More tweaks for cipher suite restrictions.
authormsweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
Wed, 20 May 2015 18:37:52 +0000 (18:37 +0000)
committermsweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
Wed, 20 May 2015 18:37:52 +0000 (18:37 +0000)
git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@12647 a1ca3aef-8c08-0410-bb20-df032aa958be

cups/tls-darwin.c
cups/tls-gnutls.c
cups/tls-sspi.c
cups/usersys.c

index 2ad8254846f1b86ee4b57d51b70f4b38da799ac5..529f506886a2a99790df0554ced0a7b072c6e032 100644 (file)
@@ -41,7 +41,7 @@ static char           *tls_keypath = NULL;
                                        /* Server cert keychain path */
 static _cups_mutex_t   tls_mutex = _CUPS_MUTEX_INITIALIZER;
                                        /* Mutex for keychain/certs */
-static int             tls_options = 0;/* Options for TLS connections */
+static int             tls_options = -1;/* Options for TLS connections */
 #endif /* HAVE_SECKEYCHAINOPEN */
 
 
@@ -1009,7 +1009,14 @@ _httpTLSStart(http_t *http)              /* I - HTTP connection */
   http_credential_t    *credential;    /* Credential data */
 
 
-  DEBUG_printf(("7_httpTLSStart(http=%p)", http));
+  DEBUG_printf(("3_httpTLSStart(http=%p)", http));
+
+  if (tls_options < 0)
+  {
+    DEBUG_puts("4_httpTLSStart: Setting defaults.");
+    _cupsSetDefaults();
+    DEBUG_printf(("4_httpTLSStart: tls_options=%x", tls_options));
+  }
 
 #ifdef HAVE_SECKEYCHAINOPEN
   if (http->mode == _HTTP_MODE_SERVER && !tls_keychain)
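Review bot: If `_cupsSetDefaults()` returns without storing TLS options, `tls_options` keeps the new -1 sentinel, and since the later tests in this function are bitmask checks (`tls_options & _HTTP_TLS_ALLOW_RC4`, `tls_options & _HTTP_TLS_ALLOW_DH`), every flag then reads as set and the RC4 and small-parameter DH suites that the old default of 0 excluded become enabled. Whether that path exists depends on `_cupsSetDefaults()`, which is not in this diff, so the cheap guard is to normalize right after the call: `if (tls_options < 0) tls_options = 0; /* nothing configured: keep the restrictive default */`. The read-then-initialize of the file-scope `tls_options` also happens without `tls_mutex`; presumably `_cupsSetDefaults()` is idempotent so concurrent first calls only repeat work, but that should be confirmed. The body of `_httpTLSStart` continues beyond the hunk.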
@@ -1131,6 +1138,7 @@ _httpTLSStart(http_t *http)               /* I - HTTP connection */
          case TLS_RSA_PSK_WITH_NULL_SHA256 :
          case TLS_RSA_PSK_WITH_NULL_SHA384 :
          case SSL_RSA_WITH_DES_CBC_MD5 :
+             DEBUG_printf(("4_httpTLSStart: Excluding insecure cipher suite %d", supported[i]));
              break;
 
           /* RC4 cipher suites that should only be used as a last resort */
@@ -1145,6 +1153,8 @@ _httpTLSStart(http_t *http)               /* I - HTTP connection */
          case TLS_RSA_PSK_WITH_RC4_128_SHA :
              if (tls_options & _HTTP_TLS_ALLOW_RC4)
                enabled[num_enabled ++] = supported[i];
+             else
+               DEBUG_printf(("4_httpTLSStart: Excluding RC4 cipher suite %d", supported[i]));
              break;
 
           /* DH/DHE cipher suites that are problematic with parameters < 1024 bits */
@@ -1185,6 +1195,8 @@ _httpTLSStart(http_t *http)               /* I - HTTP connection */
           case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 :
               if (tls_options & _HTTP_TLS_ALLOW_DH)
                enabled[num_enabled ++] = supported[i];
+             else
+               DEBUG_printf(("4_httpTLSStart: Excluding DH/DHE cipher suite %d", supported[i]));
               break;
 
           /* Anything else we'll assume is secure */
index 424fa4932ee3b0952131311852966c5e18331e83..d78a5d63c3c3f388e0441aaa3d4dda038f5cde45 100644 (file)
@@ -36,7 +36,7 @@ static char           *tls_keypath = NULL;
                                        /* Server cert keychain path */
 static _cups_mutex_t   tls_mutex = _CUPS_MUTEX_INITIALIZER;
                                        /* Mutex for keychain/certs */
-static int             tls_options = 0;/* Options for TLS connections */
+static int             tls_options = -1;/* Options for TLS connections */
 
 
 /*
@@ -1032,7 +1032,14 @@ _httpTLSStart(http_t *http)              /* I - Connection to server */
                                        /* Priority string */
 
 
-  DEBUG_printf(("7_httpTLSStart(http=%p)", http));
+  DEBUG_printf(("3_httpTLSStart(http=%p)", http));
+
+  if (tls_options < 0)
+  {
+    DEBUG_puts("4_httpTLSStart: Setting defaults.");
+    _cupsSetDefaults();
+    DEBUG_printf(("4_httpTLSStart: tls_options=%x", tls_options));
+  }
 
   if (http->mode == _HTTP_MODE_SERVER && !tls_keypath)
   {
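Review bot: The same -1 sentinel hazard applies here: if `_cupsSetDefaults()` does not end up storing a value, `tls_options` remains -1 for the rest of the function, and any `tls_options & _HTTP_TLS_ALLOW_*` test used when the priority string is built (outside this hunk) will see every flag set, loosening cipher selection instead of keeping the previous default of 0. Normalizing after the call, `if (tls_options < 0) tls_options = 0;`, keeps the fall-through restrictive. The lazy initialization also reads and writes the shared static without taking `tls_mutex`, which this file declares a few lines above. `_httpTLSStart` continues past the end of the hunk.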
index f5c44d0fbfa3c574722325aaccadc545f53f4861..25be327d18b2f9ef627b28918df1fab0d1197440 100644 (file)
@@ -54,7 +54,7 @@
  * Local globals...
  */
 
-static int             tls_options = 0;/* Options for TLS connections */
+static int             tls_options = -1;/* Options for TLS connections */
 
 
 /*
@@ -930,7 +930,14 @@ _httpTLSStart(http_t *http)                /* I - HTTP connection */
        *hostptr;                       /* Pointer into hostname */
 
 
-  DEBUG_printf(("7_httpTLSStart(http=%p)", http));
+  DEBUG_printf(("3_httpTLSStart(http=%p)", http));
+
+  if (tls_options < 0)
+  {
+    DEBUG_puts("4_httpTLSStart: Setting defaults.");
+    _cupsSetDefaults();
+    DEBUG_printf(("4_httpTLSStart: tls_options=%x", tls_options));
+  }
 
   if ((http->tls = http_sspi_alloc()) == NULL)
     return (-1);
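Review bot: As in the other backends, a `_cupsSetDefaults()` that leaves `tls_options` untouched leaves it at -1, which satisfies every `tls_options & flag` test downstream (not visible in this hunk) and therefore permits whatever the mask is meant to gate, whereas the pre-change default of 0 permitted none of it. Add `if (tls_options < 0) tls_options = 0;` after the call, or track "defaults loaded" with a separate flag rather than overloading the sign of the options word. `_httpTLSStart` continues beyond the hunk.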
index 42294a9e8aaf893f2257007d038bb52556015eb8..77ee7fc65d7a5e0965c32d7fa64f6174eaefe430 100644 (file)
@@ -1250,6 +1250,8 @@ cups_set_ssl_options(
   }
 
   cc->ssl_options = options;
+
+  DEBUG_printf(("4cups_set_ssl_options(cc=%p, value=\"%s\") options=%x", cc, value, options));
 }
 #endif /* HAVE_SSL */