Fix "DenyCBC" priority string with GNU TLS.
authorMichael R Sweet <michael.r.sweet@gmail.com>
Mon, 24 Jul 2017 00:02:57 +0000 (20:02 -0400)
committerMichael R Sweet <michael.r.sweet@gmail.com>
Mon, 24 Jul 2017 00:02:57 +0000 (20:02 -0400)
CHANGES.md
cups/tls-gnutls.c

index b247c1f1c86b074f32fc0fcfb94107402b2350f3..5ff87a7312d21db20d96f53f30305238555ebcc4 100644 (file)
@@ -1,4 +1,4 @@
-CHANGES - 2.2.5 - 2017-07-19
+CHANGES - 2.2.5 - 2017-07-23
 ============================
 
 CHANGES IN CUPS V2.2.5
@@ -28,6 +28,7 @@ CHANGES IN CUPS V2.2.5
   printers (rdar://33250434)
 - Fixed the `cups.strings` file that is used on macOS (rdar://33287650)
 - CUPS now sends the `Date` HTTP header in IPP requests (rdar://33302034)
+- Fixed the DenyCBC option when using GNU TLS.
 
 
 CHANGES IN CUPS V2.2.4
index 48bc11aa96a92df1136282e9b140ad23ecbaa589..d77e20789c37c7020929f223baa9344a64d5fe98 100644 (file)
@@ -1242,7 +1242,7 @@ _httpTLSStart(http_t *http)               /* I - Connection to server */
   int                  status;         /* Status of handshake */
   gnutls_certificate_credentials_t *credentials;
                                        /* TLS credentials */
-  char                 priority_string[1024];
+  char                 priority_string[2048];
                                        /* Priority string */
 
 
@@ -1519,7 +1519,7 @@ _httpTLSStart(http_t *http)               /* I - Connection to server */
     strlcat(priority_string, ":!ANON-DH", sizeof(priority_string));
 
   if (!(tls_options & _HTTP_TLS_DENY_CBC))
-    strlcat(priority_string, ":!CBC", sizeof(priority_string));
+    strlcat(priority_string, ":!AES-128-CBC:!AES-256-CBC:!CAMELLIA-128-CBC:!CAMELLIA-256-CBC:!3DES-CBC", sizeof(priority_string));
 
 #ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
   gnutls_priority_set_direct(http->tls, priority_string, NULL);
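Review bot: The guard on the CBC exclusions reads `if (!(tls_options & _HTTP_TLS_DENY_CBC))`, so the `!…-CBC` entries are appended only when the DenyCBC flag is clear, which looks inverted for a flag with that name; if so it should be `if (tls_options & _HTTP_TLS_DENY_CBC)`. That line is unchanged context here, but the new string only takes effect through it, so with DenyCBC configured the CBC suites would apparently stay enabled. Separately, the result of `gnutls_priority_set_direct(http->tls, priority_string, NULL)` is discarded, so a priority string that GnuTLS rejects goes unnoticed and the session presumably keeps its earlier priorities; checking for a non-zero return and failing the handshake would surface that. `_httpTLSStart` starts and ends outside this hunk.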