- The `cupsConnectDest` function now supports the `CUPS_DEST_FLAGS_DEVICE` flag
for explicitly connecting to the device (printer) associated with the
destination.
+- The `SSLOptions` directive in "client.conf" and "cupsd.conf" now supports
+ `DenyCBC` and `DenyTLS1.0` options (Issue #5037)
CHANGES IN CUPS V2.2.3
/*
* Private HTTP definitions for CUPS.
*
- * Copyright 2007-2016 by Apple Inc.
+ * Copyright 2007-2017 by Apple Inc.
* Copyright 1997-2007 by Easy Software Products, all rights reserved.
*
* These coded instructions, statements, and computer programs are the
#define _HTTP_TLS_ALLOW_SSL3 2 /* Allow SSL 3.0 */
#define _HTTP_TLS_ALLOW_DH 4 /* Allow DH/DHE key negotiation */
#define _HTTP_TLS_DENY_TLS10 16 /* Deny TLS 1.0 */
+#define _HTTP_TLS_DENY_CBC 32 /* Deny CBC cipher suites */
/*
case TLS_DHE_RSA_WITH_AES_256_CBC_SHA :
case TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA :
case TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA :
-// case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA :
case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA :
case TLS_DH_DSS_WITH_AES_128_CBC_SHA256 :
case TLS_DH_RSA_WITH_AES_128_CBC_SHA256 :
case TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA :
case TLS_DHE_PSK_WITH_AES_128_CBC_SHA :
case TLS_DHE_PSK_WITH_AES_256_CBC_SHA :
+ case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 :
+ case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 :
+ if (tls_options & _HTTP_TLS_DENY_CBC)
+ {
+ DEBUG_printf(("4_httpTLSStart: Excluding CBC cipher suite %d", supported[i]));
+ break;
+ }
+
// case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 :
// case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 :
case TLS_DH_RSA_WITH_AES_128_GCM_SHA256 :
case TLS_DH_DSS_WITH_AES_256_GCM_SHA384 :
case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 :
case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 :
- case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 :
- case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 :
if (tls_options & _HTTP_TLS_ALLOW_DH)
enabled[num_enabled ++] = supported[i];
else
DEBUG_printf(("4_httpTLSStart: Excluding DH/DHE cipher suite %d", supported[i]));
break;
- /* Anything else we'll assume is secure */
+ case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA :
+ case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 :
+ case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 :
+ case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 :
+ case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 :
+ case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 :
+ case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 :
+ case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 :
+ case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 :
+ if (tls_options & _HTTP_TLS_DENY_CBC)
+ {
+ DEBUG_printf(("4_httpTLSStart: Excluding CBC cipher suite %d", supported[i]));
+ break;
+ }
+
+ /* Anything else we'll assume is "secure" */
default :
enabled[num_enabled ++] = supported[i];
break;
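Review bot: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (L52) is placed in the ECDH(E) CBC group, which falls through to `default` and enables the suite without the `_HTTP_TLS_ALLOW_DH` check, while its sibling TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (L24) sits in the DH group and is gated by AllowDH; if the old commented-out case (L23) was not hiding a duplicate enum value, the case label belongs in the first group, i.e. move `case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA :` up beside L24 so DenyCBC and AllowDH both apply to it. The two identical `DEBUG_printf` excludes (L34, L63) could share one short comment explaining that CBC suites are dropped before the DH decision so DenyCBC wins over AllowDH. The enclosing switch and _httpTLSStart start and end outside the hunk.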
if (!(tls_options & _HTTP_TLS_ALLOW_DH))
strlcat(priority_string, ":!ANON-DH", sizeof(priority_string));
+ if (!(tls_options & _HTTP_TLS_DENY_CBC))
+ strlcat(priority_string, ":!CBC", sizeof(priority_string));
+
#ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
gnutls_priority_set_direct(http->tls, priority_string, NULL);
}
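Review bot: The new condition at L73 is inverted: `:!CBC` is appended when `_HTTP_TLS_DENY_CBC` is NOT set, so a client that configures DenyCBC keeps CBC suites and one that does not loses them; by analogy with the AllowDH line above it should read `if (tls_options & _HTTP_TLS_DENY_CBC)`. I am not aware of `CBC` being a recognised GnuTLS priority keyword the way the Darwin code enumerates suites; please confirm against the GnuTLS priority-string documentation, since the unchecked `gnutls_priority_set_direct(..., NULL)` call at L77 would make an unrecognised keyword fail silently and leave the session with whatever priority was last applied. Checking that return value (and logging it via DEBUG_printf) would make both mistakes visible. The enclosing function continues outside the hunk.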
#endif /* SP_PROT_TLS1_2_SERVER */
- /* TODO: Support _HTTP_TLS_ALLOW_RC4 and _HTTP_TLS_ALLOW_DH options; right now we'll rely on Windows registry to enable/disable RC4/DH... */
+ /* TODO: Support _HTTP_TLS_ALLOW_RC4, _HTTP_TLS_ALLOW_DH, and _HTTP_TLS_DENY_CBC options; right now we'll rely on Windows registry to enable/disable RC4/DH/CBC... */
/*
* Create an SSPI credential.
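Review bot: The SSPI backend now silently ignores `_HTTP_TLS_DENY_CBC` per the updated TODO at L81, while the client.conf and cupsd.conf man pages in this same commit state that DenyCBC "disables all CBC cipher suites" with no platform caveat, so a Windows administrator gets no indication that the option did nothing. Until the option is implemented here, document the gap in the man pages (e.g. "On Windows, cipher suite selection is controlled by the system registry and the AllowDH, AllowRC4 and DenyCBC options are ignored") and consider a `DEBUG_printf` at the point where tls_options is read in this backend noting the unsupported bits. The enclosing function lies outside the hunk.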
options |= _HTTP_TLS_ALLOW_SSL3;
else if (!_cups_strcasecmp(start, "AllowDH"))
options |= _HTTP_TLS_ALLOW_DH;
+ else if (!_cups_strcasecmp(start, "DenyCBC"))
+ options |= _HTTP_TLS_DENY_CBC;
else if (!_cups_strcasecmp(start, "DenyTLS1.0"))
options |= _HTTP_TLS_DENY_TLS10;
else if (!_cups_strcasecmp(start, "None"))
.\"
.\" client.conf man page for CUPS.
.\"
-.\" Copyright 2007-2016 by Apple Inc.
+.\" Copyright 2007-2017 by Apple Inc.
.\" Copyright 2006 by Easy Software Products.
.\"
.\" These coded instructions, statements, and computer programs are the
.\" which should have been included with this file. If this file is
.\" file is missing or damaged, see the license at "http://www.cups.org/".
.\"
-.TH client.conf 5 "CUPS" "20 June 2016" "Apple Inc."
+.TH client.conf 5 "CUPS" "26 June 2017" "Apple Inc."
.SH NAME
client.conf \- client configuration file for cups
.SH DESCRIPTION
\fBServerName \fIhostname-or-ip-address\fR[\fI:port\fR]\fB/version=1.1\fR
Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.
.TP 5
-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyTLS1.0\fR]
+\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR]
.TP 5
\fBSSLOptions None\fR
Sets encryption options (only in /etc/cups/client.conf).
The \fIAllowDH\fR option enables cipher suites using plain Diffie-Hellman key negotiation.
The \fIAllowRC4\fR option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones.
The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
+The \fIDenyCBC\fR option disables all CBC cipher suites.
The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
.TP 5
\fBTrustOnFirstUse Yes\fR
.\" which should have been included with this file. If this file is
.\" file is missing or damaged, see the license at "http://www.cups.org/".
.\"
-.TH cupsd.conf 5 "CUPS" "21 June 2016" "Apple Inc."
+.TH cupsd.conf 5 "CUPS" "26 June 2017" "Apple Inc."
.SH NAME
cupsd.conf \- server configuration file for cups
.SH DESCRIPTION
Listens on the specified address and port for encrypted connections.
.\"#SSLOptions
.TP 5
-\fBSSLOptions \fR[\fIAllowRC4\fR] [\fIAllowSSL3\fR]
+\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR]
.TP 5
\fBSSLOptions None\fR
Sets encryption options.
By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
+The \fIAllowDH\fR option enables cipher suites using plain Diffie-Hellman key negotiation.
The \fIAllowRC4\fR option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones.
The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
+The \fIDenyCBC\fR option disables all CBC cipher suites.
+The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
.\"#SSLPort
.TP 5
\fBSSLPort \fIport\fR
else if (!_cups_strcasecmp(line, "SSLOptions"))
{
/*
- * SSLOptions [AllowRC4] [AllowSSL3] [None]
+ * SSLOptions [AllowRC4] [AllowSSL3] [AllowDH] [DenyCBC] [DenyTLS1.0] [None]
*/
int options = 0; /* SSL/TLS options */
options |= _HTTP_TLS_ALLOW_RC4;
else if (!_cups_strcasecmp(start, "AllowSSL3"))
options |= _HTTP_TLS_ALLOW_SSL3;
+ else if (!_cups_strcasecmp(start, "AllowDH"))
+ options |= _HTTP_TLS_ALLOW_DH;
+ else if (!_cups_strcasecmp(start, "DenyCBC"))
+ options |= _HTTP_TLS_DENY_CBC;
+ else if (!_cups_strcasecmp(start, "DenyTLS1.0"))
+ options |= _HTTP_TLS_DENY_TLS10;
else if (!_cups_strcasecmp(start, "None"))
options = 0;
else if (_cups_strcasecmp(start, "NoEmptyFragments"))
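Review bot: The new `else if` chain at L158-L163 is a second copy of the client-side SSLOptions parser in usersys.c (same keywords, same `_cups_strcasecmp` calls, same flag assignments), and the two had already drifted apart before this commit since cupsd.conf lacked AllowDH and DenyTLS1.0 until now; a single private helper in http-private.h that maps an option token to its `_HTTP_TLS_*` bit, called from both places, would keep future options (and their security semantics) in sync. The comment at L152 lists the options in a different order from the man page synopsis; matching the documented alphabetical order (`AllowDH`, `AllowRC4`, `AllowSSL3`, `DenyCBC`, `DenyTLS1.0`, `None`) makes cross-checking easier. The enclosing function continues outside the hunk.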