|
|
68a3ed |
diff -up cups-1.6.3/cups/http.c.str4476 cups-1.6.3/cups/http.c
|
|
|
68a3ed |
--- cups-1.6.3/cups/http.c.str4476 2013-06-07 02:12:52.000000000 +0100
|
|
|
68a3ed |
+++ cups-1.6.3/cups/http.c 2015-06-23 14:05:39.872805417 +0100
|
|
|
68a3ed |
@@ -175,6 +175,8 @@ static int http_write_ssl(http_t *http,
|
|
|
68a3ed |
* Local globals...
|
|
|
68a3ed |
*/
|
|
|
68a3ed |
|
|
|
68a3ed |
+static int tls_options = 0; /* Options for TLS connections */
|
|
|
68a3ed |
+
|
|
|
68a3ed |
static const char * const http_fields[] =
|
|
|
68a3ed |
{
|
|
|
68a3ed |
"Accept-Language",
|
|
|
68a3ed |
@@ -3722,7 +3724,10 @@ http_send(http_t *http, /* I - Con
|
|
|
68a3ed |
if (http->encryption == HTTP_ENCRYPT_REQUIRED && !http->tls)
|
|
|
68a3ed |
{
|
|
|
68a3ed |
httpSetField(http, HTTP_FIELD_CONNECTION, "Upgrade");
|
|
|
68a3ed |
- httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.0,SSL/2.0,SSL/3.0");
|
|
|
68a3ed |
+ if (tls_options & _HTTP_TLS_ALLOW_SSL3)
|
|
|
68a3ed |
+ httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.1,TLS/1.0,SSL/3.0");
|
|
|
68a3ed |
+ else
|
|
|
68a3ed |
+ httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.1,TLS/1.0");
|
|
|
68a3ed |
}
|
|
|
68a3ed |
#endif /* HAVE_SSL */
|
|
|
68a3ed |
|
|
|
68a3ed |
@@ -3959,6 +3964,10 @@ http_setup_ssl(http_t *http) /* I - Con
|
|
|
68a3ed |
context = SSL_CTX_new(SSLv23_client_method());
|
|
|
68a3ed |
|
|
|
68a3ed |
SSL_CTX_set_options(context, SSL_OP_NO_SSLv2); /* Only use SSLv3 or TLS */
|
|
|
68a3ed |
+ if (!(tls_options & _HTTP_TLS_ALLOW_SSL3))
|
|
|
68a3ed |
+ SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */
|
|
|
68a3ed |
+ if (!(tls_options & _HTTP_TLS_ALLOW_RC4))
|
|
|
68a3ed |
+ SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4");
|
|
|
68a3ed |
|
|
|
68a3ed |
bio = BIO_new(_httpBIOMethods());
|
|
|
68a3ed |
BIO_ctrl(bio, BIO_C_SET_FILE_PTR, 0, (char *)http);
|
|
|
68a3ed |
@@ -4018,7 +4027,16 @@ http_setup_ssl(http_t *http) /* I - Con
|
|
|
68a3ed |
gnutls_certificate_allocate_credentials(credentials);
|
|
|
68a3ed |
|
|
|
68a3ed |
gnutls_init(&http->tls, GNUTLS_CLIENT);
|
|
|
68a3ed |
- gnutls_set_default_priority(http->tls);
|
|
|
68a3ed |
+ if (!tls_options)
|
|
|
68a3ed |
+ gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128:-VERS-SSL3.0", NULL);
|
|
|
68a3ed |
+ else if ((tls_options & _HTTP_TLS_ALLOW_SSL3) &&
|
|
|
68a3ed |
+ (tls_options & _HTTP_TLS_ALLOW_RC4))
|
|
|
68a3ed |
+ gnutls_priority_set_direct(http->tls, "NORMAL", NULL);
