From: Zdenek Dohnal
Date: Tue, 7 Jan 2025 14:12:15 +0000 (+0100)
Subject: Add `NoSystem` SSLOptions value
X-Git-Tag: v2.4.12~35
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=40e62848ab3aa94b98dfaf1334e1c478c266bc73;p=thirdparty%2Fcups.git
Add `NoSystem` SSLOptions value
In case using system crypto policy breaks communication with device irreversibly (f.e. if device does not support better key exchange algorithm), the new option value gives a way how to opt-out from crypto policy if user do not want to change default system crypto policy for the whole machine.
---
diff --git a/CHANGES.md b/CHANGES.md
index 9fba982994..319b6e2833 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -6,6 +6,7 @@ Changes in CUPS v2.4.12 (YYYY-MM-DD)
 ------------------------------------
 - GnuTLS follows system crypto policies now (Issue #1105)
+- Added `NoSystem` SSLOptions value (Issue #1130)
 - Fixed a compressed file error handling bug (Issue #1070)
 - Fixed a bug in the make-and-model whitespace trimming code (Issue #1096)
 - Fixed a removal of IPP Everywhere permanent queue if installation failed (Issue #1102)
diff --git a/cups/http-private.h b/cups/http-private.h
index 5f77b8ef00..f248bbb8dc 100644
--- a/cups/http-private.h
+++ b/cups/http-private.h
@@ -131,7 +131,8 @@ extern "C" {
 # define _HTTP_TLS_ALLOW_RC4 1 /* Allow RC4 cipher suites */
 # define _HTTP_TLS_ALLOW_DH 2 /* Allow DH/DHE key negotiation */
 # define _HTTP_TLS_DENY_CBC 4 /* Deny CBC cipher suites */
-# define _HTTP_TLS_SET_DEFAULT 128 /* Setting the default TLS options */
+# define _HTTP_TLS_NO_SYSTEM 8 /* No system crypto policy */
+# define _HTTP_TLS_SET_DEFAULT 128 /* Setting the default TLS options */
 # define _HTTP_TLS_SSL3 0 /* Min/max version is SSL/3.0 */
 # define _HTTP_TLS_1_0 1 /* Min/max version is TLS/1.0 */
diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
index 719161da72..e8224b217d 100644
--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
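Review bot: The new `_HTTP_TLS_NO_SYSTEM` flag is consumed only by the tls-gnutls.c hunks of this patch; no other TLS backend is touched, so on a build that uses a different backend the option would presumably parse in client.conf/cupsd.conf and then have no effect. If that is the case, the macro comment should say so, e.g. `/* No system crypto policy (GnuTLS backend only) */`, and the man-page sentence added later in this patch should carry the same caveat, so an administrator does not assume the system policy is being bypassed when it is still applied (or never was). The `extern "C"` block this hunk sits in starts and ends outside the hunk.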
@@ -1285,6 +1285,8 @@ _httpTLSStart(http_t *http) /* I - Connection to server */
 DEBUG_printf(("3_httpTLSStart(http=%p)", http));
+ priority_string[0] = '\0';
+
 if (tls_options < 0)
 {
 DEBUG_puts("4_httpTLSStart: Setting defaults.");
@@ -1504,7 +1506,10 @@ _httpTLSStart(http_t *http) /* I - Connection to server */
 return (-1);
 }
- strlcpy(priority_string, "@SYSTEM,NORMAL", sizeof(priority_string));
+ if (!(tls_options & _HTTP_TLS_NO_SYSTEM))
+ strlcpy(priority_string, "@SYSTEM,", sizeof(priority_string));
+
+ strlcat(priority_string, "NORMAL", sizeof(priority_string));
 if (tls_max_version < _HTTP_TLS_MAX)
 {
diff --git a/cups/usersys.c b/cups/usersys.c
index f752159b09..6075873077 100644
--- a/cups/usersys.c
+++ b/cups/usersys.c
@@ -1608,6 +1608,8 @@ cups_set_ssl_options(
 min_version = _HTTP_TLS_1_3;
 else if (!_cups_strcasecmp(start, "None"))
 options = _HTTP_TLS_NONE;
+ else if (!_cups_strcasecmp(start, "NoSystem"))
+ options |= _HTTP_TLS_NO_SYSTEM;
 }
 cc->ssl_options = options;
diff --git a/doc/help/man-client.conf.html b/doc/help/man-client.conf.html
index 81cd73a1a6..9194481bba 100644
--- a/doc/help/man-client.conf.html
+++ b/doc/help/man-client.conf.html
@@ -44,7 +44,7 @@ CUPS adds the remote hostname ("name@server.example.com") for you. The default n
 Note: This directive is not supported on macOS 10.7 or later.
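Review bot: In the `@@ -1504` hunk, when `_HTTP_TLS_NO_SYSTEM` is set the `@SYSTEM,` prefix is dropped and the handshake runs on GnuTLS's built-in `NORMAL` profile plus whatever version/cipher adjustments follow, so the administrator's system-wide policy floor no longer applies, yet nothing records that the opt-out took effect. Adding `else DEBUG_puts("4_httpTLSStart: NoSystem set, not applying system crypto policy.");` after the `strlcpy` line would make a policy-bypassed connection visible when troubleshooting a failed or unexpectedly weak handshake. Since `tls_options` looks like a file-scope setting rather than per-connection state, the opt-out presumably applies to every TLS connection this process makes, not only the one device the commit message describes; a one-line comment above the `if` stating that scope would help the next reader. `_httpTLSStart` starts and ends outside both hunks.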
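Review bot: The `NoSystem` branch added to `cups_set_ssl_options` is a verbatim copy of the one added to `read_cupsd_conf` in scheduler/conf.c (the `@@ -3054` hunk), and the two SSLOptions parsers have already diverged: conf.c reports an unrecognised keyword via `cupsdLogMessage(CUPSD_LOG_WARN, "Unknown SSL option %s at line %d.", ...)`, whereas here a misspelled value is silently ignored, so a client that believes it opted out of the system policy is still subject to it with no diagnostic. Moving the keyword table into one shared helper under cups/ would stop the two lists drifting; short of that, a `DEBUG_printf` for unrecognised tokens in this loop would at least surface typos. Note also that the `None` branch assigns `options = _HTTP_TLS_NONE` while `NoSystem` ORs into it, so `SSLOptions NoSystem None` and `SSLOptions None NoSystem` produce different settings; the man-page text could say which order is intended. `cups_set_ssl_options` starts and ends outside the hunk.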
ServerName hostname-or-ip-address[:port]/version=1.1
Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier. -
SSLOptions [AllowDH] [AllowRC4] [AllowSSL3] [DenyCBC] [DenyTLS1.0] [MaxTLS1.0] [MaxTLS1.1] [MaxTLS1.2] [MaxTLS1.3] [MinTLS1.0] [MinTLS1.1] [MinTLS1.2] [MinTLS1.3] +
SSLOptions [AllowDH] [AllowRC4] [AllowSSL3] [DenyCBC] [DenyTLS1.0] [MaxTLS1.0] [MaxTLS1.1] [MaxTLS1.2] [MaxTLS1.3] [MinTLS1.0] [MinTLS1.1] [MinTLS1.2] [MinTLS1.3] [NoSystem]
SSLOptions None
Sets encryption options (only in /etc/cups/client.conf). By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. @@ -57,6 +57,7 @@ The DenyCBC option disables all CBC cipher suites. The DenyTLS1.0 option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1. The MinTLS options set the minimum TLS version to support. The MaxTLS options set the maximum TLS version to support. +The NoSystem option disables applying system cryptographic policy. Not all operating systems support TLS 1.3 at this time.
TrustOnFirstUse Yes
TrustOnFirstUse No diff --git a/doc/help/man-cupsd.conf.html b/doc/help/man-cupsd.conf.html index 4fd42f3141..4a53953877 100644 --- a/doc/help/man-cupsd.conf.html +++ b/doc/help/man-cupsd.conf.html @@ -285,7 +285,7 @@ The default is "Minimal".
SSLListen [ipv6-address]:port
SSLListen *:port
Listens on the specified address and port for encrypted connections. -
SSLOptions [AllowDH] [AllowRC4] [AllowSSL3] [DenyCBC] [DenyTLS1.0] [MaxTLS1.0] [MaxTLS1.1] [MaxTLS1.2] [MaxTLS1.3] [MinTLS1.0] [MinTLS1.1] [MinTLS1.2] [MinTLS1.3] +
SSLOptions [AllowDH] [AllowRC4] [AllowSSL3] [DenyCBC] [DenyTLS1.0] [MaxTLS1.0] [MaxTLS1.1] [MaxTLS1.2] [MaxTLS1.3] [MinTLS1.0] [MinTLS1.1] [MinTLS1.2] [MinTLS1.3] [NoSystem]
SSLOptions None
Sets encryption options (only in /etc/cups/client.conf). By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. @@ -298,6 +298,7 @@ The DenyCBC option disables all CBC cipher suites. The DenyTLS1.0 option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1. The MinTLS options set the minimum TLS version to support. The MaxTLS options set the maximum TLS version to support. +The NoSystem option disables applying system cryptographic policy. Not all operating systems support TLS 1.3 at this time.
SSLPort port
Listens on the specified port for encrypted connections. @@ -632,7 +633,7 @@ Require authentication for accesses from outside the 10. network: subscriptions.conf(5), CUPS Online Help (http://localhost:631/help)

Copyright

-Copyright © 2020-2023 by OpenPrinting.
+Copyright © 2020-2024 by OpenPrinting.
diff --git a/man/client.conf.5 b/man/client.conf.5
index 54808c09f9..56d6ec3ec0 100644
--- a/man/client.conf.5
+++ b/man/client.conf.5
@@ -67,7 +67,7 @@ Specifies the address and optionally the port to use when connecting to the serv
 Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.
 .\"#SSLOptions
 .TP 5
-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
+\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR] [\fINoSystem\fR]
 .TP 5
 \fBSSLOptions None\fR
 Sets encryption options (only in /etc/cups/client.conf).
@@ -81,6 +81,7 @@ The \fIDenyCBC\fR option disables all CBC cipher suites.
 The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
 The \fIMinTLS\fR options set the minimum TLS version to support.
 The \fIMaxTLS\fR options set the maximum TLS version to support.
+The \fINoSystem\fR option disables applying system cryptographic policy.
 Not all operating systems support TLS 1.3 at this time.
 .\"#TrustOnFirstUse
 .TP 5
diff --git a/man/cupsd.conf.5 b/man/cupsd.conf.5
index fd5762dfd0..4e1a7ca810 100644
--- a/man/cupsd.conf.5
+++ b/man/cupsd.conf.5
@@ -447,7 +447,7 @@ Listens on the specified address and port for encrypted connections.
 .\"#SSLOptions
 .TP 5
 .TP 5
-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
+\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR] [\fINoSystem\fR]
 .TP 5
 \fBSSLOptions None\fR
 Sets encryption options (only in /etc/cups/client.conf).
@@ -461,6 +461,7 @@ The \fIDenyCBC\fR option disables all CBC cipher suites.
 The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
 The \fIMinTLS\fR options set the minimum TLS version to support.
 The \fIMaxTLS\fR options set the maximum TLS version to support.
+The \fINoSystem\fR option disables applying system cryptographic policy.
 Not all operating systems support TLS 1.3 at this time.
 .\"#SSLPort
 .TP 5
diff --git a/scheduler/conf.c b/scheduler/conf.c
index 3184d72f01..3bf1764797 100644
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
@@ -3054,6 +3054,8 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
 min_version = _HTTP_TLS_1_3;
 else if (!_cups_strcasecmp(start, "None"))
 options = _HTTP_TLS_NONE;
+ else if (!_cups_strcasecmp(start, "NoSystem"))
+ options |= _HTTP_TLS_NO_SYSTEM;
 else if (_cups_strcasecmp(start, "NoEmptyFragments"))
 cupsdLogMessage(CUPSD_LOG_WARN, "Unknown SSL option %s at line %d.", start, linenum);
 }