA_WITH_AES_256_CBC_SHA";
444 case TLS_DH_DSS_WITH_AES_256_CBC_SHA
:
445 cipherName
= "TLS_DH_DSS_WITH_AES_256_CBC_SHA";
448 case TLS_DH_RSA_WITH_AES_256_CBC_SHA
:
449 cipherName
= "TLS_DH_RSA_WITH_AES_256_CBC_SHA";
452 case TLS_DHE_DSS_WITH_AES_256_CBC_SHA
:
453 cipherName
= "TLS_DHE_DSS_WITH_AES_256_CBC_SHA";
456 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA
:
457 cipherName
= "TLS_DHE_RSA_WITH_AES_256_CBC_SHA";
460 case TLS_DH_anon_WITH_AES_256_CBC_SHA
:
461 cipherName
= "TLS_DH_anon_WITH_AES_256_CBC_SHA";
464 case TLS_ECDH_ECDSA_WITH_NULL_SHA
:
465 cipherName
= "TLS_ECDH_ECDSA_WITH_NULL_SHA";
468 case TLS_ECDH_ECDSA_WITH_RC4_128_SHA
:
469 cipherName
= "TLS_ECDH_ECDSA_WITH_RC4_128_SHA";
472 case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
:
473 cipherName
= "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA";
476 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
:
477 cipherName
= "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA";
480 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
:
481 cipherName
= "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA";
484 case TLS_ECDHE_ECDSA_WITH_NULL_SHA
:
485 cipherName
= "TLS_ECDHE_ECDSA_WITH_NULL_SHA";
488 case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
:
489 cipherName
= "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA";
492 case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
:
493 cipherName
= "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA";
496 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
:
497 cipherName
= "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA";
500 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
:
501 cipherName
= "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA";
504 case TLS_ECDH_RSA_WITH_NULL_SHA
:
505 cipherName
= "TLS_ECDH_RSA_WITH_NULL_SHA";
508 case TLS_ECDH_RSA_WITH_RC4_128_SHA
:
509 cipherName
= "TLS_ECDH_RSA_WITH_RC4_128_SHA";
512 case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
:
513 cipherName
= "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA";
516 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
:
517 cipherName
= "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA";
520 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
:
521 cipherName
= "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA";
524 case TLS_ECDHE_RSA_WITH_NULL_SHA
:
525 cipherName
= "TLS_ECDHE_RSA_WITH_NULL_SHA";
528 case TLS_ECDHE_RSA_WITH_RC4_128_SHA
:
529 cipherName
= "TLS_ECDHE_RSA_WITH_RC4_128_SHA";
532 case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
:
533 cipherName
= "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA";
536 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
:
537 cipherName
= "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA";
540 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
:
541 cipherName
= "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA";
544 case TLS_ECDH_anon_WITH_NULL_SHA
:
545 cipherName
= "TLS_ECDH_anon_WITH_NULL_SHA";
548 case TLS_ECDH_anon_WITH_RC4_128_SHA
:
549 cipherName
= "TLS_ECDH_anon_WITH_RC4_128_SHA";
552 case TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
:
553 cipherName
= "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA";
556 case TLS_ECDH_anon_WITH_AES_128_CBC_SHA
:
557 cipherName
= "TLS_ECDH_anon_WITH_AES_128_CBC_SHA";
560 case TLS_ECDH_anon_WITH_AES_256_CBC_SHA
:
561 cipherName
= "TLS_ECDH_anon_WITH_AES_256_CBC_SHA";
565 snprintf(unknownCipherName
, sizeof(unknownCipherName
), "UNKNOWN_%04X", cipher
);
566 cipherName
= unknownCipherName
;
570 if (cipher
== TLS_RSA_WITH_RC4_128_MD5
||
571 cipher
== TLS_RSA_WITH_RC4_128_SHA
)
573 printf("%s: ERROR (Insecure RC4 negotiated)\n", server
);
578 if ((err
= SSLGetDiffieHellmanParams(http
->tls
, ¶ms
, ¶msLen
)) != noErr
&& paramsNeeded
)
580 printf("%s: ERROR (Unable to get Diffie Hellman parameters - %d)\n", server
, (int)err
);
585 if (paramsLen
< 128 && paramsLen
!= 0)
587 printf("%s: ERROR (Diffie Hellman parameters only %d bytes/%d bits)\n", server
, (int)paramsLen
, (int)paramsLen
* 8);
591 #endif /* __APPLE__ */
593 printf("%s: OK (%d.%d, %s)\n", server
, tlsVersion
/ 10, tlsVersion
% 10, cipherName
);