From: Pascal Ernster Date: Sun, 22 Oct 2017 20:12:18 +0000 (+0200) Subject: Revert "Changed AllowDH to no-op on gnutls platforms, explicitly disabled ANON-DH... X-Git-Tag: v2.2.6~11^2~4 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5ee613bbc6881d159a5e350eff25530c32c11a6d;p=thirdparty%2Fcups.git Revert "Changed AllowDH to no-op on gnutls platforms, explicitly disabled ANON-DH and ANON-ECDH ciphersuites on gnutls" This reverts commit 46a7b416ee5f64ff3d4b98ef333e5d74b9f0c29f. --- diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c index cab657ce4c..379ecf9e04 100644 --- a/cups/tls-gnutls.c +++ b/cups/tls-gnutls.c @@ -1499,7 +1499,7 @@ _httpTLSStart(http_t *http) /* I - Connection to server */ return (-1); } - strlcpy(priority_string, "NORMAL:!ANON-ECDH:!ANON-DH", sizeof(priority_string)); + strlcpy(priority_string, "NORMAL", sizeof(priority_string)); if (tls_options & _HTTP_TLS_DENY_TLS10) strlcat(priority_string, ":+VERS-TLS-ALL:!VERS-TLS1.0:!VERS-SSL3.0", sizeof(priority_string)); @@ -1515,7 +1515,10 @@ _httpTLSStart(http_t *http) /* I - Connection to server */ else strlcat(priority_string, ":!ARCFOUR-128", sizeof(priority_string)); - /* _HTTP_TLS_ALLOW_DH cannot be implemented with gnutls */ + if (tls_options & _HTTP_TLS_ALLOW_DH) + strlcat(priority_string, ":+ANON-DH", sizeof(priority_string)); + else + strlcat(priority_string, ":!ANON-DH", sizeof(priority_string)); if (tls_options & _HTTP_TLS_DENY_CBC) strlcat(priority_string, ":!AES-128-CBC:!AES-256-CBC:!CAMELLIA-128-CBC:!CAMELLIA-256-CBC:!3DES-CBC", sizeof(priority_string)); diff --git a/doc/help/man-cupsd.conf.html b/doc/help/man-cupsd.conf.html index eaef850315..1a22a8618d 100644 --- a/doc/help/man-cupsd.conf.html +++ b/doc/help/man-cupsd.conf.html @@ -283,10 +283,10 @@ The default is "Minimal".
SSLOptions None
Sets encryption options. By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. -The AllowDH option enables cipher suites using static Diffie-Hellman key negotiation. This option is currently only supported on macOS. -The AllowRC4 option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones. This option is currently not supported on Windows. -The AllowSSL3 option enables the SSL v3.0 protocol, which is required for some older clients that do not support TLS v1.0. -The DenyCBC option disables all CBC cipher suites. This option is currently not supported on Windows. +The AllowDH option enables cipher suites using the horribly insecure anonymous Diffie-Hellman key negotiation which is vulnerable to man-in-the-middle attacks. +The AllowRC4 option enables the insecure 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones. +The AllowSSL3 option enables the insecure SSL v3.0 protocol, which is required for some older clients that do not support TLS v1.0. +The DenyCBC option disables all CBC cipher suites. The DenyTLS1.0 option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
SSLPort port
Listens on the specified port for encrypted connections. diff --git a/man/cupsd.conf.man.in b/man/cupsd.conf.man.in index b450e3e9a0..6e9690b43f 100644 --- a/man/cupsd.conf.man.in +++ b/man/cupsd.conf.man.in @@ -445,10 +445,10 @@ Listens on the specified address and port for encrypted connections. \fBSSLOptions None\fR Sets encryption options. By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. -The \fIAllowDH\fR option enables cipher suites using static Diffie-Hellman key negotiation. This option is currently only supported on macOS. -The \fIAllowRC4\fR option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones. This option is currently not supported on Windows. -The \fIAllowSSL3\fR option enables the SSL v3.0 protocol, which is required for some older clients that do not support TLS v1.0. -The \fIDenyCBC\fR option disables all CBC cipher suites. This option is currently not supported on Windows. +The \fIAllowDH\fR option enables cipher suites using the horribly insecure anonymous Diffie-Hellman key negotiation which is vulnerable to man-in-the-middle attacks. +The \fIAllowRC4\fR option enables the insecure 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones. +The \fIAllowSSL3\fR option enables the insecure SSL v3.0 protocol, which is required for some older clients that do not support TLS v1.0. +The \fIDenyCBC\fR option disables all CBC cipher suites. The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1. .\"#SSLPort .TP 5