----------------------
- Added USB quirks rules for Canon MP540 and Samsung ML-2160 (Issue #5148)
+- Fixed TLS cipher suite selection with GNU TLS (Issue #5145)
Changes in CUPS v2.2.5
* Constants...
*/
-
-#define _HTTP_MAX_SBUFFER 65536 /* Size of (de)compression buffer */
-#define _HTTP_RESOLVE_DEFAULT 0 /* Just resolve with default options */
-#define _HTTP_RESOLVE_STDERR 1 /* Log resolve progress to stderr */
-#define _HTTP_RESOLVE_FQDN 2 /* Resolve to a FQDN */
-#define _HTTP_RESOLVE_FAXOUT 4 /* Resolve FaxOut service? */
-
-#define _HTTP_TLS_NONE 0 /* No TLS options */
-#define _HTTP_TLS_ALLOW_RC4 1 /* Allow RC4 cipher suites */
-#define _HTTP_TLS_ALLOW_SSL3 2 /* Allow SSL 3.0 */
-#define _HTTP_TLS_ALLOW_DH 4 /* Allow DH/DHE key negotiation */
-#define _HTTP_TLS_DENY_TLS10 16 /* Deny TLS 1.0 */
-#define _HTTP_TLS_DENY_CBC 32 /* Deny CBC cipher suites */
-#define _HTTP_TLS_ONLY_TLS10 64 /* Only use TLS 1.0 */
+# define _HTTP_MAX_SBUFFER 65536 /* Size of (de)compression buffer */
+# define _HTTP_RESOLVE_DEFAULT 0 /* Just resolve with default options */
+# define _HTTP_RESOLVE_STDERR 1 /* Log resolve progress to stderr */
+# define _HTTP_RESOLVE_FQDN 2 /* Resolve to a FQDN */
+# define _HTTP_RESOLVE_FAXOUT 4 /* Resolve FaxOut service? */
+
+# define _HTTP_TLS_NONE 0 /* No TLS options */
+# define _HTTP_TLS_ALLOW_RC4 1 /* Allow RC4 cipher suites */
+# define _HTTP_TLS_ALLOW_SSL3 2 /* Allow SSL 3.0 */
+# define _HTTP_TLS_ALLOW_DH 4 /* Allow DH/DHE key negotiation */
+# define _HTTP_TLS_DENY_TLS10 16 /* Deny TLS 1.0 */
+# define _HTTP_TLS_DENY_CBC 32 /* Deny CBC cipher suites */
+# define _HTTP_TLS_ONLY_TLS10 64 /* Only use TLS 1.0 */
+# define _HTTP_TLS_SET_DEFAULT 128 /* Setting the default TLS options */
/*
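Review bot: The comment on the new `_HTTP_TLS_SET_DEFAULT` line, `/* Setting the default TLS options */`, does not tell a reader that this value is a control flag for `_httpTLSSetOptions()` rather than another TLS option to be tested against `tls_options` like the bits above it; suggest `/* Flag for _httpTLSSetOptions(): apply only if no options are set yet */`. The `#define` to `# define` change on the remaining lines of the hunk is whitespace only.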
void
_httpTLSSetOptions(int options) /* I - Options */
{
- tls_options = options;
+ if (!(options & _HTTP_TLS_SET_DEFAULT) || tls_options < 0)
+ tls_options = options;
}
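Review bot: The assignment on the accepted path, `tls_options = options;`, stores the `_HTTP_TLS_SET_DEFAULT` control bit together with the real options, so every later `tls_options & ...` test runs against a value that also carries bit 128; mask it out with `tls_options = options & ~_HTTP_TLS_SET_DEFAULT;`. The new `tls_options < 0` test only does what the condition intends if the static is initialised to a negative sentinel rather than `_HTTP_TLS_NONE`; that definition is outside this hunk, so confirm it was changed, otherwise the default call made from the client.conf loader never takes effect. A one-line comment above the `if` would also help, e.g. `/* A default (SET_DEFAULT) call only applies if nothing was set explicitly */`. The same points apply to the two identical `_httpTLSSetOptions` hunks that follow.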
void
_httpTLSSetOptions(int options) /* I - Options */
{
- tls_options = options;
+ if (!(options & _HTTP_TLS_SET_DEFAULT) || tls_options < 0)
+ tls_options = options;
}
if (!(tls_options & _HTTP_TLS_ALLOW_RC4))
strlcat(priority_string, ":-ARCFOUR-128", sizeof(priority_string));
- if (!(tls_options & _HTTP_TLS_ALLOW_DH))
- strlcat(priority_string, ":!ANON-DH", sizeof(priority_string));
+ strlcat(priority_string, ":!ANON-DH", sizeof(priority_string));
- if (!(tls_options & _HTTP_TLS_DENY_CBC))
+ if (tls_options & _HTTP_TLS_DENY_CBC)
strlcat(priority_string, ":!AES-128-CBC:!AES-256-CBC:!CAMELLIA-128-CBC:!CAMELLIA-256-CBC:!3DES-CBC", sizeof(priority_string));
#ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
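Review bot: `:!ANON-DH` is now appended unconditionally, so `_HTTP_TLS_ALLOW_DH` (still defined in the header and still settable via SSLOptions) silently has no effect on GNU TLS builds; the client.conf(5) text in this commit says so, but the code should too, e.g. `/* AllowDH is not honoured with GNU TLS: anonymous DH is always excluded (see client.conf(5)) */` above the `strlcat`. A smaller style point: the RC4 exclusion uses `:-ARCFOUR-128` while every other exclusion uses `!`; as far as I recall, in GnuTLS priority strings `-` only removes the algorithm whereas `!` also keeps it removed if a later keyword re-adds it, so using `!` throughout would be more consistent (worth checking against the GnuTLS priority-string documentation). The enclosing function starts and ends outside the hunk.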
* TLS support for CUPS on Windows using the Security Support Provider
* Interface (SSPI).
*
- * Copyright 2010-2015 by Apple Inc.
+ * Copyright 2010-2017 by Apple Inc.
*
* These coded instructions, statements, and computer programs are the
* property of Apple Inc. and are protected by Federal copyright
void
_httpTLSSetOptions(int options) /* I - Options */
{
- tls_options = options;
+ if (!(options & _HTTP_TLS_SET_DEFAULT) || tls_options < 0)
+ tls_options = options;
}
cg->validate_certs = cc.validate_certs;
#ifdef HAVE_SSL
- _httpTLSSetOptions(cc.ssl_options);
+ _httpTLSSetOptions(cc.ssl_options | _HTTP_TLS_SET_DEFAULT);
#endif /* HAVE_SSL */
}
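Review bot: The call site gives no hint that adding `_HTTP_TLS_SET_DEFAULT` turns this into a conditional set: with the new `_httpTLSSetOptions()` it only takes effect when no options have been stored yet, so any earlier explicit call wins over the client.conf value. Add a comment above the call, `/* Default only: ignored if _httpTLSSetOptions() was already called explicitly */`. The enclosing function starts outside the hunk.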
.\" which should have been included with this file. If this file is
.\" file is missing or damaged, see the license at "http://www.cups.org/".
.\"
-.TH client.conf 5 "CUPS" "26 June 2017" "Apple Inc."
+.TH client.conf 5 "CUPS" "19 October 2017" "Apple Inc."
.SH NAME
client.conf \- client configuration file for cups
.SH DESCRIPTION
\fBSSLOptions None\fR
Sets encryption options (only in /etc/cups/client.conf).
By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
-The \fIAllowDH\fR option enables cipher suites using plain Diffie-Hellman key negotiation.
-The \fIAllowRC4\fR option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones.
+Security is reduced when \fIAllow\fR options are used.
+Security is enhanced when \fIDeny\fR options are used.
+The \fIAllowDH\fR option enables cipher suites using plain Diffie-Hellman key negotiation (not supported on systems using GNU TLS).
+The \fIAllowRC4\fR option enables the 128-bit RC4 cipher suites, which are required for some older clients.
The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
The \fIDenyCBC\fR option disables all CBC cipher suites.
The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
.\" which should have been included with this file. If this file is
.\" file is missing or damaged, see the license at "http://www.cups.org/".
.\"
-.TH cupsd.conf 5 "CUPS" "28 August 2017" "Apple Inc."
+.TH cupsd.conf 5 "CUPS" "19 October 2017" "Apple Inc."
.SH NAME
cupsd.conf \- server configuration file for cups
.SH DESCRIPTION
\fBSSLOptions None\fR
Sets encryption options.
By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
-The \fIAllowDH\fR option enables cipher suites using plain Diffie-Hellman key negotiation.
-The \fIAllowRC4\fR option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones.
+Security is reduced when \fIAllow\fR options are used.
+Security is enhanced when \fIDeny\fR options are used.
+The \fIAllowDH\fR option enables cipher suites using plain Diffie-Hellman key negotiation (not supported on systems using GNU TLS).
+The \fIAllowRC4\fR option enables the 128-bit RC4 cipher suites, which are required for some older clients.
The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
The \fIDenyCBC\fR option disables all CBC cipher suites.
The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.