|
|
|
68a3ed |
+ else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
|
|
|
68a3ed |
+ gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128", NULL);
|
|
|
68a3ed |
+ else
|
|
|
68a3ed |
+ gnutls_priority_set_direct(http->tls, "NORMAL:-VERS-SSL3.0", NULL);
|
|
|
68a3ed |
+
|
|
|
68a3ed |
gnutls_server_name_set(http->tls, GNUTLS_NAME_DNS, hostname,
|
|
|
68a3ed |
strlen(hostname));
|
|
|
68a3ed |
gnutls_credentials_set(http->tls, GNUTLS_CRD_CERTIFICATE, *credentials);
|
|
|
68a3ed |
@@ -4433,7 +4451,10 @@ http_upgrade(http_t *http) /* I - Conne
|
|
|
68a3ed |
|
|
|
68a3ed |
httpClearFields(http);
|
|
|
68a3ed |
httpSetField(http, HTTP_FIELD_CONNECTION, "upgrade");
|
|
|
68a3ed |
- httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2, TLS/1.1, TLS/1.0, SSL/3.0");
|
|
|
68a3ed |
+ if (tls_options & _HTTP_TLS_ALLOW_SSL3)
|
|
|
68a3ed |
+ httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2, TLS/1.1, TLS/1.0, SSL/3.0");
|
|
|
68a3ed |
+ else
|
|
|
68a3ed |
+ httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2, TLS/1.1, TLS/1.0");
|
|
|
68a3ed |
|
|
|
68a3ed |
if ((ret = httpOptions(http, "*")) == 0)
|
|
|
68a3ed |
{
|
|
|
68a3ed |
@@ -4764,6 +4785,16 @@ http_write_ssl(http_t *http, /* I -
|
|
|
68a3ed |
}
|
|
|
68a3ed |
#endif /* HAVE_SSL */
|
|
|
68a3ed |
|
|
|
68a3ed |
+/*
|
|
|
68a3ed |
+ * '_httpTLSSetOptions()' - Set TLS/SSL options.
|
|
|
68a3ed |
+ */
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+void
|
|
|
68a3ed |
+_httpTLSSetOptions(int options)
|
|
|
68a3ed |
+{
|
|
|
68a3ed |
+ tls_options = options;
|
|
|
68a3ed |
+}
|
|
|
68a3ed |
+
|
|
|
68a3ed |
|
|
|
68a3ed |
/*
|
|
|
68a3ed |
* End of "$Id: http.c 7850 2008-08-20 00:07:25Z mike $".
|
|
|
68a3ed |
diff -up cups-1.6.3/cups/http-private.h.str4476 cups-1.6.3/cups/http-private.h
|
|
|
68a3ed |
--- cups-1.6.3/cups/http-private.h.str4476 2015-06-23 14:04:45.244230171 +0100
|
|
|
68a3ed |
+++ cups-1.6.3/cups/http-private.h 2015-06-23 14:05:39.873805409 +0100
|
|
|
68a3ed |
@@ -140,6 +140,10 @@ extern "C" {
|
|
|
68a3ed |
#define _HTTP_RESOLVE_FQDN 2 /* Resolve to a FQDN */
|
|
|
68a3ed |
#define _HTTP_RESOLVE_FAXOUT 4 /* Resolve FaxOut service? */
|
|
|
68a3ed |
|
|
|
68a3ed |
+/* care - these should be the same values as the CUPSD_SSL_* equivalents */
|
|
|
68a3ed |
+#define _HTTP_TLS_ALLOW_RC4 2
|
|
|
68a3ed |
+#define _HTTP_TLS_ALLOW_SSL3 4
|
|
|
68a3ed |
+
|
|
|
68a3ed |
|
|
|
68a3ed |
/*
|
|
|
68a3ed |
* Types and functions for SSL support...
