From: msweet
Date: Wed, 20 May 2015 18:37:52 +0000 (+0000)
Subject: More tweaks for cipher suite restrictions.
X-Git-Tag: v2.2b1~295
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b37d45d9edf36de04536cdb398ee08a025b5e6bb;p=thirdparty%2Fcups.git
More tweaks for cipher suite restrictions.
git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@12647 a1ca3aef-8c08-0410-bb20-df032aa958be
---
diff --git a/cups/tls-darwin.c b/cups/tls-darwin.c
index 2ad8254846..529f506886 100644
--- a/cups/tls-darwin.c
+++ b/cups/tls-darwin.c
@@ -41,7 +41,7 @@ static char *tls_keypath = NULL; /* Server cert keychain path */
 static _cups_mutex_t tls_mutex = _CUPS_MUTEX_INITIALIZER; /* Mutex for keychain/certs */
-static int tls_options = 0;/* Options for TLS connections */
+static int tls_options = -1;/* Options for TLS connections */
 #endif /* HAVE_SECKEYCHAINOPEN */
@@ -1009,7 +1009,14 @@ _httpTLSStart(http_t *http) /* I - HTTP connection */
 http_credential_t *credential; /* Credential data */
- DEBUG_printf(("7_httpTLSStart(http=%p)", http));
+ DEBUG_printf(("3_httpTLSStart(http=%p)", http));
+
+ if (tls_options < 0)
+ {
+ DEBUG_puts("4_httpTLSStart: Setting defaults.");
+ _cupsSetDefaults();
+ DEBUG_printf(("4_httpTLSStart: tls_options=%x", tls_options));
+ }
 #ifdef HAVE_SECKEYCHAINOPEN
 if (http->mode == _HTTP_MODE_SERVER && !tls_keychain)
@@ -1131,6 +1138,7 @@ _httpTLSStart(http_t *http) /* I - HTTP connection */
 case TLS_RSA_PSK_WITH_NULL_SHA256 :
 case TLS_RSA_PSK_WITH_NULL_SHA384 :
 case SSL_RSA_WITH_DES_CBC_MD5 :
+ DEBUG_printf(("4_httpTLSStart: Excluding insecure cipher suite %d", supported[i]));
 break;
 /* RC4 cipher suites that should only be used as a last resort */
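Review bot: With `tls_options` now initialised to -1 in the -41 hunk, the lazy `_cupsSetDefaults()` call added in the -1009 hunk fails open if it does not end up assigning `tls_options`: every bit stays set, so the `tls_options & _HTTP_TLS_ALLOW_RC4` and `tls_options & _HTTP_TLS_ALLOW_DH` gates later in `_httpTLSStart` (the -1145 and -1185 hunks) would both pass and enable exactly the suites the previous default of 0 excluded. Whether `_cupsSetDefaults()` assigns the options on every configuration and build is not visible in this diff, so a deny-by-default fallback directly after the call is cheap insurance: `if (tls_options < 0) tls_options = 0; /* defaults did not set TLS options; keep restrictions on */`. The same check-then-initialise block is repeated in tls-gnutls.c (-1032 hunk) and tls-sspi.c (-930 hunk) and needs the same fallback. The block also reads `tls_options` without taking `tls_mutex`, which is declared next to it; two connections starting TLS at the same time may each call `_cupsSetDefaults()`, presumably harmless if it is idempotent, but worth a one-line comment saying so. `_httpTLSStart` continues beyond the hunk.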
@@ -1145,6 +1153,8 @@ _httpTLSStart(http_t *http) /* I - HTTP connection */
 case TLS_RSA_PSK_WITH_RC4_128_SHA :
 if (tls_options & _HTTP_TLS_ALLOW_RC4)
 enabled[num_enabled ++] = supported[i];
+ else
+ DEBUG_printf(("4_httpTLSStart: Excluding RC4 cipher suite %d", supported[i]));
 break;
 /* DH/DHE cipher suites that are problematic with parameters < 1024 bits */
@@ -1185,6 +1195,8 @@ _httpTLSStart(http_t *http) /* I - HTTP connection */
 case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 :
 if (tls_options & _HTTP_TLS_ALLOW_DH)
 enabled[num_enabled ++] = supported[i];
+ else
+ DEBUG_printf(("4_httpTLSStart: Excluding DH/DHE cipher suite %d", supported[i]));
 break;
 /* Anything else we'll assume is secure */
diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
index 424fa4932e..d78a5d63c3 100644
--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
@@ -36,7 +36,7 @@ static char *tls_keypath = NULL; /* Server cert keychain path */
 static _cups_mutex_t tls_mutex = _CUPS_MUTEX_INITIALIZER; /* Mutex for keychain/certs */
-static int tls_options = 0;/* Options for TLS connections */
+static int tls_options = -1;/* Options for TLS connections */
 /*
@@ -1032,7 +1032,14 @@ _httpTLSStart(http_t *http) /* I - Connection to server */
 /* Priority string */
- DEBUG_printf(("7_httpTLSStart(http=%p)", http));
+ DEBUG_printf(("3_httpTLSStart(http=%p)", http));
+
+ if (tls_options < 0)
+ {
+ DEBUG_puts("4_httpTLSStart: Setting defaults.");
+ _cupsSetDefaults();
+ DEBUG_printf(("4_httpTLSStart: tls_options=%x", tls_options));
+ }
 if (http->mode == _HTTP_MODE_SERVER && !tls_keypath)
 {
diff --git a/cups/tls-sspi.c b/cups/tls-sspi.c
index f5c44d0fbf..25be327d18 100644
--- a/cups/tls-sspi.c
+++ b/cups/tls-sspi.c
@@ -54,7 +54,7 @@
 * Local globals... */
-static int tls_options = 0;/* Options for TLS connections */
+static int tls_options = -1;/* Options for TLS connections */
 /*
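Review bot: The exclusion messages added in the -1145 and -1185 hunks (and the -1131 hunk in tls-darwin.c above) print `supported[i]` with `%d`, but cipher suites are identified by hexadecimal code points, so a decimal value is awkward to match against the registry or against the `case` labels in this very switch when reading a debug log. Printing it as `0x%04x` with an explicit `(unsigned)` cast keeps the format specifier correct regardless of the width of the cipher-suite type, e.g. `DEBUG_printf(("4_httpTLSStart: Excluding RC4 cipher suite 0x%04x", (unsigned)supported[i]));` and the same for the DH/DHE and insecure-suite lines. The `switch` these hunks belong to starts and ends outside the visible lines.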
@@ -930,7 +930,14 @@ _httpTLSStart(http_t *http) /* I - HTTP connection */
 *hostptr; /* Pointer into hostname */
- DEBUG_printf(("7_httpTLSStart(http=%p)", http));
+ DEBUG_printf(("3_httpTLSStart(http=%p)", http));
+
+ if (tls_options < 0)
+ {
+ DEBUG_puts("4_httpTLSStart: Setting defaults.");
+ _cupsSetDefaults();
+ DEBUG_printf(("4_httpTLSStart: tls_options=%x", tls_options));
+ }
 if ((http->tls = http_sspi_alloc()) == NULL)
 return (-1);
diff --git a/cups/usersys.c b/cups/usersys.c
index 42294a9e8a..77ee7fc65d 100644
--- a/cups/usersys.c
+++ b/cups/usersys.c
@@ -1250,6 +1250,8 @@ cups_set_ssl_options(
 }
 cc->ssl_options = options;
+
+ DEBUG_printf(("4cups_set_ssl_options(cc=%p, value=\"%s\") options=%x", cc, value, options));
 }
 #endif /* HAVE_SSL */