Blame SOURCES/0001-Add-support-for-MinTLS-and-MaxTLS-options-Issue-5119.patch

1d75c0
diff -up cups-2.2.6/cups/http-private.h.remove-weak-ciphers cups-2.2.6/cups/http-private.h
1d75c0
--- cups-2.2.6/cups/http-private.h.remove-weak-ciphers	2017-11-01 15:57:53.000000000 +0100
1d75c0
+++ cups-2.2.6/cups/http-private.h	2018-08-07 11:53:54.985633959 +0200
1d75c0
@@ -180,13 +180,17 @@ extern "C" {
1d75c0
 
1d75c0
 #  define _HTTP_TLS_NONE	0	/* No TLS options */
1d75c0
 #  define _HTTP_TLS_ALLOW_RC4	1	/* Allow RC4 cipher suites */
1d75c0
-#  define _HTTP_TLS_ALLOW_SSL3	2	/* Allow SSL 3.0 */
1d75c0
-#  define _HTTP_TLS_ALLOW_DH	4	/* Allow DH/DHE key negotiation */
1d75c0
-#  define _HTTP_TLS_DENY_TLS10	16	/* Deny TLS 1.0 */
1d75c0
-#  define _HTTP_TLS_DENY_CBC	32	/* Deny CBC cipher suites */
1d75c0
-#  define _HTTP_TLS_ONLY_TLS10  64      /* Only use TLS 1.0 */
1d75c0
+#  define _HTTP_TLS_ALLOW_DH	2	/* Allow DH/DHE key negotiation */
1d75c0
+#  define _HTTP_TLS_DENY_CBC	4	/* Deny CBC cipher suites */
1d75c0
 #  define _HTTP_TLS_SET_DEFAULT 128     /* Setting the default TLS options */
1d75c0
 
1d75c0
+#  define _HTTP_TLS_SSL3	0	/* Min/max version is SSL/3.0 */
1d75c0
+#  define _HTTP_TLS_1_0		1	/* Min/max version is TLS/1.0 */
1d75c0
+#  define _HTTP_TLS_1_1		2	/* Min/max version is TLS/1.1 */
1d75c0
+#  define _HTTP_TLS_1_2		3	/* Min/max version is TLS/1.2 */
1d75c0
+#  define _HTTP_TLS_1_3		4	/* Min/max version is TLS/1.3 */
1d75c0
+#  define _HTTP_TLS_MAX		5	/* Highest known TLS version */
1d75c0
+
1d75c0
 
1d75c0
 /*
1d75c0
  * Types and functions for SSL support...
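Review bot: The comment on `_HTTP_TLS_MAX` at the end of this hunk calls it the "Highest known TLS version", but the rest of the patch uses it as a "no explicit maximum" sentinel (it is the default `tls_max_version`, the GnuTLS backend maps it to `VERS-TLS-ALL` and the SecureTransport backend to `kTLSProtocolMaxSupported`), not as a real protocol version, so a reader could reasonably pass it as a minimum. Suggest `#  define _HTTP_TLS_MAX		5	/* No explicit maximum (any supported version); also the bound of the backend version tables */`. Because `_HTTP_TLS_SSL3` is 0 and `_HTTP_TLS_MAX` is 5, every table indexed by these values must have exactly six entries; saying so here keeps the backends in step when a version is added.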
1d75c0
@@ -442,7 +446,7 @@ extern void		_httpTLSInitialize(void);
1d75c0
 extern size_t		_httpTLSPending(http_t *http);
1d75c0
 extern int		_httpTLSRead(http_t *http, char *buf, int len);
1d75c0
 extern int		_httpTLSSetCredentials(http_t *http);
1d75c0
-extern void		_httpTLSSetOptions(int options);
1d75c0
+extern void		_httpTLSSetOptions(int options, int min_version, int max_version);
1d75c0
 extern int		_httpTLSStart(http_t *http);
1d75c0
 extern void		_httpTLSStop(http_t *http);
1d75c0
 extern int		_httpTLSWrite(http_t *http, const char *buf, int len);
1d75c0
diff -up cups-2.2.6/cups/tlscheck.c.remove-weak-ciphers cups-2.2.6/cups/tlscheck.c
1d75c0
--- cups-2.2.6/cups/tlscheck.c.remove-weak-ciphers	2017-11-01 15:57:53.000000000 +0100
1d75c0
+++ cups-2.2.6/cups/tlscheck.c	2018-08-07 11:53:54.987633942 +0200
1d75c0
@@ -54,6 +54,8 @@ main(int  argc,				/* I - Number of comm
1d75c0
   int		af = AF_UNSPEC,		/* Address family */
1d75c0
 		tls_options = _HTTP_TLS_NONE,
1d75c0
 					/* TLS options */
1d75c0
+		tls_min_version = _HTTP_TLS_1_0,
1d75c0
+		tls_max_version = _HTTP_TLS_MAX,
1d75c0
 		verbose = 0;		/* Verbosity */
1d75c0
   ipp_t		*request,		/* IPP Get-Printer-Attributes request */
1d75c0
 		*response;		/* IPP Get-Printer-Attributes response */
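Review bot: The two new declarations `tls_min_version` and `tls_max_version` are the only ones in this declaration list without the trailing comment the file gives every variable (`/* TLS options */`, `/* Verbosity */`). Suggest `tls_min_version = _HTTP_TLS_1_0,	/* Minimum TLS version */` and `tls_max_version = _HTTP_TLS_MAX,	/* Maximum TLS version */`. The same omission is in the new file-scope globals of tls-darwin.c, tls-gnutls.c and tls-sspi.c and in the locals added to scheduler/conf.c.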
1d75c0
@@ -88,11 +90,12 @@ main(int  argc,				/* I - Number of comm
1d75c0
     }
1d75c0
     else if (!strcmp(argv[i], "--no-tls10"))
1d75c0
     {
1d75c0
-      tls_options |= _HTTP_TLS_DENY_TLS10;
1d75c0
+      tls_min_version = _HTTP_TLS_1_1;
1d75c0
     }
1d75c0
     else if (!strcmp(argv[i], "--tls10"))
1d75c0
     {
1d75c0
-      tls_options |= _HTTP_TLS_ONLY_TLS10;
1d75c0
+      tls_min_version = _HTTP_TLS_1_0;
1d75c0
+      tls_max_version = _HTTP_TLS_1_0;
1d75c0
     }
1d75c0
     else if (!strcmp(argv[i], "--rc4"))
1d75c0
     {
1d75c0
@@ -148,7 +151,7 @@ main(int  argc,				/* I - Number of comm
1d75c0
   if (!port)
1d75c0
     port = 631;
1d75c0
 
1d75c0
-  _httpTLSSetOptions(tls_options);
1d75c0
+  _httpTLSSetOptions(tls_options, tls_min_version, tls_max_version);
1d75c0
 
1d75c0
   http = httpConnect2(server, port, NULL, af, HTTP_ENCRYPTION_ALWAYS, 1, 30000, NULL);
1d75c0
   if (!http)
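Review bot: Nothing rejects an inverted range before the new `_httpTLSSetOptions(tls_options, tls_min_version, tls_max_version)` call: `--tls10 --no-tls10` (in that order) leaves `tls_min_version` at TLS 1.1 and `tls_max_version` at TLS 1.0, and the backends then configure a connection that can negotiate no version at all, which shows up only as a handshake failure. Suggest guarding the call with `if (tls_min_version > tls_max_version) { fputs("tlscheck: Minimum TLS version exceeds maximum.\n", stderr); return (1); }`. The argument loop that sets these values is earlier in `main()`, outside this hunk.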
1d75c0
diff -up cups-2.2.6/cups/tls-darwin.c.remove-weak-ciphers cups-2.2.6/cups/tls-darwin.c
1d75c0
--- cups-2.2.6/cups/tls-darwin.c.remove-weak-ciphers	2017-11-01 15:57:53.000000000 +0100
1d75c0
+++ cups-2.2.6/cups/tls-darwin.c	2018-08-07 11:53:54.986633951 +0200
1d75c0
@@ -53,7 +53,9 @@ static char		*tls_keypath = NULL;
1d75c0
 					/* Server cert keychain path */
1d75c0
 static _cups_mutex_t	tls_mutex = _CUPS_MUTEX_INITIALIZER;
1d75c0
 					/* Mutex for keychain/certs */
1d75c0
-static int		tls_options = -1;/* Options for TLS connections */
1d75c0
+static int		tls_options = -1,/* Options for TLS connections */
1d75c0
+			tls_min_version = _HTTP_TLS_1_0,
1d75c0
+			tls_max_version = _HTTP_TLS_MAX;
1d75c0
 
1d75c0
 
1d75c0
 /*
1d75c0
@@ -1139,10 +1141,16 @@ _httpTLSRead(http_t *http,		/* I - HTTP
1d75c0
  */
1d75c0
 
1d75c0
 void
1d75c0
-_httpTLSSetOptions(int options)		/* I - Options */
1d75c0
+_httpTLSSetOptions(int options,		/* I - Options */
1d75c0
+                   int min_version,	/* I - Minimum TLS version */
1d75c0
+                   int max_version)	/* I - Maximum TLS version */
1d75c0
 {
1d75c0
   if (!(options & _HTTP_TLS_SET_DEFAULT) || tls_options < 0)
1d75c0
-    tls_options = options;
1d75c0
+  {
1d75c0
+    tls_options     = options;
1d75c0
+    tls_min_version = min_version;
1d75c0
+    tls_max_version = max_version;
1d75c0
+  }
1d75c0
 }
1d75c0
 
1d75c0
 
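Review bot: `_httpTLSSetOptions()` stores `min_version` and `max_version` without any range check, and `_httpTLSStart()` later uses both as indexes into the six-entry `protocols[]` table, so an out-of-range or inverted pair is accepted silently here and only fails (or reads past the table) at connection time. All callers in this patch pass named constants, but the function is the single choke point, so the check belongs here: `if (min_version < _HTTP_TLS_SSL3 || min_version > _HTTP_TLS_MAX) min_version = _HTTP_TLS_1_0;` and `if (max_version < min_version || max_version > _HTTP_TLS_MAX) max_version = _HTTP_TLS_MAX;` before the assignments. The GnuTLS copy of this function in tls-gnutls.c has the same gap. The function's descriptive comment block just above the hunk should also be extended to describe the two new parameters and what `_HTTP_TLS_MAX` means as a maximum.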
1d75c0
@@ -1174,7 +1182,7 @@ _httpTLSStart(http_t *http)		/* I - HTTP
1d75c0
   {
1d75c0
     DEBUG_puts("4_httpTLSStart: Setting defaults.");
1d75c0
     _cupsSetDefaults();
1d75c0
-    DEBUG_printf(("4_httpTLSStart: tls_options=%x", tls_options));
1d75c0
+    DEBUG_printf(("4_httpTLSStart: tls_options=%x, tls_min_version=%d, tls_max_version=%d", tls_options, tls_min_version, tls_max_version));
1d75c0
   }
1d75c0
 
1d75c0
 #ifdef HAVE_SECKEYCHAINOPEN
1d75c0
@@ -1217,22 +1225,23 @@ _httpTLSStart(http_t *http)		/* I - HTTP
1d75c0
 
1d75c0
   if (!error)
1d75c0
   {
1d75c0
-    SSLProtocol minProtocol;
1d75c0
-
1d75c0
-    if (tls_options & _HTTP_TLS_DENY_TLS10)
1d75c0
-      minProtocol = kTLSProtocol11;
1d75c0
-    else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
1d75c0
-      minProtocol = kSSLProtocol3;
1d75c0
-    else
1d75c0
-      minProtocol = kTLSProtocol1;
1d75c0
+    static const SSLProtocol protocols[] =	/* Min/max protocol versions */
1d75c0
+    {
1d75c0
+      kSSLProtocol3,
1d75c0
+      kTLSProtocol1,
1d75c0
+      kTLSProtocol11,
1d75c0
+      kTLSProtocol12,
1d75c0
+      kTLSProtocol13,
1d75c0
+      kTLSProtocolMaxSupported
1d75c0
+    };
1d75c0
 
1d75c0
-    error = SSLSetProtocolVersionMin(http->tls, minProtocol);
1d75c0
-    DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMin(%d), error=%d", minProtocol, (int)error));
1d75c0
+    error = SSLSetProtocolVersionMin(http->tls, protocols[tls_min_version]);
1d75c0
+    DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMin(%d), error=%d", protocols[tls_min_version], (int)error));
1d75c0
 
1d75c0
-    if (!error && (tls_options & _HTTP_TLS_ONLY_TLS10))
1d75c0
+    if (!error)
1d75c0
     {
1d75c0
-      error = SSLSetProtocolVersionMax(http->tls, kTLSProtocol1);
1d75c0
-      DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMax(kTLSProtocol1), error=%d", (int)error));
1d75c0
+      error = SSLSetProtocolVersionMax(http->tls, protocols[tls_max_version]);
1d75c0
+      DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMax(%d), error=%d", protocols[tls_max_version], (int)error));
1d75c0
     }
1d75c0
   }
1d75c0
 
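Review bot: `kTLSProtocol13` and `kTLSProtocolMaxSupported` in the new `protocols[]` table are, as far as I know, only declared by newer SecureTransport headers; if CUPS 2.2.6 is still built against an SDK that predates them, this table fails to compile, so a `#ifdef`/availability fallback or a note in the build requirements seems warranted. Behaviourally, `SSLSetProtocolVersionMax()` is now called on every connection (previously only for `_HTTP_TLS_ONLY_TLS10`), with `kTLSProtocolMaxSupported` in the default case; I believe that is equivalent to leaving the maximum unset, but it is worth confirming. The table is indexed by `tls_min_version` and `tls_max_version` with no bounds check here, which is only safe if `_httpTLSSetOptions()` validates them. `_httpTLSStart()` begins and ends outside this hunk.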
1d75c0
diff -up cups-2.2.6/cups/tls-gnutls.c.remove-weak-ciphers cups-2.2.6/cups/tls-gnutls.c
1d75c0
--- cups-2.2.6/cups/tls-gnutls.c.remove-weak-ciphers	2017-11-01 15:57:53.000000000 +0100
1d75c0
+++ cups-2.2.6/cups/tls-gnutls.c	2018-08-07 11:58:45.164114342 +0200
1d75c0
@@ -35,7 +35,9 @@ static char		*tls_keypath = NULL;
1d75c0
 					/* Server cert keychain path */
1d75c0
 static _cups_mutex_t	tls_mutex = _CUPS_MUTEX_INITIALIZER;
1d75c0
 					/* Mutex for keychain/certs */
1d75c0
-static int		tls_options = -1;/* Options for TLS connections */
1d75c0
+static int		tls_options = -1,/* Options for TLS connections */
1d75c0
+			tls_min_version = _HTTP_TLS_1_0,
1d75c0
+			tls_max_version = _HTTP_TLS_MAX;
1d75c0
 
1d75c0
 
1d75c0
 /*
1d75c0
@@ -1224,10 +1226,16 @@ _httpTLSSetCredentials(http_t *http)	/*
1d75c0
  */
1d75c0
 
1d75c0
 void
1d75c0
-_httpTLSSetOptions(int options)		/* I - Options */
1d75c0
+_httpTLSSetOptions(int options, 		/* I - Options */
1d75c0
+                   int min_version,             /* I - Minimum TLS version */
1d75c0
+                   int max_version)             /* I - Maximum TLS version */
1d75c0
 {
1d75c0
   if (!(options & _HTTP_TLS_SET_DEFAULT) || tls_options < 0)
1d75c0
-    tls_options = options;
1d75c0
+  {
1d75c0
+    tls_options     = options;
1d75c0
+    tls_min_version = min_version;
1d75c0
+    tls_max_version = max_version;
1d75c0
+  }
1d75c0
 }
1d75c0
 
1d75c0
 
1d75c0
@@ -1245,6 +1253,16 @@ _httpTLSStart(http_t *http)		/* I - Conn
1d75c0
 					/* TLS credentials */
1d75c0
   char			priority_string[2048];
1d75c0
 					/* Priority string */
1d75c0
+  int			version;	/* Current version */
1d75c0
+  static const char * const versions[] =/* SSL/TLS versions */
1d75c0
+  {
1d75c0
+    "VERS-SSL3.0",
1d75c0
+    "VERS-TLS1.0",
1d75c0
+    "VERS-TLS1.1",
1d75c0
+    "VERS-TLS1.2",
1d75c0
+    "VERS-TLS1.3",
1d75c0
+    "VERS-TLS-ALL"
1d75c0
+  };
1d75c0
 
1d75c0
 
1d75c0
   DEBUG_printf(("3_httpTLSStart(http=%p)", http));
1d75c0
@@ -1506,14 +1524,40 @@ _httpTLSStart(http_t *http)		/* I - Conn
1d75c0
 
1d75c0
   strlcpy(priority_string, "NORMAL", sizeof(priority_string));
1d75c0
 
1d75c0
-  if (tls_options & _HTTP_TLS_DENY_TLS10)
1d75c0
-    strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-TLS1.0:-VERS-SSL3.0", sizeof(priority_string));
1d75c0
-  else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
1d75c0
+  if (tls_max_version < _HTTP_TLS_MAX)
1d75c0
+  {
1d75c0
+   /*
1d75c0
+    * Require specific TLS versions...
1d75c0
+    */
1d75c0
+
1d75c0
+    strlcat(priority_string, ":-VERS-TLS-ALL", sizeof(priority_string));
1d75c0
+    for (version = tls_min_version; version <= tls_max_version; version ++)
1d75c0
+    {
1d75c0
+      strlcat(priority_string, ":+", sizeof(priority_string));
1d75c0
+      strlcat(priority_string, versions[version], sizeof(priority_string));
1d75c0
+    }
1d75c0
+  }
1d75c0
+  else if (tls_min_version == _HTTP_TLS_SSL3)
1d75c0
+  {
1d75c0
+   /*
1d75c0
+    * Allow all versions of TLS and SSL/3.0...
1d75c0
+    */
1d75c0
+
1d75c0
     strlcat(priority_string, ":+VERS-TLS-ALL:+VERS-SSL3.0", sizeof(priority_string));
1d75c0
-  else if (tls_options & _HTTP_TLS_ONLY_TLS10)
1d75c0
-    strlcat(priority_string, ":-VERS-TLS-ALL:-VERS-SSL3.0:+VERS-TLS1.0", sizeof(priority_string));
1d75c0
+  }
1d75c0
   else
1d75c0
-    strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-SSL3.0", sizeof(priority_string));
1d75c0
+  {
1d75c0
+   /*
1d75c0
+    * Require a minimum version...
1d75c0
+    */
1d75c0
+
1d75c0
+    strlcat(priority_string, ":+VERS-TLS-ALL", sizeof(priority_string));
1d75c0
+    for (version = 0; version < tls_min_version; version ++)
1d75c0
+    {
1d75c0
+      strlcat(priority_string, ":-", sizeof(priority_string));
1d75c0
+      strlcat(priority_string, versions[version], sizeof(priority_string));
1d75c0
+    }
1d75c0
+  }
1d75c0
 
1d75c0
   if (tls_options & _HTTP_TLS_ALLOW_RC4)
1d75c0
     strlcat(priority_string, ":+ARCFOUR-128", sizeof(priority_string));
1d75c0
diff -up cups-2.2.6/cups/tls-sspi.c.remove-weak-ciphers cups-2.2.6/cups/tls-sspi.c
1d75c0
--- cups-2.2.6/cups/tls-sspi.c.remove-weak-ciphers	2017-11-01 15:57:53.000000000 +0100
1d75c0
+++ cups-2.2.6/cups/tls-sspi.c	2018-08-07 11:53:54.986633951 +0200
1d75c0
@@ -52,7 +52,9 @@
1d75c0
  * Local globals...
1d75c0
  */
1d75c0
 
1d75c0
-static int		tls_options = -1;/* Options for TLS connections */
1d75c0
+static int		tls_options = -1,/* Options for TLS connections */
1d75c0
+			tls_min_version = _HTTP_TLS_1_0,
1d75c0
+			tls_max_version = _HTTP_TLS_MAX;
1d75c0
 
1d75c0
 
1d75c0
 /*
1d75c0
@@ -914,7 +916,11 @@ void
1d75c0
 _httpTLSSetOptions(int options)		/* I - Options */
1d75c0
 {
1d75c0
   if (!(options & _HTTP_TLS_SET_DEFAULT) || tls_options < 0)
1d75c0
-    tls_options = options;
1d75c0
+  {
1d75c0
+    tls_options     = options;
1d75c0
+    tls_min_version = min_version;
1d75c0
+    tls_max_version = max_version;
1d75c0
+  }
1d75c0
 }
1d75c0
 
1d75c0
 
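Review bot: The SSPI copy of `_httpTLSSetOptions()` is not compilable as patched: the signature on the first context line of the hunk is still `_httpTLSSetOptions(int options)`, yet the new body assigns `min_version` and `max_version`, which are never declared, and the header now declares the three-parameter form. The signature needs the same change the other backends got, `_httpTLSSetOptions(int options, int min_version, int max_version)`, with the per-parameter comments the file's style uses. The `void` return-type line sits just above the hunk (visible in the `@@` header), so the change touches the line right after it.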
1d75c0
@@ -1782,14 +1788,14 @@ http_sspi_find_credentials(
1d75c0
 #else
1d75c0
   if (http->mode == _HTTP_MODE_SERVER)
1d75c0
   {
1d75c0
-    if (tls_options & _HTTP_TLS_ALLOW_SSL3)
1d75c0
+    if (tls_min_version == _HTTP_TLS_SSL3)
1d75c0
       SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_SERVER | SP_PROT_SSL3_SERVER;
1d75c0
     else
1d75c0
       SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_SERVER;
1d75c0
   }
1d75c0
   else
1d75c0
   {
1d75c0
-    if (tls_options & _HTTP_TLS_ALLOW_SSL3)
1d75c0
+    if (tls_min_version == _HTTP_TLS_SSL3)
1d75c0
       SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT | SP_PROT_SSL3_CLIENT;
1d75c0
     else
1d75c0
       SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT;
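Review bot: On the SSPI backend only the SSL 3.0 case of the new version range is honoured: `SP_PROT_TLS1_SERVER`/`SP_PROT_TLS1_CLIENT` are the TLS 1.0 bits, so `DenyTLS1.0`, `MinTLS1.1`, `MinTLS1.2` and every `MaxTLS*` option accepted by the config parsers has no effect on Windows, while the man pages document them without qualification. Schannel exposes per-version bits (`SP_PROT_TLS1_1_SERVER`, `SP_PROT_TLS1_2_SERVER` and the `_CLIENT` counterparts), so the range can be mapped with a small table; versions above TLS 1.2 would be clamped since I am not certain of the corresponding constants in the SDKs CUPS targets. If the mapping is left as is, the man page text should say the Min/Max options are not supported on Windows. `http_sspi_find_credentials()` begins and ends outside this hunk.
```c
  if (http->mode == _HTTP_MODE_SERVER)
  {
    static const DWORD protocols[] =	/* Schannel bits per _HTTP_TLS_* value (TLS 1.2 is the newest mapped) */
    {
      SP_PROT_SSL3_SERVER,
      SP_PROT_TLS1_SERVER,
      SP_PROT_TLS1_1_SERVER,
      SP_PROT_TLS1_2_SERVER
    };
    int		version,		/* Current version */
		max_version = tls_max_version;
					/* Highest version to enable */

    if (max_version >= (int)(sizeof(protocols) / sizeof(protocols[0])))
      max_version = (int)(sizeof(protocols) / sizeof(protocols[0])) - 1;

    SchannelCred.grbitEnabledProtocols = 0;
    for (version = tls_min_version; version <= max_version; version ++)
      SchannelCred.grbitEnabledProtocols |= protocols[version];
  }
  /* … unchanged in shape: the client branch mirrors this with the SP_PROT_*_CLIENT bits … */
```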
1d75c0
diff -up cups-2.2.6/cups/usersys.c.remove-weak-ciphers cups-2.2.6/cups/usersys.c
1d75c0
--- cups-2.2.6/cups/usersys.c.remove-weak-ciphers	2018-08-07 11:53:54.945634283 +0200
1d75c0
+++ cups-2.2.6/cups/usersys.c	2018-08-07 11:53:54.987633942 +0200
1d75c0
@@ -54,7 +54,9 @@
1d75c0
 typedef struct _cups_client_conf_s	/**** client.conf config data ****/
1d75c0
 {
1d75c0
 #ifdef HAVE_SSL
1d75c0
-  int			ssl_options;	/* SSLOptions values */
1d75c0
+  int			ssl_options,	/* SSLOptions values */
1d75c0
+			ssl_min_version,/* Minimum SSL/TLS version */
1d75c0
+			ssl_max_version;/* Maximum SSL/TLS version */
1d75c0
 #endif /* HAVE_SSL */
1d75c0
   int			trust_first,	/* Trust on first use? */
1d75c0
 			any_root,	/* Allow any (e.g., self-signed) root */
1d75c0
@@ -957,7 +959,7 @@ _cupsSetDefaults(void)
1d75c0
     cg->validate_certs = cc.validate_certs;
1d75c0
 
1d75c0
 #ifdef HAVE_SSL
1d75c0
-  _httpTLSSetOptions(cc.ssl_options | _HTTP_TLS_SET_DEFAULT);
1d75c0
+  _httpTLSSetOptions(cc.ssl_options | _HTTP_TLS_SET_DEFAULT, cc.ssl_min_version, cc.ssl_max_version);
1d75c0
 #endif /* HAVE_SSL */
1d75c0
 }
1d75c0
 
1d75c0
@@ -1336,7 +1338,9 @@ cups_set_ssl_options(
1d75c0
   * SSLOptions [AllowRC4] [AllowSSL3] [AllowDH] [DenyTLS1.0] [None]
1d75c0
   */
1d75c0
 
1d75c0
-  int	options = _HTTP_TLS_NONE;	/* SSL/TLS options */
1d75c0
+  int	options = _HTTP_TLS_NONE,	/* SSL/TLS options */
1d75c0
+	min_version = _HTTP_TLS_1_0,	/* Minimum SSL/TLS version */
1d75c0
+	max_version = _HTTP_TLS_MAX;	/* Maximum SSL/TLS version */
1d75c0
   char	temp[256],			/* Copy of value */
1d75c0
 	*start,				/* Start of option */
1d75c0
 	*end;				/* End of option */
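Review bot: The usage comment at the top of this hunk, `SSLOptions [AllowRC4] [AllowSSL3] [AllowDH] [DenyTLS1.0] [None]`, is now out of date: the parser below accepts the eight new `MinTLS1.x`/`MaxTLS1.x` keywords (and already accepted `DenyCBC`, which the comment never listed). Suggest `* SSLOptions [AllowRC4] [AllowSSL3] [AllowDH] [DenyCBC] [DenyTLS1.0] [MinTLS1.x] [MaxTLS1.x] [None]`. The equivalent comment in scheduler/conf.c (`read_cupsd_conf`) has the same gap. `cups_set_ssl_options()` begins before this hunk.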
1d75c0
@@ -1364,20 +1368,38 @@ cups_set_ssl_options(
1d75c0
     if (!_cups_strcasecmp(start, "AllowRC4"))
1d75c0
       options |= _HTTP_TLS_ALLOW_RC4;
1d75c0
     else if (!_cups_strcasecmp(start, "AllowSSL3"))
1d75c0
-      options |= _HTTP_TLS_ALLOW_SSL3;
1d75c0
+      min_version = _HTTP_TLS_SSL3;
1d75c0
     else if (!_cups_strcasecmp(start, "AllowDH"))
1d75c0
       options |= _HTTP_TLS_ALLOW_DH;
1d75c0
     else if (!_cups_strcasecmp(start, "DenyCBC"))
1d75c0
       options |= _HTTP_TLS_DENY_CBC;
1d75c0
     else if (!_cups_strcasecmp(start, "DenyTLS1.0"))
1d75c0
-      options |= _HTTP_TLS_DENY_TLS10;
1d75c0
+      min_version = _HTTP_TLS_1_1;
1d75c0
+    else if (!_cups_strcasecmp(start, "MaxTLS1.0"))
1d75c0
+      max_version = _HTTP_TLS_1_0;
1d75c0
+    else if (!_cups_strcasecmp(start, "MaxTLS1.1"))
1d75c0
+      max_version = _HTTP_TLS_1_1;
1d75c0
+    else if (!_cups_strcasecmp(start, "MaxTLS1.2"))
1d75c0
+      max_version = _HTTP_TLS_1_2;
1d75c0
+    else if (!_cups_strcasecmp(start, "MaxTLS1.3"))
1d75c0
+      max_version = _HTTP_TLS_1_3;
1d75c0
+    else if (!_cups_strcasecmp(start, "MinTLS1.0"))
1d75c0
+      min_version = _HTTP_TLS_1_0;
1d75c0
+    else if (!_cups_strcasecmp(start, "MinTLS1.1"))
1d75c0
+      min_version = _HTTP_TLS_1_1;
1d75c0
+    else if (!_cups_strcasecmp(start, "MinTLS1.2"))
1d75c0
+      min_version = _HTTP_TLS_1_2;
1d75c0
+    else if (!_cups_strcasecmp(start, "MinTLS1.3"))
1d75c0
+      min_version = _HTTP_TLS_1_3;
1d75c0
     else if (!_cups_strcasecmp(start, "None"))
1d75c0
       options = _HTTP_TLS_NONE;
1d75c0
   }
1d75c0
 
1d75c0
-  cc->ssl_options = options;
1d75c0
+  cc->ssl_options     = options;
1d75c0
+  cc->ssl_max_version = max_version;
1d75c0
+  cc->ssl_min_version = min_version;
1d75c0
 
1d75c0
-  DEBUG_printf(("4cups_set_ssl_options(cc=%p, value=\"%s\") options=%x", (void *)cc, value, options));
1d75c0
+  DEBUG_printf(("4cups_set_ssl_options(cc=%p, value=\"%s\") options=%x, min_version=%d, max_version=%d", (void *)cc, value, options, min_version, max_version));
1d75c0
 }
1d75c0
 #endif /* HAVE_SSL */
1d75c0
 
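Review bot: The `None` keyword no longer undoes `AllowSSL3` and `DenyTLS1.0`: before this patch both were bits in `options` and `None` cleared them, but now they live in `min_version`, which the `None` branch leaves untouched, so `SSLOptions AllowSSL3 None` keeps SSL 3.0 enabled. Suggest resetting all three in that branch: `options = _HTTP_TLS_NONE;`, `min_version = _HTTP_TLS_1_0;`, `max_version = _HTTP_TLS_MAX;`. The same regression is in the `None` branch of `read_cupsd_conf()` in scheduler/conf.c. Separately, nothing here rejects a pair such as `MinTLS1.2 MaxTLS1.0`; the client library has no logging channel for it, so a comment on the struct fields stating that `ssl_min_version` may exceed `ssl_max_version` and that the backend must cope would at least record the contract.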
1d75c0
diff -up cups-2.2.6/man/client.conf.man.in.remove-weak-ciphers cups-2.2.6/man/client.conf.man.in
1d75c0
--- cups-2.2.6/man/client.conf.man.in.remove-weak-ciphers	2017-11-01 15:57:53.000000000 +0100
1d75c0
+++ cups-2.2.6/man/client.conf.man.in	2018-08-07 11:53:54.987633942 +0200
1d75c0
@@ -10,7 +10,7 @@
1d75c0
 .\" which should have been included with this file.  If this file is
1d75c0
 .\" file is missing or damaged, see the license at "http://www.cups.org/".
1d75c0
 .\"
1d75c0
-.TH client.conf 5 "CUPS" "19 October 2017" "Apple Inc."
1d75c0
+.TH client.conf 5 "CUPS" "3 November 2017" "Apple Inc."
1d75c0
 .SH NAME
1d75c0
 client.conf \- client configuration file for cups
1d75c0
 .SH DESCRIPTION
1d75c0
@@ -56,7 +56,7 @@ Specifies the address and optionally the
1d75c0
 \fBServerName \fIhostname-or-ip-address\fR[\fI:port\fR]\fB/version=1.1\fR
1d75c0
 Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.
1d75c0
 .TP 5
1d75c0
-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR]
1d75c0
+\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
1d75c0
 .TP 5
1d75c0
 \fBSSLOptions None\fR
1d75c0
 Sets encryption options (only in /etc/cups/client.conf).
1d75c0
@@ -68,6 +68,9 @@ The \fIAllowRC4\fR option enables the 12
1d75c0
 The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
1d75c0
 The \fIDenyCBC\fR option disables all CBC cipher suites.
1d75c0
 The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
1d75c0
+The \fMinTLS\fR options set the minimum TLS version to support.
1d75c0
+The \fMaxTLS\fR options set the maximum TLS version to support.
1d75c0
+Not all operating systems support TLS 1.3 at this time.
1d75c0
 .TP 5
1d75c0
 \fBTrustOnFirstUse Yes\fR
1d75c0
 .TP 5
1d75c0
diff -up cups-2.2.6/man/cupsd.conf.man.in.remove-weak-ciphers cups-2.2.6/man/cupsd.conf.man.in
1d75c0
--- cups-2.2.6/man/cupsd.conf.man.in.remove-weak-ciphers	2018-08-07 11:53:54.981633991 +0200
1d75c0
+++ cups-2.2.6/man/cupsd.conf.man.in	2018-08-07 11:53:54.987633942 +0200
1d75c0
@@ -432,10 +432,11 @@ The default is "Minimal".
1d75c0
 Listens on the specified address and port for encrypted connections.
1d75c0
 .\"#SSLOptions
1d75c0
 .TP 5
1d75c0
-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR]
1d75c0
+.TP 5
1d75c0
+\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
1d75c0
 .TP 5
1d75c0
 \fBSSLOptions None\fR
1d75c0
-Sets encryption options.
1d75c0
+Sets encryption options (only in /etc/cups/client.conf).
1d75c0
 By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
1d75c0
 Security is reduced when \fIAllow\fR options are used.
1d75c0
 Security is enhanced when \fIDeny\fR options are used.
1d75c0
@@ -444,6 +445,9 @@ The \fIAllowRC4\fR option enables the 12
1d75c0
 The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
1d75c0
 The \fIDenyCBC\fR option disables all CBC cipher suites.
1d75c0
 The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
1d75c0
+The \fMinTLS\fR options set the minimum TLS version to support.
1d75c0
+The \fMaxTLS\fR options set the maximum TLS version to support.
1d75c0
+Not all operating systems support TLS 1.3 at this time.
1d75c0
 .\"#SSLPort
1d75c0
 .TP 5
1d75c0
 \fBSSLPort \fIport\fR
1d75c0
diff -up cups-2.2.6/scheduler/conf.c.remove-weak-ciphers cups-2.2.6/scheduler/conf.c
1d75c0
--- cups-2.2.6/scheduler/conf.c.remove-weak-ciphers	2018-08-07 11:53:54.981633991 +0200
1d75c0
+++ cups-2.2.6/scheduler/conf.c	2018-08-07 11:53:54.988633934 +0200
1d75c0
@@ -630,7 +630,7 @@ cupsdReadConfiguration(void)
1d75c0
   cupsdSetString(&ServerKeychain, "/Library/Keychains/System.keychain");
1d75c0
 #  endif /* HAVE_GNUTLS */
1d75c0
 
1d75c0
-  _httpTLSSetOptions(0);
1d75c0
+  _httpTLSSetOptions(_HTTP_TLS_NONE, _HTTP_TLS_1_0, _HTTP_TLS_MAX);
1d75c0
 #endif /* HAVE_SSL */
1d75c0
 
1d75c0
   language = cupsLangDefault();
1d75c0
@@ -3024,7 +3024,9 @@ read_cupsd_conf(cups_file_t *fp)	/* I -
1d75c0
       * SSLOptions [AllowRC4] [AllowSSL3] [AllowDH] [DenyCBC] [DenyTLS1.0] [None]
1d75c0
       */
1d75c0
 
1d75c0
-      int	options = 0;		/* SSL/TLS options */
1d75c0
+      int	options = _HTTP_TLS_NONE,/* SSL/TLS options */
1d75c0
+		min_version = _HTTP_TLS_1_0,
1d75c0
+		max_version = _HTTP_TLS_MAX;
1d75c0
 
1d75c0
       if (value)
1d75c0
       {
1d75c0
@@ -3048,24 +3050,40 @@ read_cupsd_conf(cups_file_t *fp)	/* I -
1d75c0
 	  * Compare...
1d75c0
 	  */
1d75c0
 
1d75c0
-          if (!_cups_strcasecmp(start, "AllowRC4"))
1d75c0
+	  if (!_cups_strcasecmp(start, "AllowRC4"))
1d75c0
 	    options |= _HTTP_TLS_ALLOW_RC4;
1d75c0
-          else if (!_cups_strcasecmp(start, "AllowSSL3"))
1d75c0
-	    options |= _HTTP_TLS_ALLOW_SSL3;
1d75c0
+	  else if (!_cups_strcasecmp(start, "AllowSSL3"))
1d75c0
+	    min_version = _HTTP_TLS_SSL3;
1d75c0
 	  else if (!_cups_strcasecmp(start, "AllowDH"))
1d75c0
 	    options |= _HTTP_TLS_ALLOW_DH;
1d75c0
 	  else if (!_cups_strcasecmp(start, "DenyCBC"))
1d75c0
 	    options |= _HTTP_TLS_DENY_CBC;
1d75c0
 	  else if (!_cups_strcasecmp(start, "DenyTLS1.0"))
1d75c0
-	    options |= _HTTP_TLS_DENY_TLS10;
1d75c0
-          else if (!_cups_strcasecmp(start, "None"))
1d75c0
-	    options = 0;
1d75c0
+	    min_version = _HTTP_TLS_1_1;
1d75c0
+	  else if (!_cups_strcasecmp(start, "MaxTLS1.0"))
1d75c0
+	    max_version = _HTTP_TLS_1_0;
1d75c0
+	  else if (!_cups_strcasecmp(start, "MaxTLS1.1"))
1d75c0
+	    max_version = _HTTP_TLS_1_1;
1d75c0
+	  else if (!_cups_strcasecmp(start, "MaxTLS1.2"))
1d75c0
+	    max_version = _HTTP_TLS_1_2;
1d75c0
+	  else if (!_cups_strcasecmp(start, "MaxTLS1.3"))
1d75c0
+	    max_version = _HTTP_TLS_1_3;
1d75c0
+	  else if (!_cups_strcasecmp(start, "MinTLS1.0"))
1d75c0
+	    min_version = _HTTP_TLS_1_0;
1d75c0
+	  else if (!_cups_strcasecmp(start, "MinTLS1.1"))
1d75c0
+	    min_version = _HTTP_TLS_1_1;
1d75c0
+	  else if (!_cups_strcasecmp(start, "MinTLS1.2"))
1d75c0
+	    min_version = _HTTP_TLS_1_2;
1d75c0
+	  else if (!_cups_strcasecmp(start, "MinTLS1.3"))
1d75c0
+	    min_version = _HTTP_TLS_1_3;
1d75c0
+	  else if (!_cups_strcasecmp(start, "None"))
1d75c0
+	    options = _HTTP_TLS_NONE;
1d75c0
 	  else if (_cups_strcasecmp(start, "NoEmptyFragments"))
1d75c0
 	    cupsdLogMessage(CUPSD_LOG_WARN, "Unknown SSL option %s at line %d.", start, linenum);
1d75c0
         }
1d75c0
       }
1d75c0
 
1d75c0
-      _httpTLSSetOptions(options);
1d75c0
+      _httpTLSSetOptions(options, min_version, max_version);
1d75c0
     }
1d75c0
 #endif /* HAVE_SSL */
1d75c0
     else if ((!_cups_strcasecmp(line, "Port") || !_cups_strcasecmp(line, "Listen")