diff -up cups-2.2.6/cups/http-private.h.remove-weak-ciphers cups-2.2.6/cups/http-private.h
|
|
|
1d75c0 |
--- cups-2.2.6/cups/http-private.h.remove-weak-ciphers 2017-11-01 15:57:53.000000000 +0100
|
|
|
1d75c0 |
+++ cups-2.2.6/cups/http-private.h 2018-08-07 11:53:54.985633959 +0200
|
|
|
1d75c0 |
@@ -180,13 +180,17 @@ extern "C" {
|
|
|
1d75c0 |
|
|
|
1d75c0 |
# define _HTTP_TLS_NONE 0 /* No TLS options */
|
|
|
1d75c0 |
# define _HTTP_TLS_ALLOW_RC4 1 /* Allow RC4 cipher suites */
|
|
|
1d75c0 |
-# define _HTTP_TLS_ALLOW_SSL3 2 /* Allow SSL 3.0 */
|
|
|
1d75c0 |
-# define _HTTP_TLS_ALLOW_DH 4 /* Allow DH/DHE key negotiation */
|
|
|
1d75c0 |
-# define _HTTP_TLS_DENY_TLS10 16 /* Deny TLS 1.0 */
|
|
|
1d75c0 |
-# define _HTTP_TLS_DENY_CBC 32 /* Deny CBC cipher suites */
|
|
|
1d75c0 |
-# define _HTTP_TLS_ONLY_TLS10 64 /* Only use TLS 1.0 */
|
|
|
1d75c0 |
+# define _HTTP_TLS_ALLOW_DH 2 /* Allow DH/DHE key negotiation */
|
|
|
1d75c0 |
+# define _HTTP_TLS_DENY_CBC 4 /* Deny CBC cipher suites */
|
|
|
1d75c0 |
# define _HTTP_TLS_SET_DEFAULT 128 /* Setting the default TLS options */
|
|
|
1d75c0 |
|
|
|
1d75c0 |
+# define _HTTP_TLS_SSL3 0 /* Min/max version is SSL/3.0 */
|
|
|
1d75c0 |
+# define _HTTP_TLS_1_0 1 /* Min/max version is TLS/1.0 */
|
|
|
1d75c0 |
+# define _HTTP_TLS_1_1 2 /* Min/max version is TLS/1.1 */
|
|
|
1d75c0 |
+# define _HTTP_TLS_1_2 3 /* Min/max version is TLS/1.2 */
|
|
|
1d75c0 |
+# define _HTTP_TLS_1_3 4 /* Min/max version is TLS/1.3 */
|
|
|
1d75c0 |
+# define _HTTP_TLS_MAX 5 /* Highest known TLS version */
|
|
|
1d75c0 |
+
|
|
|
1d75c0 |
|
|
|
1d75c0 |
/*
|
|
|
1d75c0 |
* Types and functions for SSL support...
|
|
|
1d75c0 |
@@ -442,7 +446,7 @@ extern void _httpTLSInitialize(void);
|
|
|
1d75c0 |
extern size_t _httpTLSPending(http_t *http);
|
|
|
1d75c0 |
extern int _httpTLSRead(http_t *http, char *buf, int len);
|
|
|
1d75c0 |
extern int _httpTLSSetCredentials(http_t *http);
|
|
|
1d75c0 |
-extern void _httpTLSSetOptions(int options);
|
|
|
1d75c0 |
+extern void _httpTLSSetOptions(int options, int min_version, int max_version);
|
|
|
1d75c0 |
extern int _httpTLSStart(http_t *http);
|
|
|
1d75c0 |
extern void _httpTLSStop(http_t *http);
|
|
|
1d75c0 |
extern int _httpTLSWrite(http_t *http, const char *buf, int len);
|
|
|
1d75c0 |
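Review bot: The comment on `_HTTP_TLS_MAX` (`/* Highest known TLS version */`) describes the constant wrongly: the backends use it as the index of a "no explicit limit" sentinel (`kTLSProtocolMaxSupported` in tls-darwin.c, `"VERS-TLS-ALL"` in tls-gnutls.c), one past the highest known version `_HTTP_TLS_1_3`. A comment such as `/* No version limit; one past the highest known version (backend tables hold _HTTP_TLS_MAX + 1 entries in this order) */` would also record that the per-backend tables must stay in step with this enumeration. The new `_httpTLSSetOptions(int options, int min_version, int max_version)` prototype should state that the two version arguments take these `_HTTP_TLS_*` values and that `min_version <= max_version` is expected, since the implementations index tables with them and perform no validation of their own. The renumbering of `_HTTP_TLS_ALLOW_DH` and `_HTTP_TLS_DENY_CBC` is only safe because this header is private; any out-of-tree code compiled against the old values would silently get different behaviour.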
diff -up cups-2.2.6/cups/tlscheck.c.remove-weak-ciphers cups-2.2.6/cups/tlscheck.c
|
|
|
1d75c0 |
--- cups-2.2.6/cups/tlscheck.c.remove-weak-ciphers 2017-11-01 15:57:53.000000000 +0100
|
|
|
1d75c0 |
+++ cups-2.2.6/cups/tlscheck.c 2018-08-07 11:53:54.987633942 +0200
|
|
|
1d75c0 |
@@ -54,6 +54,8 @@ main(int argc, /* I - Number of comm
|
|
|
1d75c0 |
int af = AF_UNSPEC, /* Address family */
|
|
|
1d75c0 |
tls_options = _HTTP_TLS_NONE,
|
|
|
1d75c0 |
/* TLS options */
|
|
|
1d75c0 |
+ tls_min_version = _HTTP_TLS_1_0,
|
|
|
1d75c0 |
+ tls_max_version = _HTTP_TLS_MAX,
|
|
|
1d75c0 |
verbose = 0; /* Verbosity */
|
|
|
1d75c0 |
ipp_t *request, /* IPP Get-Printer-Attributes request */
|
|
|
1d75c0 |
*response; /* IPP Get-Printer-Attributes response */
|
|
|
1d75c0 |
@@ -88,11 +90,12 @@ main(int argc, /* I - Number of comm
|
|
|
1d75c0 |
}
|
|
|
1d75c0 |
else if (!strcmp(argv[i], "--no-tls10"))
|
|
|
1d75c0 |
{
|
|
|
1d75c0 |
- tls_options |= _HTTP_TLS_DENY_TLS10;
|
|
|
1d75c0 |
+ tls_min_version = _HTTP_TLS_1_1;
|
|
|
1d75c0 |
}
|
|
|
1d75c0 |
else if (!strcmp(argv[i], "--tls10"))
|
|
|
1d75c0 |
{
|
|
|
1d75c0 |
- tls_options |= _HTTP_TLS_ONLY_TLS10;
|
|
|
1d75c0 |
+ tls_min_version = _HTTP_TLS_1_0;
|
|
|
1d75c0 |
+ tls_max_version = _HTTP_TLS_1_0;
|
|
|
1d75c0 |
}
|
|
|
1d75c0 |
else if (!strcmp(argv[i], "--rc4"))
|
|
|
1d75c0 |
{
|
|
|
1d75c0 |
@@ -148,7 +151,7 @@ main(int argc, /* I - Number of comm
|
|
|
1d75c0 |
if (!port)
|
|
|
1d75c0 |
port = 631;
|
|
|
1d75c0 |
|
|
|
1d75c0 |
- _httpTLSSetOptions(tls_options);
|
|
|
1d75c0 |
+ _httpTLSSetOptions(tls_options, tls_min_version, tls_max_version);
|
|
|
1d75c0 |
|
|
|
1d75c0 |
http = httpConnect2(server, port, NULL, af, HTTP_ENCRYPTION_ALWAYS, 1, 30000, NULL);
|
|
|
1d75c0 |
if (!http)
|
|
|
1d75c0 |
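Review bot: Nothing checks that `tls_min_version <= tls_max_version` before the `_httpTLSSetOptions(tls_options, tls_min_version, tls_max_version)` call, so `--tls10 --no-tls10` leaves the minimum at `_HTTP_TLS_1_1` and the maximum at `_HTTP_TLS_1_0`, an empty range that the backends pass to the TLS library unchecked. A guard before the call, `if (tls_min_version > tls_max_version) { fputs("tlscheck: --tls10 and --no-tls10 are mutually exclusive.\n", stderr); return (1); }`, would report the conflict instead of producing an unexplained failed handshake. `main` begins and ends outside these hunks.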
diff -up cups-2.2.6/cups/tls-darwin.c.remove-weak-ciphers cups-2.2.6/cups/tls-darwin.c
|
|
|
1d75c0 |
--- cups-2.2.6/cups/tls-darwin.c.remove-weak-ciphers 2017-11-01 15:57:53.000000000 +0100
|
|
|
1d75c0 |
+++ cups-2.2.6/cups/tls-darwin.c 2018-08-07 11:53:54.986633951 +0200
|
|
|
1d75c0 |
@@ -53,7 +53,9 @@ static char *tls_keypath = NULL;
|
|
|
1d75c0 |
/* Server cert keychain path */
|
|
|
1d75c0 |
static _cups_mutex_t tls_mutex = _CUPS_MUTEX_INITIALIZER;
|
|
|
1d75c0 |
/* Mutex for keychain/certs */
|
|
|
1d75c0 |
-static int tls_options = -1;/* Options for TLS connections */
|
|
|
1d75c0 |
+static int tls_options = -1,/* Options for TLS connections */
|
|
|
1d75c0 |
+ tls_min_version = _HTTP_TLS_1_0,
|
|
|
1d75c0 |
+ tls_max_version = _HTTP_TLS_MAX;
|
|
|
1d75c0 |
|
|
|
1d75c0 |
|
|
|
1d75c0 |
/*
|
|
|
1d75c0 |
@@ -1139,10 +1141,16 @@ _httpTLSRead(http_t *http, /* I - HTTP
|
|
|
1d75c0 |
*/
|
|
|
1d75c0 |
|
|
|
1d75c0 |
void
|
|
|
1d75c0 |
-_httpTLSSetOptions(int options) /* I - Options */
|
|
|
1d75c0 |
+_httpTLSSetOptions(int options, /* I - Options */
|
|
|
1d75c0 |
+ int min_version, /* I - Minimum TLS version */
|
|
|
1d75c0 |
+ int max_version) /* I - Maximum TLS version */
|
|
|
1d75c0 |
{
|
|
|
1d75c0 |
if (!(options & _HTTP_TLS_SET_DEFAULT) || tls_options < 0)
|
|
|
1d75c0 |
- tls_options = options;
|
|
|
1d75c0 |
+ {
|
|
|
1d75c0 |
+ tls_options = options;
|
|
|
1d75c0 |
+ tls_min_version = min_version;
|
|
|
1d75c0 |
+ tls_max_version = max_version;
|
|
|
1d75c0 |
+ }
|
|
|
1d75c0 |
}
|
|
|
1d75c0 |
|
|
|
1d75c0 |
|
|
|
1d75c0 |
@@ -1174,7 +1182,7 @@ _httpTLSStart(http_t *http) /* I - HTTP
|
|
|
1d75c0 |
{
|
|
|
1d75c0 |
DEBUG_puts("4_httpTLSStart: Setting defaults.");
|
|
|
1d75c0 |
_cupsSetDefaults();
|
|
|
1d75c0 |
- DEBUG_printf(("4_httpTLSStart: tls_options=%x", tls_options));
|
|
|
1d75c0 |
+ DEBUG_printf(("4_httpTLSStart: tls_options=%x, tls_min_version=%d, tls_max_version=%d", tls_options, tls_min_version, tls_max_version));
|
|
|
1d75c0 |
}
|
|
|
1d75c0 |
|
|
|
1d75c0 |
#ifdef HAVE_SECKEYCHAINOPEN
|
|
|
1d75c0 |
@@ -1217,22 +1225,23 @@ _httpTLSStart(http_t *http) /* I - HTTP
|
|
|
1d75c0 |
|
|
|
1d75c0 |
if (!error)
|
|
|
1d75c0 |
{
|
|
|
1d75c0 |
- SSLProtocol minProtocol;
|
|
|
1d75c0 |
-
|
|
|
1d75c0 |
- if (tls_options & _HTTP_TLS_DENY_TLS10)
|
|
|
1d75c0 |
- minProtocol = kTLSProtocol11;
|
|
|
1d75c0 |
- else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
|
|
|
1d75c0 |
- minProtocol = kSSLProtocol3;
|
|
|
1d75c0 |
- else
|
|
|
1d75c0 |
- minProtocol = kTLSProtocol1;
|
|
|
1d75c0 |
+ static const SSLProtocol protocols[] = /* Min/max protocol versions */
|
|
|
1d75c0 |
+ {
|
|
|
1d75c0 |
+ kSSLProtocol3,
|
|
|
1d75c0 |
+ kTLSProtocol1,
|
|
|
1d75c0 |
+ kTLSProtocol11,
|
|
|
1d75c0 |
+ kTLSProtocol12,
|
|
|
1d75c0 |
+ kTLSProtocol13,
|
|
|
1d75c0 |
+ kTLSProtocolMaxSupported
|
|
|
1d75c0 |
+ };
|
|
|
1d75c0 |
|
|
|
1d75c0 |
- error = SSLSetProtocolVersionMin(http->tls, minProtocol);
|
|
|
1d75c0 |
- DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMin(%d), error=%d", minProtocol, (int)error));
|
|
|
1d75c0 |
+ error = SSLSetProtocolVersionMin(http->tls, protocols[tls_min_version]);
|
|
|
1d75c0 |
+ DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMin(%d), error=%d", protocols[tls_min_version], (int)error));
|
|
|
1d75c0 |
|
|
|
1d75c0 |
- if (!error && (tls_options & _HTTP_TLS_ONLY_TLS10))
|
|
|
1d75c0 |
+ if (!error)
|
|
|
1d75c0 |
{
|
|
|
1d75c0 |
- error = SSLSetProtocolVersionMax(http->tls, kTLSProtocol1);
|
|
|
1d75c0 |
- DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMax(kTLSProtocol1), error=%d", (int)error));
|
|
|
1d75c0 |
+ error = SSLSetProtocolVersionMax(http->tls, protocols[tls_max_version]);
|
|
|
1d75c0 |
+ DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMax(%d), error=%d", protocols[tls_max_version], (int)error));
|
|
|
1d75c0 |
}
|
|
|
1d75c0 |
}
|
|
|
1d75c0 |
|
|
|
1d75c0 |
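Review bot: `_httpTLSSetOptions` stores `min_version` and `max_version` without any range check, and `_httpTLSStart` then uses them directly as indexes into the six-entry `protocols[]` table (`protocols[tls_min_version]`, `protocols[tls_max_version]`), so a caller passing a value outside `_HTTP_TLS_SSL3`..`_HTTP_TLS_MAX` produces an out-of-bounds read. The in-tree callers only pass the enumerated constants, but the setter is the shared entry point for every backend, so clamping there is the natural fix: `if (min_version < _HTTP_TLS_SSL3 || min_version > _HTTP_TLS_MAX) min_version = _HTTP_TLS_1_0;` followed by `if (max_version < min_version || max_version > _HTTP_TLS_MAX) max_version = _HTTP_TLS_MAX;`. The same unchecked setter is duplicated by this patch in tls-gnutls.c and tls-sspi.c and would need the same guard. `kTLSProtocol13` in the new table presumably requires a Security framework SDK that declares it, so the table will not compile against older SDKs unless that entry is guarded by an availability check.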
diff -up cups-2.2.6/cups/tls-gnutls.c.remove-weak-ciphers cups-2.2.6/cups/tls-gnutls.c
|
|
|
1d75c0 |
--- cups-2.2.6/cups/tls-gnutls.c.remove-weak-ciphers 2017-11-01 15:57:53.000000000 +0100
|
|
|
1d75c0 |
+++ cups-2.2.6/cups/tls-gnutls.c 2018-08-07 11:58:45.164114342 +0200
|
|
|
1d75c0 |
@@ -35,7 +35,9 @@ static char *tls_keypath = NULL;
|
|
|
1d75c0 |
/* Server cert keychain path */
|
|
|
1d75c0 |
static _cups_mutex_t tls_mutex = _CUPS_MUTEX_INITIALIZER;
|
|
|
1d75c0 |
/* Mutex for keychain/certs */
|
|
|
1d75c0 |
-static int tls_options = -1;/* Options for TLS connections */
|
|
|
1d75c0 |
+static int tls_options = -1,/* Options for TLS connections */
|
|
|
1d75c0 |
+ tls_min_version = _HTTP_TLS_1_0,
|
|
|
1d75c0 |
+ tls_max_version = _HTTP_TLS_MAX;
|
|
|
1d75c0 |
|
|
|
1d75c0 |
|
|
|
1d75c0 |
/*
|
|
|
1d75c0 |
@@ -1224,10 +1226,16 @@ _httpTLSSetCredentials(http_t *http) /*
|
|
|
1d75c0 |
*/
|
|
|
1d75c0 |
|
|
|
1d75c0 |
void
|
|
|
1d75c0 |
-_httpTLSSetOptions(int options) /* I - Options */
|
|
|
1d75c0 |
+_httpTLSSetOptions(int options, /* I - Options */
|
|
|
1d75c0 |
+ int min_version, /* I - Minimum TLS version */
|
|
|
1d75c0 |
+ int max_version) /* I - Maximum TLS version */
|
|
|
1d75c0 |
{
|
|
|
1d75c0 |
if (!(options & _HTTP_TLS_SET_DEFAULT) || tls_options < 0)
|
|
|
1d75c0 |
- tls_options = options;
|
|
|
1d75c0 |
+ {
|
|
|
1d75c0 |
+ tls_options = options;
|
|
|
1d75c0 |
+ tls_min_version = min_version;
|
|
|
1d75c0 |
+ tls_max_version = max_version;
|
|
|
1d75c0 |
+ }
|
|
|
1d75c0 |
}
|
|
|
1d75c0 |
|
|
|
1d75c0 |
|
|
|
1d75c0 |
@@ -1245,6 +1253,16 @@ _httpTLSStart(http_t *http) /* I - Conn
|
|
|
1d75c0 |
/* TLS credentials */
|
|
|
1d75c0 |
char priority_string[2048];
|
|
|
1d75c0 |
/* Priority string */
|
|
|
1d75c0 |
+ int version; /* Current version */
|
|
|
1d75c0 |
+ static const char * const versions[] =/* SSL/TLS versions */
|
|
|
1d75c0 |
+ {
|
|
|
1d75c0 |
+ "VERS-SSL3.0",
|
|
|
1d75c0 |
+ "VERS-TLS1.0",
|
|
|
1d75c0 |
+ "VERS-TLS1.1",
|
|
|
1d75c0 |
+ "VERS-TLS1.2",
|
|
|
1d75c0 |
+ "VERS-TLS1.3",
|
|
|
1d75c0 |
+ "VERS-TLS-ALL"
|
|
|
1d75c0 |
+ };
|
|
|
1d75c0 |
|
|
|
1d75c0 |
|
|
|
1d75c0 |
DEBUG_printf(("3_httpTLSStart(http=%p)", http));
|
|
|
1d75c0 |
@@ -1506,14 +1524,40 @@ _httpTLSStart(http_t *http) /* I - Conn
|
|
|
1d75c0 |
|
|
|
1d75c0 |
strlcpy(priority_string, "NORMAL", sizeof(priority_string));
|
|
|
1d75c0 |
|
|
|
1d75c0 |
- if (tls_options & _HTTP_TLS_DENY_TLS10)
|
|
|
1d75c0 |
- strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-TLS1.0:-VERS-SSL3.0", sizeof(priority_string));
|
|
|
1d75c0 |
- else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
|
|
|
1d75c0 |
+ if (tls_max_version < _HTTP_TLS_MAX)
|
|
|
1d75c0 |
+ {
|
|
|
1d75c0 |
+ /*
|
|
|
1d75c0 |
+ * Require specific TLS versions...
|
|
|
1d75c0 |
+ */
|
|
|
1d75c0 |
+
|
|
|
1d75c0 |
+ strlcat(priority_string, ":-VERS-TLS-ALL", sizeof(priority_string));
|
|
|
1d75c0 |
+ for (version = tls_min_version; version <= tls_max_version; version ++)
|
|
|
1d75c0 |
+ {
|
|
|
1d75c0 |
+ strlcat(priority_string, ":+", sizeof(priority_string));
|
|
|
1d75c0 |
+ strlcat(priority_string, versions[version], sizeof(priority_string));
|
|
|
1d75c0 |
+ }
|
|
|
1d75c0 |
+ }
|
|
|
1d75c0 |
+ else if (tls_min_version == _HTTP_TLS_SSL3)
|
|
|
1d75c0 |
+ {
|
|
|
1d75c0 |
+ /*
|
|
|
1d75c0 |
+ * Allow all versions of TLS and SSL/3.0...
|
|
|
1d75c0 |
+ */
|
|
|
1d75c0 |
+
|
|
|
1d75c0 |
strlcat(priority_string, ":+VERS-TLS-ALL:+VERS-SSL3.0", sizeof(priority_string));
|
|
|
1d75c0 |
- else if (tls_options & _HTTP_TLS_ONLY_TLS10)
|
|
|
1d75c0 |
- strlcat(priority_string, ":-VERS-TLS-ALL:-VERS-SSL3.0:+VERS-TLS1.0", sizeof(priority_string));
|
|
|
1d75c0 |
+ }
|
|
|
1d75c0 |
else
|
|
|
1d75c0 |
- strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-SSL3.0", sizeof(priority_string));
|
|
|
1d75c0 |
+ {
|
|
|
1d75c0 |
+ /*
|
|
|
1d75c0 |
+ * Require a minimum version...
|
|
|
1d75c0 |
+ */
|
|
|
1d75c0 |
+
|
|
|
1d75c0 |
+ strlcat(priority_string, ":+VERS-TLS-ALL", sizeof(priority_string));
|
|
|
1d75c0 |
+ for (version = 0; version < tls_min_version; version ++)
|
|
|
1d75c0 |
+ {
|
|
|
1d75c0 |
+ strlcat(priority_string, ":-", sizeof(priority_string));
|
|
|
1d75c0 |
+ strlcat(priority_string, versions[version], sizeof(priority_string));
|
|
|
1d75c0 |
+ }
|
|
|
1d75c0 |
+ }
|
|
|
1d75c0 |
|
|
|
1d75c0 |
if (tls_options & _HTTP_TLS_ALLOW_RC4)
|
|
|
1d75c0 |
strlcat(priority_string, ":+ARCFOUR-128", sizeof(priority_string));
|
|
|
1d75c0 |
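Review bot: The bounded-maximum branch (`if (tls_max_version < _HTTP_TLS_MAX)`) no longer disables SSL 3.0 explicitly: the removed lines always appended `:-VERS-SSL3.0`, while the new code appends only `:-VERS-TLS-ALL` and then re-enables the versions in `[tls_min_version, tls_max_version]`. Whether SSL 3.0 is still excluded then depends on whether the GnuTLS build's `NORMAL` set includes it, which, if I recall correctly, older releases did; adding `if (tls_min_version > _HTTP_TLS_SSL3) strlcat(priority_string, ":-VERS-SSL3.0", sizeof(priority_string));` after the `-VERS-TLS-ALL` line restores the unconditional denial the old code had. The `versions[]` table is indexed directly by `tls_min_version`/`tls_max_version`, so it has to hold exactly `_HTTP_TLS_MAX + 1` entries in header order and relies on `_httpTLSSetOptions` having validated the range, which it does not. A comment on the table, `/* Indexed by _HTTP_TLS_* version values; order must match http-private.h */`, would make that coupling visible.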
diff -up cups-2.2.6/cups/tls-sspi.c.remove-weak-ciphers cups-2.2.6/cups/tls-sspi.c
|
|
|
1d75c0 |
--- cups-2.2.6/cups/tls-sspi.c.remove-weak-ciphers 2017-11-01 15:57:53.000000000 +0100
|
|
|
1d75c0 |
+++ cups-2.2.6/cups/tls-sspi.c 2018-08-07 11:53:54.986633951 +0200
|
|
|
1d75c0 |
@@ -52,7 +52,9 @@
|
|
|
1d75c0 |
* Local globals...
|
|
|
1d75c0 |
*/
|
|
|
1d75c0 |
|
|
|
1d75c0 |
-static int tls_options = -1;/* Options for TLS connections */
|
|
|
1d75c0 |
+static int tls_options = -1,/* Options for TLS connections */
|
|
|
1d75c0 |
+ tls_min_version = _HTTP_TLS_1_0,
|
|
|
1d75c0 |
+ tls_max_version = _HTTP_TLS_MAX;
|
|
|
1d75c0 |
|
|
|
1d75c0 |
|
|
|
1d75c0 |
/*
|
|
|
1d75c0 |
@@ -914,7 +916,11 @@ void
|
|
|
1d75c0 |
_httpTLSSetOptions(int options) /* I - Options */
|
|
|
1d75c0 |
{
|
|
|
1d75c0 |
if (!(options & _HTTP_TLS_SET_DEFAULT) || tls_options < 0)
|
|
|
1d75c0 |
- tls_options = options;
|
|
|
1d75c0 |
+ {
|
|
|
1d75c0 |
+ tls_options = options;
|
|
|
1d75c0 |
+ tls_min_version = min_version;
|
|
|
1d75c0 |
+ tls_max_version = max_version;
|
|
|
1d75c0 |
+ }
|
|
|
1d75c0 |
}
|
|
|
1d75c0 |
|
|
|
1d75c0 |
|
|
|
1d75c0 |
@@ -1782,14 +1788,14 @@ http_sspi_find_credentials(
|
|
|
1d75c0 |
#else
|
|
|
1d75c0 |
if (http->mode == _HTTP_MODE_SERVER)
|
|
|
1d75c0 |
{
|
|
|
1d75c0 |
- if (tls_options & _HTTP_TLS_ALLOW_SSL3)
|
|
|
1d75c0 |
+ if (tls_min_version == _HTTP_TLS_SSL3)
|
|
|
1d75c0 |
SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_SERVER | SP_PROT_SSL3_SERVER;
|
|
|
1d75c0 |
else
|
|
|
1d75c0 |
SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_SERVER;
|
|
|
1d75c0 |
}
|
|
|
1d75c0 |
else
|
|
|
1d75c0 |
{
|
|
|
1d75c0 |
- if (tls_options & _HTTP_TLS_ALLOW_SSL3)
|
|
|
1d75c0 |
+ if (tls_min_version == _HTTP_TLS_SSL3)
|
|
|
1d75c0 |
SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT | SP_PROT_SSL3_CLIENT;
|
|
|
1d75c0 |
else
|
|
|
1d75c0 |
SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT;
|
|
|
1d75c0 |
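Review bot: The signature on the context line `_httpTLSSetOptions(int options) /* I - Options */` was not updated, yet the new body assigns `tls_min_version = min_version;` and `tls_max_version = max_version;`, so this file no longer compiles (undeclared identifiers) and the definition disagrees with the prototype in http-private.h. The declaration needs to become `_httpTLSSetOptions(int options, int min_version, int max_version)` with the parameter comments used in tls-darwin.c and tls-gnutls.c. In `http_sspi_find_credentials` only the SSL 3.0 case is translated (`tls_min_version == _HTTP_TLS_SSL3`) and `grbitEnabledProtocols` still offers only `SP_PROT_TLS1_*`, so `MinTLS1.1`/`MinTLS1.2` and all `MaxTLS*` options are silently ignored on this backend; honouring them would need the Schannel `SP_PROT_TLS1_1_*`/`SP_PROT_TLS1_2_*` flags, or the limitation should be stated in the man pages. `http_sspi_find_credentials` starts and ends outside the hunk.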
diff -up cups-2.2.6/cups/usersys.c.remove-weak-ciphers cups-2.2.6/cups/usersys.c
|
|
|
1d75c0 |
--- cups-2.2.6/cups/usersys.c.remove-weak-ciphers 2018-08-07 11:53:54.945634283 +0200
|
|
|
1d75c0 |
+++ cups-2.2.6/cups/usersys.c 2018-08-07 11:53:54.987633942 +0200
|
|
|
1d75c0 |
@@ -54,7 +54,9 @@
|
|
|
1d75c0 |
typedef struct _cups_client_conf_s /**** client.conf config data ****/
|
|
|
1d75c0 |
{
|
|
|
1d75c0 |
#ifdef HAVE_SSL
|
|
|
1d75c0 |
- int ssl_options; /* SSLOptions values */
|
|
|
1d75c0 |
+ int ssl_options, /* SSLOptions values */
|
|
|
1d75c0 |
+ ssl_min_version,/* Minimum SSL/TLS version */
|
|
|
1d75c0 |
+ ssl_max_version;/* Maximum SSL/TLS version */
|
|
|
1d75c0 |
#endif /* HAVE_SSL */
|
|
|
1d75c0 |
int trust_first, /* Trust on first use? */
|
|
|
1d75c0 |
any_root, /* Allow any (e.g., self-signed) root */
|
|
|
1d75c0 |
@@ -957,7 +959,7 @@ _cupsSetDefaults(void)
|
|
|
1d75c0 |
cg->validate_certs = cc.validate_certs;
|
|
|
1d75c0 |
|
|
|
1d75c0 |
#ifdef HAVE_SSL
|
|
|
1d75c0 |
- _httpTLSSetOptions(cc.ssl_options | _HTTP_TLS_SET_DEFAULT);
|
|
|
1d75c0 |
+ _httpTLSSetOptions(cc.ssl_options | _HTTP_TLS_SET_DEFAULT, cc.ssl_min_version, cc.ssl_max_version);
|
|
|
1d75c0 |
#endif /* HAVE_SSL */
|
|
|
1d75c0 |
}
|
|
|
1d75c0 |
|
|
|
1d75c0 |
@@ -1336,7 +1338,9 @@ cups_set_ssl_options(
|
|
|
1d75c0 |
* SSLOptions [AllowRC4] [AllowSSL3] [AllowDH] [DenyTLS1.0] [None]
|
|
|
1d75c0 |
*/
|
|
|
1d75c0 |
|
|
|
1d75c0 |
- int options = _HTTP_TLS_NONE; /* SSL/TLS options */
|
|
|
1d75c0 |
+ int options = _HTTP_TLS_NONE, /* SSL/TLS options */
|
|
|
1d75c0 |
+ min_version = _HTTP_TLS_1_0, /* Minimum SSL/TLS version */
|
|
|
1d75c0 |
+ max_version = _HTTP_TLS_MAX; /* Maximum SSL/TLS version */
|
|
|
1d75c0 |
char temp[256], /* Copy of value */
|
|
|
1d75c0 |
*start, /* Start of option */
|
|
|
1d75c0 |
*end; /* End of option */
|
|
|
1d75c0 |
@@ -1364,20 +1368,38 @@ cups_set_ssl_options(
|
|
|
1d75c0 |
if (!_cups_strcasecmp(start, "AllowRC4"))
|
|
|
1d75c0 |
options |= _HTTP_TLS_ALLOW_RC4;
|
|
|
1d75c0 |
else if (!_cups_strcasecmp(start, "AllowSSL3"))
|
|
|
1d75c0 |
- options |= _HTTP_TLS_ALLOW_SSL3;
|
|
|
1d75c0 |
+ min_version = _HTTP_TLS_SSL3;
|
|
|
1d75c0 |
else if (!_cups_strcasecmp(start, "AllowDH"))
|
|
|
1d75c0 |
options |= _HTTP_TLS_ALLOW_DH;
|
|
|
1d75c0 |
else if (!_cups_strcasecmp(start, "DenyCBC"))
|
|
|
1d75c0 |
options |= _HTTP_TLS_DENY_CBC;
|
|
|
1d75c0 |
else if (!_cups_strcasecmp(start, "DenyTLS1.0"))
|
|
|
1d75c0 |
- options |= _HTTP_TLS_DENY_TLS10;
|
|
|
1d75c0 |
+ min_version = _HTTP_TLS_1_1;
|
|
|
1d75c0 |
+ else if (!_cups_strcasecmp(start, "MaxTLS1.0"))
|
|
|
1d75c0 |
+ max_version = _HTTP_TLS_1_0;
|
|
|
1d75c0 |
+ else if (!_cups_strcasecmp(start, "MaxTLS1.1"))
|
|
|
1d75c0 |
+ max_version = _HTTP_TLS_1_1;
|
|
|
1d75c0 |
+ else if (!_cups_strcasecmp(start, "MaxTLS1.2"))
|
|
|
1d75c0 |
+ max_version = _HTTP_TLS_1_2;
|
|
|
1d75c0 |
+ else if (!_cups_strcasecmp(start, "MaxTLS1.3"))
|
|
|
1d75c0 |
+ max_version = _HTTP_TLS_1_3;
|
|
|
1d75c0 |
+ else if (!_cups_strcasecmp(start, "MinTLS1.0"))
|
|
|
1d75c0 |
+ min_version = _HTTP_TLS_1_0;
|
|
|
1d75c0 |
+ else if (!_cups_strcasecmp(start, "MinTLS1.1"))
|
|
|
1d75c0 |
+ min_version = _HTTP_TLS_1_1;
|
|
|
1d75c0 |
+ else if (!_cups_strcasecmp(start, "MinTLS1.2"))
|
|
|
1d75c0 |
+ min_version = _HTTP_TLS_1_2;
|
|
|
1d75c0 |
+ else if (!_cups_strcasecmp(start, "MinTLS1.3"))
|
|
|
1d75c0 |
+ min_version = _HTTP_TLS_1_3;
|
|
|
1d75c0 |
else if (!_cups_strcasecmp(start, "None"))
|
|
|
1d75c0 |
options = _HTTP_TLS_NONE;
|
|
|
1d75c0 |
}
|
|
|
1d75c0 |
|
|
|
1d75c0 |
- cc->ssl_options = options;
|
|
|
1d75c0 |
+ cc->ssl_options = options;
|
|
|
1d75c0 |
+ cc->ssl_max_version = max_version;
|
|
|
1d75c0 |
+ cc->ssl_min_version = min_version;
|
|
|
1d75c0 |
|
|
|
1d75c0 |
- DEBUG_printf(("4cups_set_ssl_options(cc=%p, value=\"%s\") options=%x", (void *)cc, value, options));
|
|
|
1d75c0 |
+ DEBUG_printf(("4cups_set_ssl_options(cc=%p, value=\"%s\") options=%x, min_version=%d, max_version=%d", (void *)cc, value, options, min_version, max_version));
|
|
|
1d75c0 |
}
|
|
|
1d75c0 |
#endif /* HAVE_SSL */
|
|
|
1d75c0 |
|
|
|
1d75c0 |
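Review bot: The `None` keyword (`options = _HTTP_TLS_NONE;`) resets only the option bits, but `AllowSSL3` and `DenyTLS1.0` now set `min_version` instead of a bit, so `SSLOptions AllowSSL3 None` leaves SSL 3.0 enabled where it previously cleared it. Resetting the versions as well keeps the old meaning: `{ options = _HTTP_TLS_NONE; min_version = _HTTP_TLS_1_0; max_version = _HTTP_TLS_MAX; }`. No check rejects `min_version > max_version` (for example `MinTLS1.2 MaxTLS1.0`) before the values are stored into `cc`, and the block comment `SSLOptions [AllowRC4] [AllowSSL3] [AllowDH] [DenyTLS1.0] [None]` does not list the new `MinTLS*`/`MaxTLS*` keywords. The same three points apply to the parallel `read_cupsd_conf` hunk in scheduler/conf.c, whose `None` branch likewise resets only `options`. `cups_set_ssl_options` starts outside the hunk.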
diff -up cups-2.2.6/man/client.conf.man.in.remove-weak-ciphers cups-2.2.6/man/client.conf.man.in
|
|
|
1d75c0 |
--- cups-2.2.6/man/client.conf.man.in.remove-weak-ciphers 2017-11-01 15:57:53.000000000 +0100
|
|
|
1d75c0 |
+++ cups-2.2.6/man/client.conf.man.in 2018-08-07 11:53:54.987633942 +0200
|
|
|
1d75c0 |
@@ -10,7 +10,7 @@
|
|
|
1d75c0 |
.\" which should have been included with this file. If this file is
|
|
|
1d75c0 |
.\" file is missing or damaged, see the license at "http://www.cups.org/".
|
|
|
1d75c0 |
.\"
|
|
|
1d75c0 |
-.TH client.conf 5 "CUPS" "19 October 2017" "Apple Inc."
|
|
|
1d75c0 |
+.TH client.conf 5 "CUPS" "3 November 2017" "Apple Inc."
|
|
|
1d75c0 |
.SH NAME
|
|
|
1d75c0 |
client.conf \- client configuration file for cups
|
|
|
1d75c0 |
.SH DESCRIPTION
|
|
|
1d75c0 |
@@ -56,7 +56,7 @@ Specifies the address and optionally the
|
|
|
1d75c0 |
\fBServerName \fIhostname-or-ip-address\fR[\fI:port\fR]\fB/version=1.1\fR
|
|
|
1d75c0 |
Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.
|
|
|
1d75c0 |
.TP 5
|
|
|
1d75c0 |
-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR]
|
|
|
1d75c0 |
+\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
|
|
|
1d75c0 |
.TP 5
|
|
|
1d75c0 |
\fBSSLOptions None\fR
|
|
|
1d75c0 |
Sets encryption options (only in /etc/cups/client.conf).
|
|
|
1d75c0 |
@@ -68,6 +68,9 @@ The \fIAllowRC4\fR option enables the 12
|
|
|
1d75c0 |
The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
|
|
|
1d75c0 |
The \fIDenyCBC\fR option disables all CBC cipher suites.
|
|
|
1d75c0 |
The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
|
|
|
1d75c0 |
+The \fMinTLS\fR options set the minimum TLS version to support.
|
|
|
1d75c0 |
+The \fMaxTLS\fR options set the maximum TLS version to support.
|
|
|
1d75c0 |
+Not all operating systems support TLS 1.3 at this time.
|
|
|
1d75c0 |
.TP 5
|
|
|
1d75c0 |
\fBTrustOnFirstUse Yes\fR
|
|
|
1d75c0 |
.TP 5
|
|
|
1d75c0 |
diff -up cups-2.2.6/man/cupsd.conf.man.in.remove-weak-ciphers cups-2.2.6/man/cupsd.conf.man.in
|
|
|
1d75c0 |
--- cups-2.2.6/man/cupsd.conf.man.in.remove-weak-ciphers 2018-08-07 11:53:54.981633991 +0200
|
|
|
1d75c0 |
+++ cups-2.2.6/man/cupsd.conf.man.in 2018-08-07 11:53:54.987633942 +0200
|
|
|
1d75c0 |
@@ -432,10 +432,11 @@ The default is "Minimal".
|
|
|
1d75c0 |
Listens on the specified address and port for encrypted connections.
|
|
|
1d75c0 |
.\"#SSLOptions
|
|
|
1d75c0 |
.TP 5
|
|
|
1d75c0 |
-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR]
|
|
|
1d75c0 |
+.TP 5
|
|
|
1d75c0 |
+\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
|
|
|
1d75c0 |
.TP 5
|
|
|
1d75c0 |
\fBSSLOptions None\fR
|
|
|
1d75c0 |
-Sets encryption options.
|
|
|
1d75c0 |
+Sets encryption options (only in /etc/cups/client.conf).
|
|
|
1d75c0 |
By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
|
|
|
1d75c0 |
Security is reduced when \fIAllow\fR options are used.
|
|
|
1d75c0 |
Security is enhanced when \fIDeny\fR options are used.
|
|
|
1d75c0 |
@@ -444,6 +445,9 @@ The \fIAllowRC4\fR option enables the 12
|
|
|
1d75c0 |
The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
|
|
|
1d75c0 |
The \fIDenyCBC\fR option disables all CBC cipher suites.
|
|
|
1d75c0 |
The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
|
|
|
1d75c0 |
+The \fMinTLS\fR options set the minimum TLS version to support.
|
|
|
1d75c0 |
+The \fMaxTLS\fR options set the maximum TLS version to support.
|
|
|
1d75c0 |
+Not all operating systems support TLS 1.3 at this time.
|
|
|
1d75c0 |
.\"#SSLPort
|
|
|
1d75c0 |
.TP 5
|
|
|
1d75c0 |
\fBSSLPort \fIport\fR
|
|
|
1d75c0 |
diff -up cups-2.2.6/scheduler/conf.c.remove-weak-ciphers cups-2.2.6/scheduler/conf.c
|
|
|
1d75c0 |
--- cups-2.2.6/scheduler/conf.c.remove-weak-ciphers 2018-08-07 11:53:54.981633991 +0200
|
|
|
1d75c0 |
+++ cups-2.2.6/scheduler/conf.c 2018-08-07 11:53:54.988633934 +0200
|
|
|
1d75c0 |
@@ -630,7 +630,7 @@ cupsdReadConfiguration(void)
|
|
|
1d75c0 |
cupsdSetString(&ServerKeychain, "/Library/Keychains/System.keychain");
|
|
|
1d75c0 |
# endif /* HAVE_GNUTLS */
|
|
|
1d75c0 |
|
|
|
1d75c0 |
- _httpTLSSetOptions(0);
|
|
|
1d75c0 |
+ _httpTLSSetOptions(_HTTP_TLS_NONE, _HTTP_TLS_1_0, _HTTP_TLS_MAX);
|
|
|
1d75c0 |
#endif /* HAVE_SSL */
|
|
|
1d75c0 |
|
|
|
1d75c0 |
language = cupsLangDefault();
|
|
|
1d75c0 |
@@ -3024,7 +3024,9 @@ read_cupsd_conf(cups_file_t *fp) /* I -
|
|
|
1d75c0 |
* SSLOptions [AllowRC4] [AllowSSL3] [AllowDH] [DenyCBC] [DenyTLS1.0] [None]
|
|
|
1d75c0 |
*/
|
|
|
1d75c0 |
|
|
|
1d75c0 |
- int options = 0; /* SSL/TLS options */
|
|
|
1d75c0 |
+ int options = _HTTP_TLS_NONE,/* SSL/TLS options */
|
|
|
1d75c0 |
+ min_version = _HTTP_TLS_1_0,
|
|
|
1d75c0 |
+ max_version = _HTTP_TLS_MAX;
|
|
|
1d75c0 |
|
|
|
1d75c0 |
if (value)
|
|
|
1d75c0 |
{
|
|
|
1d75c0 |
@@ -3048,24 +3050,40 @@ read_cupsd_conf(cups_file_t *fp) /* I -
|
|
|
1d75c0 |
* Compare...
|
|
|
1d75c0 |
*/
|
|
|
1d75c0 |
|
|
|
1d75c0 |
- if (!_cups_strcasecmp(start, "AllowRC4"))
|
|
|
1d75c0 |
+ if (!_cups_strcasecmp(start, "AllowRC4"))
|
|
|
1d75c0 |
options |= _HTTP_TLS_ALLOW_RC4;
|
|
|
1d75c0 |
- else if (!_cups_strcasecmp(start, "AllowSSL3"))
|
|
|
1d75c0 |
- options |= _HTTP_TLS_ALLOW_SSL3;
|
|
|
1d75c0 |
+ else if (!_cups_strcasecmp(start, "AllowSSL3"))
|
|
|
1d75c0 |
+ min_version = _HTTP_TLS_SSL3;
|
|
|
1d75c0 |
else if (!_cups_strcasecmp(start, "AllowDH"))
|
|
|
1d75c0 |
options |= _HTTP_TLS_ALLOW_DH;
|
|
|
1d75c0 |
else if (!_cups_strcasecmp(start, "DenyCBC"))
|
|
|
1d75c0 |
options |= _HTTP_TLS_DENY_CBC;
|
|
|
1d75c0 |
else if (!_cups_strcasecmp(start, "DenyTLS1.0"))
|
|
|
1d75c0 |
- options |= _HTTP_TLS_DENY_TLS10;
|
|
|
1d75c0 |
- else if (!_cups_strcasecmp(start, "None"))
|
|
|
1d75c0 |
- options = 0;
|
|
|
1d75c0 |
+ min_version = _HTTP_TLS_1_1;
|
|
|
1d75c0 |
+ else if (!_cups_strcasecmp(start, "MaxTLS1.0"))
|
|
|
1d75c0 |
+ max_version = _HTTP_TLS_1_0;
|
|
|
1d75c0 |
+ else if (!_cups_strcasecmp(start, "MaxTLS1.1"))
|
|
|
1d75c0 |
+ max_version = _HTTP_TLS_1_1;
|
|
|
1d75c0 |
+ else if (!_cups_strcasecmp(start, "MaxTLS1.2"))
|
|
|
1d75c0 |
+ max_version = _HTTP_TLS_1_2;
|
|
|
1d75c0 |
+ else if (!_cups_strcasecmp(start, "MaxTLS1.3"))
|
|
|
1d75c0 |
+ max_version = _HTTP_TLS_1_3;
|
|
|
1d75c0 |
+ else if (!_cups_strcasecmp(start, "MinTLS1.0"))
|
|
|
1d75c0 |
+ min_version = _HTTP_TLS_1_0;
|
|
|
1d75c0 |
+ else if (!_cups_strcasecmp(start, "MinTLS1.1"))
|
|
|
1d75c0 |
+ min_version = _HTTP_TLS_1_1;
|
|
|
1d75c0 |
+ else if (!_cups_strcasecmp(start, "MinTLS1.2"))
|
|
|
1d75c0 |
+ min_version = _HTTP_TLS_1_2;
|
|
|
1d75c0 |
+ else if (!_cups_strcasecmp(start, "MinTLS1.3"))
|
|
|
1d75c0 |
+ min_version = _HTTP_TLS_1_3;
|
|
|
1d75c0 |
+ else if (!_cups_strcasecmp(start, "None"))
|
|
|
1d75c0 |
+ options = _HTTP_TLS_NONE;
|
|
|
1d75c0 |
else if (_cups_strcasecmp(start, "NoEmptyFragments"))
|
|
|
1d75c0 |
cupsdLogMessage(CUPSD_LOG_WARN, "Unknown SSL option %s at line %d.", start, linenum);
|
|
|
1d75c0 |
}
|
|
|
1d75c0 |
}
|
|
|
1d75c0 |
|
|
|
1d75c0 |
- _httpTLSSetOptions(options);
|
|
|
1d75c0 |
+ _httpTLSSetOptions(options, min_version, max_version);
|
|
|
1d75c0 |
}
|
|
|
1d75c0 |
#endif /* HAVE_SSL */
|
|
|
1d75c0 |
else if ((!_cups_strcasecmp(line, "Port") || !_cups_strcasecmp(line, "Listen")
|