Fix AllowRC4 and AllowSSL3 on GnuTLS platforms
authorPascal Ernster <git@hardfalcon.net>
Sun, 22 Oct 2017 20:34:42 +0000 (22:34 +0200)
committerPascal Ernster <git@hardfalcon.net>
Sun, 22 Oct 2017 20:34:42 +0000 (22:34 +0200)
cups/tls-gnutls.c

index 4c92b68506f8298b58b6a3d3e91bd70bda847fab..f93274815ea22a155a7445e7e3e2d614e9d51d18 100644 (file)
@@ -1509,14 +1509,16 @@ _httpTLSStart(http_t *http)             /* I - Connection to server */
   if (tls_options & _HTTP_TLS_DENY_TLS10)
     strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-TLS1.0:-VERS-SSL3.0", sizeof(priority_string));
   else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
-    strlcat(priority_string, ":+VERS-TLS-ALL", sizeof(priority_string));
+    strlcat(priority_string, ":+VERS-TLS-ALL:+VERS-SSL3.0", sizeof(priority_string));
   else if (tls_options & _HTTP_TLS_ONLY_TLS10)
     strlcat(priority_string, ":-VERS-TLS-ALL:-VERS-SSL3.0:+VERS-TLS1.0", sizeof(priority_string));
   else
     strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-SSL3.0", sizeof(priority_string));
 
-  if (!(tls_options & _HTTP_TLS_ALLOW_RC4))
-    strlcat(priority_string, ":-ARCFOUR-128", sizeof(priority_string));
+  if (tls_options & _HTTP_TLS_ALLOW_RC4)
+    strlcat(priority_string, ":+ARCFOUR-128", sizeof(priority_string));
+  else
+       strlcat(priority_string, ":!ARCFOUR-128", sizeof(priority_string));
 
   strlcat(priority_string, ":!ANON-DH", sizeof(priority_string));
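Review bot: The branches that now append `:+VERS-SSL3.0` and `:+ARCFOUR-128` make AllowSSL3 and AllowRC4 actually enable SSL 3.0 and RC4, yet nothing at either site documents that or makes it visible at run time. A comment above them such as `/* SSL 3.0 (RFC 7568) and RC4 (RFC 7465) are prohibited; enable only on explicit request for legacy peers */` would help, as would a debug message when either flag is set. Judging by the commit title these options apparently had no effect on GnuTLS builds before, so existing configurations that carry them will start negotiating the weaker protocol and cipher after upgrading, which deserves a release note. In the new `else` branch `!ARCFOUR-128` removes the cipher just as the old `-ARCFOUR-128` did, but its `strlcat` line is indented deeper than the surrounding code and should be aligned with the branch above. The body of `_httpTLSStart` and the declaration of `priority_string` lie outside this hunk, so it is worth confirming the buffer still holds the longer strings, since the unchecked `strlcat` calls would otherwise silently truncate the trailing `:!ANON-DH`.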