Expand CBC filter on macOS.
Add support for --tls10 and --no-cbc options with tlscheck.
#define _HTTP_TLS_ALLOW_DH 4 /* Allow DH/DHE key negotiation */
#define _HTTP_TLS_DENY_TLS10 16 /* Deny TLS 1.0 */
#define _HTTP_TLS_DENY_CBC 32 /* Deny CBC cipher suites */
+#define _HTTP_TLS_ONLY_TLS10 64 /* Only use TLS 1.0 */
/*
error = SSLSetProtocolVersionMin(http->tls, minProtocol);
DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMin(%d), error=%d", minProtocol, (int)error));
+
+ if (!error && (tls_options & _HTTP_TLS_ONLY_TLS10))
+ {
+ error = SSLSetProtocolVersionMax(http->tls, kTLSProtocol1);
+ DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMax(kTLSProtocol1), error=%d", (int)error));
+ }
}
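Review bot: When _HTTP_TLS_DENY_TLS10 and _HTTP_TLS_ONLY_TLS10 are both set, the new block caps the version at kTLSProtocol1 after SSLSetProtocolVersionMin has already been applied; if minProtocol was raised above TLS 1.0 for the deny case (that computation is outside the hunk), the maximum ends up below the minimum and nothing here reports the contradiction. The GnuTLS chain resolves the same pair the other way round, because its `-VERS-TLS1.0` branch precedes the new `else if (tls_options & _HTTP_TLS_ONLY_TLS10)` branch, so the two backends disagree on what --no-tls10 --tls10 means, and tlscheck's option parsing accepts both flags without complaint. One guard keeps the backends consistent: `if (!error && (tls_options & _HTTP_TLS_ONLY_TLS10) && !(tls_options & _HTTP_TLS_DENY_TLS10))`, with a comment `/* DENY_TLS10 wins over ONLY_TLS10, matching the GnuTLS priority string */`. _httpTLSStart begins and ends outside the hunk.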
# if HAVE_SSLSETENABLEDCIPHERS
case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 :
case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 :
case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 :
+ case TLS_RSA_WITH_3DES_EDE_CBC_SHA :
+ case TLS_RSA_WITH_AES_128_CBC_SHA :
+ case TLS_RSA_WITH_AES_256_CBC_SHA :
if (tls_options & _HTTP_TLS_DENY_CBC)
{
DEBUG_printf(("4_httpTLSStart: Excluding CBC cipher suite %d", supported[i]));
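Review bot: The CBC filter is a hand-enumerated list of cipher-suite constants, so any CBC suite present in `supported[]` that is not listed survives --no-cbc unfiltered; the three added labels show the list was previously incomplete, and nothing in the code prevents the same gap from reopening. A comment above the first `case` should make that maintenance rule explicit: `/* Every CBC suite the platform can report must appear here; an omission lets it through _HTTP_TLS_DENY_CBC silently. */` The switch and _httpTLSStart continue outside the hunk.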
strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-TLS1.0:-VERS-SSL3.0", sizeof(priority_string));
else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
strlcat(priority_string, ":+VERS-TLS-ALL", sizeof(priority_string));
+ else if (tls_options & _HTTP_TLS_ONLY_TLS10)
+ strlcat(priority_string, ":-VERS-TLS-ALL:-VERS-SSL3.0:+VERS-TLS1.0", sizeof(priority_string));
else
strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-SSL3.0", sizeof(priority_string));
/*
* TLS check program for CUPS.
*
- * Copyright 2007-2015 by Apple Inc.
+ * Copyright 2007-2017 by Apple Inc.
* Copyright 1997-2006 by Easy Software Products.
*
* These coded instructions, statements, and computer programs are the
{
tls_options |= _HTTP_TLS_ALLOW_DH;
}
+ else if (!strcmp(argv[i], "--no-cbc"))
+ {
+ tls_options |= _HTTP_TLS_DENY_CBC;
+ }
else if (!strcmp(argv[i], "--no-tls10"))
{
tls_options |= _HTTP_TLS_DENY_TLS10;
}
+ else if (!strcmp(argv[i], "--tls10"))
+ {
+ tls_options |= _HTTP_TLS_ONLY_TLS10;
+ }
else if (!strcmp(argv[i], "--rc4"))
{
tls_options |= _HTTP_TLS_ALLOW_RC4;
puts("");
puts("Options:");
puts(" --dh Allow DH/DHE key exchange");
+ puts(" --no-cbc Disable CBC cipher suites");
puts(" --no-tls10 Disable TLS/1.0");
puts(" --rc4 Allow RC4 encryption");
+ puts(" --tls10 Only use TLS/1.0");
puts(" --verbose Be verbose");
puts(" -4 Connect using IPv4 addresses only");
puts(" -6 Connect using IPv6 addresses only");