From: Michael R Sweet
Date: Mon, 24 Jul 2017 00:02:57 +0000 (-0400)
Subject: Fix "DenyCBC" priority string with GNU TLS.
X-Git-Tag: v2.2.5~78
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5e59cd062f1e12cda4d955c09ea6da5cee8a7bc2;p=thirdparty%2Fcups.git
Fix "DenyCBC" priority string with GNU TLS.
---
diff --git a/CHANGES.md b/CHANGES.md
index b247c1f1c8..5ff87a7312 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,4 +1,4 @@
-CHANGES - 2.2.5 - 2017-07-19
+CHANGES - 2.2.5 - 2017-07-23
 ============================
 CHANGES IN CUPS V2.2.5
@@ -28,6 +28,7 @@ CHANGES IN CUPS V2.2.5
 printers (rdar://33250434)
 - Fixed the `cups.strings` file that is used on macOS (rdar://33287650)
 - CUPS now sends the `Date` HTTP header in IPP requests (rdar://33302034)
+- Fixed the DenyCBC option when using GNU TLS.
 CHANGES IN CUPS V2.2.4
diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
index 48bc11aa96..d77e20789c 100644
--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
@@ -1242,7 +1242,7 @@ _httpTLSStart(http_t *http) /* I - Connection to server */
 int status; /* Status of handshake */
 gnutls_certificate_credentials_t *credentials; /* TLS credentials */
- char priority_string[1024];
+ char priority_string[2048];
 /* Priority string */
@@ -1519,7 +1519,7 @@ _httpTLSStart(http_t *http) /* I - Connection to server */
 strlcat(priority_string, ":!ANON-DH", sizeof(priority_string));
 if (!(tls_options & _HTTP_TLS_DENY_CBC))
- strlcat(priority_string, ":!CBC", sizeof(priority_string));
+ strlcat(priority_string, ":!AES-128-CBC:!AES-256-CBC:!CAMELLIA-128-CBC:!CAMELLIA-256-CBC:!3DES-CBC", sizeof(priority_string));
 #ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
 gnutls_priority_set_direct(http->tls, priority_string, NULL);
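Review bot: The guard on the context line directly above the changed `strlcat` in the second tls-gnutls.c hunk, `if (!(tls_options & _HTTP_TLS_DENY_CBC))`, reads as inverted: as written the CBC suites are removed only when the DenyCBC flag is absent, so enabling the option would leave CBC negotiable; judging by the flag name it should be `if (tls_options & _HTTP_TLS_DENY_CBC)`. The return value of `gnutls_priority_set_direct(http->tls, priority_string, NULL)` at the end of the hunk is also discarded, so a priority string that GNU TLS rejects goes unnoticed and the session presumably keeps whatever priorities it had before; comparing the result with `GNUTLS_E_SUCCESS` and failing the TLS setup would surface a bad string instead of silently weakening the policy. Because the new string names five CBC ciphers explicitly, a short comment noting that the list must be extended when the linked GNU TLS gains further CBC suites would help maintainers. _httpTLSStart begins and ends outside this hunk.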