.\" which should have been included with this file. If this file is
.\" file is missing or damaged, see the license at "http://www.cups.org/".
.\"
-.TH cupsd.conf 5 "CUPS" "28 August 2017" "Apple Inc."
+.TH cupsd.conf 5 "CUPS" "3 November 2017" "Apple Inc."
.SH NAME
cupsd.conf \- server configuration file for cups
.SH DESCRIPTION
.br
Specifies whether to purge job history data automatically when it is no longer required for quotas.
The default is "No".
+.\"#BrowseDNSSDSubTypes
+.TP 5
+.BI BrowseDNSSDSubTypes _subtype[,...]
+Specifies a list of Bonjour sub-types to advertise for each shared printer.
+For example, "BrowseDNSSDSubTypes _cups,_print" will tell network clients that both CUPS sharing and IPP Everywhere are supported.
+The default is "_cups" which is necessary for printer sharing to work between systems using CUPS.
.\"#BrowseLocalProtocols
.TP 5
\fBBrowseLocalProtocols all\fR
Specifies the delay for updating of configuration and state files.
A value of 0 causes the update to happen as soon as possible, typically within a few milliseconds.
The default value is "30".
+.\"#DNSSDHostName
+.TP 5
+.BI DNSSDHostName hostname.example.com
+Specifies the fully-qualified domain name for the server that is used for Bonjour sharing.
+The default is typically the server's ".local" hostname.
.\"#ErrorPolicy
.TP 5
\fBErrorPolicy abort-job\fR
Listens on the specified address and port for encrypted connections.
.\"#SSLOptions
.TP 5
-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR]
+.TP 5
+\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
.TP 5
\fBSSLOptions None\fR
-Sets encryption options.
+Sets encryption options (only in /etc/cups/client.conf).
By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
-The \fIAllowDH\fR option enables cipher suites using the horribly insecure anonymous Diffie-Hellman key negotiation which is vulnerable to man-in-the-middle attacks.
-The \fIAllowRC4\fR option enables the insecure 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones.
-The \fIAllowSSL3\fR option enables the insecure SSL v3.0 protocol, which is required for some older clients that do not support TLS v1.0.
+Security is reduced when \fIAllow\fR options are used.
+Security is enhanced when \fIDeny\fR options are used.
+The \fIAllowDH\fR option enables cipher suites using plain Diffie-Hellman key negotiation (not supported on systems using GNU TLS).
+The \fIAllowRC4\fR option enables the 128-bit RC4 cipher suites, which are required for some older clients.
+The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
The \fIDenyCBC\fR option disables all CBC cipher suites.
The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
+The \fMinTLS\fR options set the minimum TLS version to support.
+The \fMaxTLS\fR options set the maximum TLS version to support.
+Not all operating systems support TLS 1.3 at this time.
.\"#SSLPort
.TP 5
\fBSSLPort \fIport\fR