1 /*
2 * TLS check program for CUPS.
3 *
4 * Copyright 2007-2017 by Apple Inc.
5 * Copyright 1997-2006 by Easy Software Products.
6 *
7 * Licensed under Apache License v2.0. See the file "LICENSE" for more information.
8 */
9
10 /*
11 * Include necessary headers...
12 */
13
14 #include "cups-private.h"
15
16
17 #ifndef HAVE_SSL
/*
 * Fallback entry point for builds without TLS support: there is nothing to
 * check, so report that and exit with a non-zero status.
 */
int					/* O - Exit status (always 1) */
main(void)
{
  puts("Sorry, no TLS support compiled in.");

  return (1);
}
19 #else
20
21 /*
22 * Local functions...
23 */
24
25 static void usage(void);
26
27
28 /*
29 * 'main()' - Main entry.
30 */
31
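/*
 * 'parse_port()' - Parse a TCP port number from the command line.
 *
 * Accepts the bare "631" and the "=631" forms this program takes.  Unlike
 * atoi(), trailing garbage, an empty number and values outside 1..65535 are
 * rejected, so a mistyped port cannot silently collapse to 0 and then to the
 * default port.
 */

static int				/* O - Port number, or -1 on error */
parse_port(const char *s)		/* I - Argument text */
{
  char	*end;				/* First unparsed character */
  long	port;				/* Parsed value */


  if (*s == '=')
    s ++;

  if (!*s)
    return (-1);

  port = strtol(s, &end, 10);

  if (*end || port < 1 || port > 65535)
    return (-1);

  return ((int)port);
}


#ifdef __APPLE__
/*
 * 'cipher_suite_name()' - Map a SecureTransport cipher suite ID to its name.
 *
 * The table is generated with the CIPHER() macro so that the printed name is
 * always the stringified constant and cannot drift from the ID.  The "params"
 * flag mirrors the suites for which this program asks SecureTransport for
 * Diffie-Hellman parameters (the (EC)DH/(EC)DHE key-exchange suites).
 *
 * Returns a pointer to a static string, or formats "UNKNOWN_%04X" into "buf"
 * and returns "buf" when the suite is not in the table (then *params is 0).
 */

#define CIPHER(s, p)	{ s, #s, p }

static const char *			/* O - Cipher suite name */
cipher_suite_name(
    SSLCipherSuite cipher,		/* I - Negotiated cipher suite */
    int            *params,		/* O - 1 if DH parameters are expected */
    char           *buf,		/* I - Buffer for unlisted suite names */
    size_t         bufsize)		/* I - Size of buffer */
{
  static const struct			/* Known suites */
  {
    SSLCipherSuite	suite;		/* Suite ID */
    const char		*name;		/* IANA-style name */
    int			params;		/* 1 if DH parameters are expected */
  }	table[] =
  {
    CIPHER(TLS_NULL_WITH_NULL_NULL, 0),
    CIPHER(TLS_RSA_WITH_NULL_MD5, 0),
    CIPHER(TLS_RSA_WITH_NULL_SHA, 0),
    CIPHER(TLS_RSA_WITH_RC4_128_MD5, 0),
    CIPHER(TLS_RSA_WITH_RC4_128_SHA, 0),
    CIPHER(TLS_RSA_WITH_3DES_EDE_CBC_SHA, 0),
    CIPHER(TLS_RSA_WITH_NULL_SHA256, 0),
    CIPHER(TLS_RSA_WITH_AES_128_CBC_SHA256, 0),
    CIPHER(TLS_RSA_WITH_AES_256_CBC_SHA256, 0),
    CIPHER(TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA, 1),
    CIPHER(TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA, 1),
    CIPHER(TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 1),
    CIPHER(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 1),
    CIPHER(TLS_DH_DSS_WITH_AES_128_CBC_SHA256, 1),
    CIPHER(TLS_DH_RSA_WITH_AES_128_CBC_SHA256, 1),
    CIPHER(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, 1),
    CIPHER(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 1),
    CIPHER(TLS_DH_DSS_WITH_AES_256_CBC_SHA256, 1),
    CIPHER(TLS_DH_RSA_WITH_AES_256_CBC_SHA256, 1),
    CIPHER(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, 1),
    CIPHER(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, 1),
    CIPHER(TLS_DH_anon_WITH_RC4_128_MD5, 1),
    CIPHER(TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, 1),
    CIPHER(TLS_DH_anon_WITH_AES_128_CBC_SHA256, 1),
    CIPHER(TLS_DH_anon_WITH_AES_256_CBC_SHA256, 1),
    CIPHER(TLS_PSK_WITH_RC4_128_SHA, 0),
    CIPHER(TLS_PSK_WITH_3DES_EDE_CBC_SHA, 0),
    CIPHER(TLS_PSK_WITH_AES_128_CBC_SHA, 0),
    CIPHER(TLS_PSK_WITH_AES_256_CBC_SHA, 0),
    CIPHER(TLS_DHE_PSK_WITH_RC4_128_SHA, 1),
    CIPHER(TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, 1),
    CIPHER(TLS_DHE_PSK_WITH_AES_128_CBC_SHA, 1),
    CIPHER(TLS_DHE_PSK_WITH_AES_256_CBC_SHA, 1),
    CIPHER(TLS_RSA_PSK_WITH_RC4_128_SHA, 0),
    CIPHER(TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, 0),
    CIPHER(TLS_RSA_PSK_WITH_AES_128_CBC_SHA, 0),
    CIPHER(TLS_RSA_PSK_WITH_AES_256_CBC_SHA, 0),
    CIPHER(TLS_PSK_WITH_NULL_SHA, 0),
    CIPHER(TLS_DHE_PSK_WITH_NULL_SHA, 1),
    CIPHER(TLS_RSA_PSK_WITH_NULL_SHA, 0),
    CIPHER(TLS_RSA_WITH_AES_128_GCM_SHA256, 0),
    CIPHER(TLS_RSA_WITH_AES_256_GCM_SHA384, 0),
    CIPHER(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 1),
    CIPHER(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, 1),
    CIPHER(TLS_DH_RSA_WITH_AES_128_GCM_SHA256, 1),
    CIPHER(TLS_DH_RSA_WITH_AES_256_GCM_SHA384, 1),
    CIPHER(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, 1),
    CIPHER(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, 1),
    CIPHER(TLS_DH_DSS_WITH_AES_128_GCM_SHA256, 1),
    CIPHER(TLS_DH_DSS_WITH_AES_256_GCM_SHA384, 1),
    CIPHER(TLS_DH_anon_WITH_AES_128_GCM_SHA256, 1),
    CIPHER(TLS_DH_anon_WITH_AES_256_GCM_SHA384, 1),
    CIPHER(TLS_PSK_WITH_AES_128_GCM_SHA256, 0),
    CIPHER(TLS_PSK_WITH_AES_256_GCM_SHA384, 0),
    CIPHER(TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, 1),
    CIPHER(TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, 1),
    CIPHER(TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, 0),
    CIPHER(TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, 0),
    CIPHER(TLS_PSK_WITH_AES_128_CBC_SHA256, 0),
    CIPHER(TLS_PSK_WITH_AES_256_CBC_SHA384, 0),
    CIPHER(TLS_PSK_WITH_NULL_SHA256, 0),
    CIPHER(TLS_PSK_WITH_NULL_SHA384, 0),
    CIPHER(TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, 1),
    CIPHER(TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, 1),
    CIPHER(TLS_DHE_PSK_WITH_NULL_SHA256, 1),
    CIPHER(TLS_DHE_PSK_WITH_NULL_SHA384, 1),
    CIPHER(TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, 0),
    CIPHER(TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, 0),
    CIPHER(TLS_RSA_PSK_WITH_NULL_SHA256, 0),
    CIPHER(TLS_RSA_PSK_WITH_NULL_SHA384, 0),
    CIPHER(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 1),
    CIPHER(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 1),
    CIPHER(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, 1),
    CIPHER(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, 1),
    CIPHER(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 1),
    CIPHER(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 1),
    CIPHER(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, 1),
    CIPHER(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, 1),
    CIPHER(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1),
    CIPHER(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1),
    CIPHER(TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, 1),
    CIPHER(TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, 1),
    CIPHER(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1),
    CIPHER(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1),
    CIPHER(TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, 1),
    CIPHER(TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, 1),
    CIPHER(TLS_RSA_WITH_AES_128_CBC_SHA, 0),
    CIPHER(TLS_DH_DSS_WITH_AES_128_CBC_SHA, 1),
    CIPHER(TLS_DH_RSA_WITH_AES_128_CBC_SHA, 1),
    CIPHER(TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 1),
    CIPHER(TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 1),
    CIPHER(TLS_DH_anon_WITH_AES_128_CBC_SHA, 1),
    CIPHER(TLS_RSA_WITH_AES_256_CBC_SHA, 0),
    CIPHER(TLS_DH_DSS_WITH_AES_256_CBC_SHA, 1),
    CIPHER(TLS_DH_RSA_WITH_AES_256_CBC_SHA, 1),
    CIPHER(TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 1),
    CIPHER(TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 1),
    CIPHER(TLS_DH_anon_WITH_AES_256_CBC_SHA, 1),
    CIPHER(TLS_ECDH_ECDSA_WITH_NULL_SHA, 1),
    CIPHER(TLS_ECDH_ECDSA_WITH_RC4_128_SHA, 1),
    CIPHER(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, 1),
    CIPHER(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 1),
    CIPHER(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 1),
    CIPHER(TLS_ECDHE_ECDSA_WITH_NULL_SHA, 1),
    CIPHER(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 1),
    CIPHER(TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 1),
    CIPHER(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 1),
    CIPHER(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1),
    CIPHER(TLS_ECDH_RSA_WITH_NULL_SHA, 1),
    CIPHER(TLS_ECDH_RSA_WITH_RC4_128_SHA, 1),
    CIPHER(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, 1),
    CIPHER(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, 1),
    CIPHER(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, 1),
    CIPHER(TLS_ECDHE_RSA_WITH_NULL_SHA, 1),
    CIPHER(TLS_ECDHE_RSA_WITH_RC4_128_SHA, 1),
    CIPHER(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 1),
    CIPHER(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1),
    CIPHER(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1),
    CIPHER(TLS_ECDH_anon_WITH_NULL_SHA, 1),
    CIPHER(TLS_ECDH_anon_WITH_RC4_128_SHA, 1),
    CIPHER(TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, 1),
    CIPHER(TLS_ECDH_anon_WITH_AES_128_CBC_SHA, 1),
    CIPHER(TLS_ECDH_anon_WITH_AES_256_CBC_SHA, 1)
  };
  size_t	i;			/* Looping var */


  *params = 0;

  for (i = 0; i < sizeof(table) / sizeof(table[0]); i ++)
  {
    if (table[i].suite == cipher)
    {
      *params = table[i].params;
      return (table[i].name);
    }
  }

 /*
  * Not in the table: report the raw suite ID so the output is still useful.
  */

  snprintf(buf, bufsize, "UNKNOWN_%04X", (unsigned)cipher);

  return (buf);
}
#undef CIPHER
#endif /* __APPLE__ */


/*
 * 'main()' - Main entry.
 *
 * Connects to the given printer with TLS required, reports the negotiated
 * protocol, cipher suite and (on macOS) Diffie-Hellman parameter size, and
 * optionally dumps a few printer attributes.  Exit status is 0 when the
 * connection met the checks, 1 on any error.
 */

int					/* O - Exit status */
main(int  argc,				/* I - Number of command-line arguments */
     char *argv[])			/* I - Command-line arguments */
{
  int		i;			/* Looping var */
  http_t	*http;			/* HTTP connection */
  const char	*server = NULL;		/* Hostname from command-line */
  int		port = 0;		/* Port number */
  const char	*cipherName = "UNKNOWN";/* Cipher suite name */
  int		dhBits = 0;		/* Diffie-Hellman bits */
  int		tlsVersion = 0;		/* TLS version number */
  char		uri[1024],		/* Printer URI */
		scheme[32],		/* URI scheme */
		host[256],		/* Hostname (URI form only) */
		userpass[256],		/* Username/password */
		resource[256];		/* Resource path */
  int		af = AF_UNSPEC,		/* Address family */
		tls_options = _HTTP_TLS_NONE,
					/* TLS options */
		tls_min_version = _HTTP_TLS_1_0,
		tls_max_version = _HTTP_TLS_MAX,
		verbose = 0;		/* Verbosity */
  ipp_t		*request,		/* IPP Get-Printer-Attributes request */
		*response;		/* IPP Get-Printer-Attributes response */
  ipp_attribute_t *attr;		/* Current attribute */
  const char	*name;			/* Attribute name */
  char		value[1024];		/* Attribute (string) value */
  static const char * const pattrs[] =	/* Requested attributes */
  {
    "color-supported",
    "compression-supported",
    "document-format-supported",
    "pages-per-minute",
    "printer-location",
    "printer-make-and-model",
    "printer-state",
    "printer-state-reasons",
    "sides-supported",
    "uri-authentication-supported",
    "uri-security-supported"
  };


 /*
  * Parse command-line options.  The "--rc4", "--dh", "--tls10" options widen
  * what the client offers so that a printer's willingness to pick a weak
  * parameter can be observed; they do not relax the checks below.
  */

  for (i = 1; i < argc; i ++)
  {
    if (!strcmp(argv[i], "--dh"))
    {
      tls_options |= _HTTP_TLS_ALLOW_DH;
    }
    else if (!strcmp(argv[i], "--no-cbc"))
    {
      tls_options |= _HTTP_TLS_DENY_CBC;
    }
    else if (!strcmp(argv[i], "--no-tls10"))
    {
      tls_min_version = _HTTP_TLS_1_1;
    }
    else if (!strcmp(argv[i], "--tls10"))
    {
      tls_min_version = _HTTP_TLS_1_0;
      tls_max_version = _HTTP_TLS_1_0;
    }
    else if (!strcmp(argv[i], "--rc4"))
    {
      tls_options |= _HTTP_TLS_ALLOW_RC4;
    }
    else if (!strcmp(argv[i], "--verbose") || !strcmp(argv[i], "-v"))
    {
      verbose = 1;
    }
    else if (!strcmp(argv[i], "-4"))
    {
      af = AF_INET;
    }
    else if (!strcmp(argv[i], "-6"))
    {
      af = AF_INET6;
    }
    else if (argv[i][0] == '-')
    {
      printf("tlscheck: Unknown option '%s'.\n", argv[i]);
      usage();
    }
    else if (!server)
    {
      if (!strncmp(argv[i], "ipps://", 7))
      {
       /*
        * A URI that cannot be split would leave "host" and "resource"
        * unset, so treat a parse failure as a usage error.
        */

        if (httpSeparateURI(HTTP_URI_CODING_ALL, argv[i], scheme, sizeof(scheme), userpass, sizeof(userpass), host, sizeof(host), &port, resource, sizeof(resource)) < HTTP_URI_STATUS_OK)
        {
          printf("tlscheck: Bad printer URI '%s'.\n", argv[i]);
          usage();
        }

        server = host;
      }
      else
      {
        server = argv[i];
        strlcpy(resource, "/ipp/print", sizeof(resource));
      }
    }
    else if (!port && (argv[i][0] == '=' || isdigit(argv[i][0] & 255)))
    {
      if ((port = parse_port(argv[i])) < 0)
      {
        printf("tlscheck: Bad port '%s'.\n", argv[i]);
        usage();
      }
    }
    else
    {
      printf("tlscheck: Unexpected argument '%s'.\n", argv[i]);
      usage();
    }
  }

  if (!server)
    usage();

  if (!port)
    port = 631;

  _httpTLSSetOptions(tls_options, tls_min_version, tls_max_version);

 /*
  * HTTP_ENCRYPTION_ALWAYS: the connection must be TLS from the start, a
  * plain-text connection is a failure for this tool.
  */

  http = httpConnect2(server, port, NULL, af, HTTP_ENCRYPTION_ALWAYS, 1, 30000, NULL);
  if (!http)
  {
    printf("%s: ERROR (%s)\n", server, cupsLastErrorString());
    return (1);
  }

#ifdef __APPLE__
 /*
  * Only the SecureTransport backend exposes the negotiated parameters here;
  * other builds print "TLS: 0.0, UNKNOWN" below.
  */

  SSLProtocol	protocol;		/* Negotiated protocol version */
  SSLCipherSuite cipher;		/* Negotiated cipher suite */
  char		unknownCipherName[256];	/* Name buffer for unlisted suites */
  int		paramsNeeded = 0;	/* Suite is expected to have DH params? */
  const void	*params = NULL;		/* DH parameters */
  size_t	paramsLen = 0;		/* Length of DH parameters in bytes;
					 * stays 0 when the lookup fails */
  OSStatus	err;			/* SecureTransport status */

  if ((err = SSLGetNegotiatedProtocolVersion(http->tls, &protocol)) != noErr)
  {
    printf("%s: ERROR (No protocol version - %d)\n", server, (int)err);
    httpClose(http);
    return (1);
  }

 /*
  * Encode the version as major*10+minor for printing; kSSLProtocol3 is
  * reported as "3.0".
  */

  switch (protocol)
  {
    default :
        tlsVersion = 0;
        break;
    case kSSLProtocol3 :
        tlsVersion = 30;
        break;
    case kTLSProtocol1 :
        tlsVersion = 10;
        break;
    case kTLSProtocol11 :
        tlsVersion = 11;
        break;
    case kTLSProtocol12 :
        tlsVersion = 12;
        break;
  }

  if ((err = SSLGetNegotiatedCipher(http->tls, &cipher)) != noErr)
  {
    printf("%s: ERROR (No cipher suite - %d)\n", server, (int)err);
    httpClose(http);
    return (1);
  }

  cipherName = cipher_suite_name(cipher, &paramsNeeded, unknownCipherName, sizeof(unknownCipherName));

 /*
  * RFC 7465 prohibits every RC4 suite, so match on the name rather than on
  * the two TLS_RSA_WITH_RC4_* IDs only.
  */

  if (strstr(cipherName, "_RC4_"))
  {
    printf("%s: ERROR (Printers MUST NOT negotiate RC4 cipher suites.)\n", server);
    httpClose(http);
    return (1);
  }

  if ((err = SSLGetDiffieHellmanParams(http->tls, &params, &paramsLen)) != noErr && paramsNeeded)
  {
    printf("%s: ERROR (Unable to get Diffie-Hellman parameters - %d)\n", server, (int)err);
    httpClose(http);
    return (1);
  }

 /*
  * NOTE(review): the threshold is 128 bytes of parameter data while the
  * message says 2048 bits (256 bytes), and paramsLen is the size of the blob
  * SecureTransport returns rather than the prime itself; confirm the intended
  * minimum before changing either number.
  */

  if (paramsLen < 128 && paramsLen != 0)
  {
    printf("%s: ERROR (Diffie-Hellman parameters MUST be at least 2048 bits, but Printer uses only %d bits/%d bytes)\n", server, (int)paramsLen * 8, (int)paramsLen);
    httpClose(http);
    return (1);
  }

  dhBits = (int)paramsLen * 8;
#endif /* __APPLE__ */

  if (dhBits > 0)
    printf("%s: OK (TLS: %d.%d, %s, %d DH bits)\n", server, tlsVersion / 10, tlsVersion % 10, cipherName, dhBits);
  else
    printf("%s: OK (TLS: %d.%d, %s)\n", server, tlsVersion / 10, tlsVersion % 10, cipherName);

  if (verbose)
  {
   /*
    * Use "server" for the host: "host" is only filled in when an ipps://
    * URI was given on the command line.
    */

    httpAssembleURI(HTTP_URI_CODING_ALL, uri, sizeof(uri), "ipps", NULL, server, port, resource);
    request = ippNewRequest(IPP_OP_GET_PRINTER_ATTRIBUTES);
    ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_URI, "printer-uri", NULL, uri);
    ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_NAME, "requesting-user-name", NULL, cupsUser());
    ippAddStrings(request, IPP_TAG_OPERATION, IPP_TAG_KEYWORD, "requested-attributes", (int)(sizeof(pattrs) / sizeof(pattrs[0])), NULL, pattrs);

    response = cupsDoRequest(http, request, resource);

    if (!response)
    {
      printf("%s: ERROR (Get-Printer-Attributes failed - %s)\n", server, cupsLastErrorString());
      httpClose(http);
      return (1);
    }

    for (attr = ippFirstAttribute(response); attr; attr = ippNextAttribute(response))
    {
      if (ippGetGroupTag(attr) != IPP_TAG_PRINTER)
        continue;

      if ((name = ippGetName(attr)) == NULL)
        continue;

      ippAttributeString(attr, value, sizeof(value));
      printf(" %s=%s\n", name, value);
    }

    ippDelete(response);
  }

  httpClose(http);

  return (0);
}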
723
724
725 /*
726 * 'usage()' - Show program usage.
727 */
728
/*
 * Print the command-line help to stdout and exit with status 1.  Called for
 * any usage error as well as when no server was given, so it never returns.
 */
static void
usage(void)
{
  puts("Usage: ./tlscheck [options] server [port]");
  puts(" ./tlscheck [options] ipps://server[:port]/path");
  puts("");
  puts("Options:");
  puts(" --dh Allow DH/DHE key exchange");
  puts(" --no-cbc Disable CBC cipher suites");
  puts(" --no-tls10 Disable TLS/1.0");
  puts(" --rc4 Allow RC4 encryption");
  puts(" --tls10 Only use TLS/1.0");
  puts(" --verbose Be verbose");
  puts(" -4 Connect using IPv4 addresses only");
  puts(" -6 Connect using IPv6 addresses only");
  puts(" -v Be verbose");
  puts("");
  puts("The default port is 631.");

  /* Usage errors are always fatal for this tool. */
  exit(1);
}
750 #endif /* !HAVE_SSL */