diff -up cups-1.6.3/cups/http.c.tlsv12 cups-1.6.3/cups/http.c
--- cups-1.6.3/cups/http.c.tlsv12	2017-12-12 14:40:02.672393885 +0100
+++ cups-1.6.3/cups/http.c	2017-12-12 16:45:11.417535244 +0100
@@ -3726,6 +3726,8 @@ http_send(http_t       *http,	/* I - Con
     httpSetField(http, HTTP_FIELD_CONNECTION, "Upgrade");
     if (tls_options & _HTTP_TLS_ALLOW_SSL3)
       httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.1,TLS/1.0,SSL/3.0");
+    else if (tls_options & _HTTP_TLS_MIN_TLS12)
+      httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2+");
     else
       httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.1,TLS/1.0");
   }
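Review bot: The new `else if (tls_options & _HTTP_TLS_MIN_TLS12)` branch is never reached when `_HTTP_TLS_ALLOW_SSL3` is also set, because the SSL3 test comes first; the client then advertises `TLS/1.1,TLS/1.0,SSL/3.0` while http_setup_ssl (the next hunk of this file) restricts the handshake to TLS 1.2 cipher suites, so the Upgrade header and the actual negotiation disagree. Testing the minimum-version flag first keeps the advertisement consistent with the enforced floor: `if (tls_options & _HTTP_TLS_MIN_TLS12) httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2+"); else if (tls_options & _HTTP_TLS_ALLOW_SSL3) ...`. The same ordering applies to the http_upgrade hunk further down this file. http_send's body continues outside the hunk.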
@@ -3968,6 +3970,8 @@ http_setup_ssl(http_t *http)		/* I - Con
     SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */
   if (!(tls_options & _HTTP_TLS_ALLOW_RC4))
     SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4");
+  if (tls_options & _HTTP_TLS_MIN_TLS12)
+    SSL_CTX_set_cipher_list(context, "DEFAULT:!SSLv3:!TLSv1");
 
   bio = BIO_new(_httpBIOMethods());
   BIO_ctrl(bio, BIO_C_SET_FILE_PTR, 0, (char *)http);
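Review bot: `SSL_CTX_set_cipher_list(context, "DEFAULT:!SSLv3:!TLSv1")` enforces the TLS 1.2 floor only indirectly, by removing every cipher suite defined before TLS 1.2, so a TLS 1.0/1.1 peer fails for lack of a common suite rather than being refused by version; it also replaces the `DEFAULT:-RC4` list set two lines above instead of extending it (the RC4 suites are SSLv3-era and so still drop out, but that coupling is accidental). The direct mechanism is the protocol option call already used for SSLv3 on the first context line: `SSL_CTX_set_options(context, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);`, which can sit alongside one combined cipher list. The return value of the new call is not checked, so if the string is rejected the previous list stays in force and the minimum is silently not applied. The same points apply to the cupsdStartTLS hunk in scheduler/tls-openssl.c. http_setup_ssl continues outside the hunk.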
@@ -4453,6 +4457,8 @@ http_upgrade(http_t *http)		/* I - Conne
   httpSetField(http, HTTP_FIELD_CONNECTION, "upgrade");
   if (tls_options & _HTTP_TLS_ALLOW_SSL3)
     httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2, TLS/1.1, TLS/1.0, SSL/3.0");
+  else if (tls_options & _HTTP_TLS_MIN_TLS12)
+    httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2+");
   else
     httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2, TLS/1.1, TLS/1.0");
 
diff -up cups-1.6.3/cups/http-private.h.tlsv12 cups-1.6.3/cups/http-private.h
--- cups-1.6.3/cups/http-private.h.tlsv12	2017-12-12 14:40:02.642394135 +0100
+++ cups-1.6.3/cups/http-private.h	2017-12-12 14:40:02.689393744 +0100
@@ -143,6 +143,7 @@ extern "C" {
 /* care - these should be the same values as the CUPSD_SSL_* equivalents */
 #define _HTTP_TLS_ALLOW_RC4	2
 #define _HTTP_TLS_ALLOW_SSL3	4
+#define _HTTP_TLS_MIN_TLS12 8
 
 
 /*
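Review bot: `#define _HTTP_TLS_MIN_TLS12 8` is the only flag in this group without a tab-aligned value or a comment, and the comment above the group says these values must mirror the CUPSD_SSL_* constants; recording that pairing makes a later divergence visible: `#define _HTTP_TLS_MIN_TLS12	8	/* Require TLS 1.2 or later (== CUPSD_SSL_MIN_TLS12) */`. The scheduler/conf.h hunk of this patch does define CUPSD_SSL_MIN_TLS12 as 8, so the two agree today.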
diff -up cups-1.6.3/cups/usersys.c.tlsv12 cups-1.6.3/cups/usersys.c
--- cups-1.6.3/cups/usersys.c.tlsv12	2017-12-12 14:40:02.676393852 +0100
+++ cups-1.6.3/cups/usersys.c	2017-12-12 14:40:02.689393744 +0100
@@ -992,7 +992,7 @@ cups_read_client_conf(
     else if (ssl_options && !_cups_strcasecmp(line, "SSLOptions") && value)
     {
      /*
-      * SSLOptions [AllowRC4] [AllowSSL3] [None]
+      * SSLOptions [AllowRC4] [AllowSSL3] [MinTLS1.2] [None]
       */
 
       int	options = 0;		/* SSL/TLS options */
@@ -1020,6 +1020,8 @@ cups_read_client_conf(
 	  options |= _HTTP_TLS_ALLOW_RC4;
 	else if (!_cups_strcasecmp(start, "AllowSSL3"))
 	  options |= _HTTP_TLS_ALLOW_SSL3;
+	else if (!_cups_strcasecmp(start, "MinTLS1.2"))
+	  options |= _HTTP_TLS_MIN_TLS12;
 	else if (!_cups_strcasecmp(start, "None"))
 	  options = 0;
       }
diff -up cups-1.6.3/man/client.conf.man.in.tlsv12 cups-1.6.3/man/client.conf.man.in
--- cups-1.6.3/man/client.conf.man.in.tlsv12	2017-12-12 14:40:02.643394126 +0100
+++ cups-1.6.3/man/client.conf.man.in	2017-12-14 12:51:09.366872384 +0100
@@ -53,14 +53,15 @@ Specifies the address and optionally the
 server running CUPS 1.3.12 and earlier. \fBNote: Not supported on OS X 10.7 or
 later.\fR
 .TP 5
-SSLOptions \fR[\fIAllowRC4\fR] [\fIAllow SSL3\fR]
+SSLOptions \fR[\fIAllowRC4\fR] [\fIAllow SSL3\fR] [\fIMinTLS1.2\fR]
 .br
 Sets SSL/TLS protocol options for encrypted connections. By default,
 CUPS only supports encryption using TLS v1.0 or higher using known
 secure cipher suites. The \fIAllowRC4\fR option enables the 128-bit
 RC4 cipher suites, which are required for some older clients that do
 not implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0,
-which is required for some older clients that do not support TLS v1.0.
+which is required for some older clients that do not support TLS v1.0. 
+The \fIMinTLS1.2\fR option enforces CUPS to use TLS v1.2 and higher.
 .TP 5
 User name
 .br
diff -up cups-1.6.3/man/cupsd.conf.man.in.tlsv12 cups-1.6.3/man/cupsd.conf.man.in
--- cups-1.6.3/man/cupsd.conf.man.in.tlsv12	2017-12-14 12:42:34.233473538 +0100
+++ cups-1.6.3/man/cupsd.conf.man.in	2017-12-14 12:51:09.327872724 +0100
@@ -480,7 +480,7 @@ Listens on the specified address and por
 .TP 5
 SSLOptions None
 .TP 5
-SSLOptions \fR[\fINoEmptyFragments\fR] [\fIAllowRC4\fR] [\fIAllow SSL3\fR]
+SSLOptions \fR[\fINoEmptyFragments\fR] [\fIAllowRC4\fR] [\fIAllow SSL3\fR] [\fIMinTLS1.2\fR]
 .br
 Sets SSL/TLS protocol options for encrypted connections. By default,
 CUPS only supports encryption using TLS v1.0 or higher using known
@@ -490,6 +490,7 @@ enabled. The \fIAllowRC4\fR option enabl
 suites, which are required for some older clients that do not
 implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0,
 which is required for some older clients that do not support TLS v1.0.
+The \fIMinTLS1.2\fR option enforces CUPS to use TLS v1.2 and higher.
 .TP 5
 SSLPort
 .br
diff -up cups-1.6.3/scheduler/client.c.tlsv12 cups-1.6.3/scheduler/client.c
--- cups-1.6.3/scheduler/client.c.tlsv12	2017-12-12 15:18:01.683589773 +0100
+++ cups-1.6.3/scheduler/client.c	2017-12-12 16:44:38.721796794 +0100
@@ -1189,7 +1189,11 @@ cupsdReadClient(cupsd_client_t *con)	/*
 	}
 
 	httpPrintf(HTTP(con), "Connection: Upgrade\r\n");
-	httpPrintf(HTTP(con), "Upgrade: TLS/1.0,HTTP/1.1\r\n");
+	if ((SSLOptions & CUPSD_SSL_MIN_TLS12) ||
+	    !_cups_strcasecmp(con->http.fields[HTTP_FIELD_UPGRADE], "TLS/1.2+"))
+	  httpPrintf(HTTP(con), "Upgrade: TLS/1.2+,HTTP/1.1\r\n");
+	else
+	  httpPrintf(HTTP(con), "Upgrade: TLS/1.0,HTTP/1.1\r\n");
 	httpPrintf(HTTP(con), "Content-Length: 0\r\n");
 	httpPrintf(HTTP(con), "\r\n");
 
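Review bot: `!_cups_strcasecmp(con->http.fields[HTTP_FIELD_UPGRADE], "TLS/1.2+")` requires the Upgrade header to consist of exactly that one token; Upgrade is a comma-separated list, so a client offering `TLS/1.2+, HTTP/1.1` (or any list that merely contains the token) is answered with the TLS/1.0 line here and, in cupsdStartTLS, does not get the restricted cipher list. Honouring the client's token can only raise the floor, never lower it, so the trust direction is sound; the matching just needs to walk the list, for example through a small `static int cupsd_client_wants_tls12(cupsd_client_t *con)` that tokenises on commas, which would also replace the three verbatim copies of this condition (this hunk, the second cupsdReadClient hunk below, and the scheduler/tls-openssl.c hunk). cupsdReadClient's body begins and ends outside the hunk.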
@@ -1263,7 +1268,11 @@ cupsdReadClient(cupsd_client_t *con)	/*
 	}
 
 	httpPrintf(HTTP(con), "Connection: Upgrade\r\n");
-	httpPrintf(HTTP(con), "Upgrade: TLS/1.0,HTTP/1.1\r\n");
+	if ((SSLOptions & CUPSD_SSL_MIN_TLS12) ||
+	    !_cups_strcasecmp(con->http.fields[HTTP_FIELD_UPGRADE], "TLS/1.2+"))
+	  httpPrintf(HTTP(con), "Upgrade: TLS/1.2+,HTTP/1.1\r\n");
+	else
+	  httpPrintf(HTTP(con), "Upgrade: TLS/1.0,HTTP/1.1\r\n");
 	httpPrintf(HTTP(con), "Content-Length: 0\r\n");
 	httpPrintf(HTTP(con), "\r\n");
 
diff -up cups-1.6.3/scheduler/conf.c.tlsv12 cups-1.6.3/scheduler/conf.c
--- cups-1.6.3/scheduler/conf.c.tlsv12	2017-12-12 14:40:02.681393811 +0100
+++ cups-1.6.3/scheduler/conf.c	2017-12-12 14:40:02.689393744 +0100
@@ -3383,7 +3383,7 @@ read_cupsd_conf(cups_file_t *fp)	/* I -
     else if (!_cups_strcasecmp(line, "SSLOptions"))
     {
      /*
-      * SSLOptions [AllowRC4] [AllowSSL3] [NoEmptyFragments] [None]
+      * SSLOptions [AllowRC4] [AllowSSL3] [MinTLS1.2] [NoEmptyFragments] [None]
       */
 
       int	options = 0;	/* SSL/TLS options */
@@ -3420,6 +3420,8 @@ read_cupsd_conf(cups_file_t *fp)	/* I -
 	    options |= CUPSD_SSL_ALLOW_RC4;
 	  else if (!_cups_strcasecmp(start, "AllowSSL3"))
 	    options |= CUPSD_SSL_ALLOW_SSL3;
+	  else if (!_cups_strcasecmp(start, "MinTLS1.2"))
+	    options |= CUPSD_SSL_MIN_TLS12;
 	  else if (!_cups_strcasecmp(start, "None"))
 	    options = 0;
 	  else
diff -up cups-1.6.3/scheduler/conf.h.tlsv12 cups-1.6.3/scheduler/conf.h
--- cups-1.6.3/scheduler/conf.h.tlsv12	2017-12-12 14:40:02.681393811 +0100
+++ cups-1.6.3/scheduler/conf.h	2017-12-12 14:40:02.690393736 +0100
@@ -80,7 +80,7 @@ typedef enum
 #define CUPSD_SSL_NOEMPTY	1	/* Do not insert empty fragments */
 #define CUPSD_SSL_ALLOW_RC4	2	/* Allow RC4 cipher suites */
 #define CUPSD_SSL_ALLOW_SSL3	4	/* Allow SSL 3.0 */
-
+#define CUPSD_SSL_MIN_TLS12    8   /* Deny TLS 1.1 */
 
 /*
  * ServerAlias data...
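Review bot: The comment `/* Deny TLS 1.1 */` understates the flag: as parsed in scheduler/conf.c and applied in scheduler/tls-openssl.c, `MinTLS1.2` also excludes TLS 1.0 (and the SSLv3-era suites), i.e. it requires TLS 1.2 or later; the line also breaks the tab alignment of the three defines above it. Suggest `#define CUPSD_SSL_MIN_TLS12	8	/* Require TLS 1.2 or later */`, and keep the blank line the hunk removes so the flag group stays separated from the ServerAlias comment.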
diff -up cups-1.6.3/scheduler/tls-openssl.c.tlsv12 cups-1.6.3/scheduler/tls-openssl.c
--- cups-1.6.3/scheduler/tls-openssl.c.tlsv12	2017-12-12 14:40:02.645394110 +0100
+++ cups-1.6.3/scheduler/tls-openssl.c	2017-12-12 16:49:10.357623844 +0100
@@ -111,6 +111,9 @@ cupsdStartTLS(cupsd_client_t *con)	/* I
     SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */
   if (!(SSLOptions & CUPSD_SSL_ALLOW_RC4))
     SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4");
+  if ((SSLOptions & CUPSD_SSL_MIN_TLS12) ||
+      !_cups_strcasecmp(con->http.fields[HTTP_FIELD_UPGRADE], "TLS/1.2+"))
+    SSL_CTX_set_cipher_list(context, "DEFAULT:!SSLv3:!TLSv1");
   SSL_CTX_use_PrivateKey_file(context, ServerKey, SSL_FILETYPE_PEM);
   SSL_CTX_use_certificate_chain_file(context, ServerCertificate);
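Review bot: The server-side minimum-version policy rests entirely on the unchecked return of `SSL_CTX_set_cipher_list(context, "DEFAULT:!SSLv3:!TLSv1")`; if the string is not accepted, the context keeps the list set two lines above and the connection proceeds with TLS 1.0/1.1 still negotiable, a silent fail-open. The scheduler has cupsdLogMessage available, so the call should be guarded and the connection refused on failure: `if (!SSL_CTX_set_cipher_list(context, "DEFAULT:!SSLv3:!TLSv1")) cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to restrict TLS to version 1.2 or later.");` followed by whichever error return cupsdStartTLS already uses (that path is outside the hunk). Note also that when `CUPSD_SSL_ALLOW_SSL3` and `CUPSD_SSL_MIN_TLS12` are both configured, the `SSL_OP_NO_SSLv3` line above appears to stay unset, so the SSLv3 protocol remains offered even though all of its suites have been removed; giving MinTLS1.2 explicit precedence would remove that ambiguity. cupsdStartTLS continues outside the hunk.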