|
|
|
68a3ed |
@@ -377,6 +381,8 @@ extern const char *_httpResolveURI(const
|
|
|
68a3ed |
extern int _httpUpdate(http_t *http, http_status_t *status);
|
|
|
68a3ed |
extern int _httpWait(http_t *http, int msec, int usessl);
|
|
|
68a3ed |
|
|
|
68a3ed |
+extern void _httpTLSSetOptions(int options);
|
|
|
68a3ed |
+
|
|
|
68a3ed |
|
|
|
68a3ed |
/*
|
|
|
68a3ed |
* C++ magic...
|
|
|
68a3ed |
diff -up cups-1.6.3/cups/usersys.c.str4476 cups-1.6.3/cups/usersys.c
|
|
|
68a3ed |
--- cups-1.6.3/cups/usersys.c.str4476 2015-06-23 14:04:45.268229986 +0100
|
|
|
68a3ed |
+++ cups-1.6.3/cups/usersys.c 2015-06-23 14:05:39.873805409 +0100
|
|
|
68a3ed |
@@ -72,7 +72,8 @@ static void cups_read_client_conf(cups_f
|
|
|
68a3ed |
#endif /* HAVE_GSSAPI */
|
|
|
68a3ed |
const char *cups_anyroot,
|
|
|
68a3ed |
const char *cups_expiredroot,
|
|
|
68a3ed |
- const char *cups_expiredcerts);
|
|
|
68a3ed |
+ const char *cups_expiredcerts,
|
|
|
68a3ed |
+ int ssl_options);
|
|
|
68a3ed |
|
|
|
68a3ed |
|
|
|
68a3ed |
/*
|
|
|
68a3ed |
@@ -257,6 +258,9 @@ cupsSetEncryption(http_encryption_t e) /
|
|
|
68a3ed |
_cups_globals_t *cg = _cupsGlobals(); /* Pointer to library globals */
|
|
|
68a3ed |
|
|
|
68a3ed |
|
|
|
68a3ed |
+ if (cg->encryption == (http_encryption_t)-1)
|
|
|
68a3ed |
+ _cupsSetDefaults();
|
|
|
68a3ed |
+
|
|
|
68a3ed |
cg->encryption = e;
|
|
|
68a3ed |
|
|
|
68a3ed |
if (cg->http)
|
|
|
68a3ed |
@@ -823,7 +827,36 @@ _cupsSetDefaults(void)
|
|
|
68a3ed |
if (cg->encryption == (http_encryption_t)-1 || !cg->server[0] ||
|
|
|
68a3ed |
!cg->user[0] || !cg->ipp_port)
|
|
|
68a3ed |
{
|
|
|
68a3ed |
+ /*
|
|
|
68a3ed |
+ * Look for CUPS_SERVERROOT/client.conf...
|
|
|
68a3ed |
+ */
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+ snprintf(filename, sizeof(filename), "%s/client.conf",
|
|
|
68a3ed |
+ cg->cups_serverroot);
|
|
|
68a3ed |
+ fp = cupsFileOpen(filename, "r");
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+ /*
|
|
|
68a3ed |
+ * Read the configuration file and apply any environment variables; both
|
|
|
68a3ed |
+ * functions handle NULL cups_file_t pointers...
|
|
|
68a3ed |
+ */
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+ cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
|
|
|
68a3ed |
+#ifdef HAVE_GSSAPI
|
|
|
68a3ed |
+ cups_gssservicename,
|
|
|
68a3ed |
+#endif /* HAVE_GSSAPI */
|
|
|
68a3ed |
+ cups_anyroot, cups_expiredroot,
|
|
|
68a3ed |
+ cups_expiredcerts, 1);
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+ /*
|
|
|
68a3ed |
+ * Then user defaults, if it is safe to do so...
|
|
|
68a3ed |
+ */
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+#ifdef HAVE_GETEUID
|
|
|
68a3ed |
+ if ((geteuid() == getuid() || !getuid()) && getegid() == getgid() &&
|
|
|
68a3ed |
+ (home = getenv("HOME")) != NULL)
|
|
|
68a3ed |
+#else
|
|
|
68a3ed |
if ((home = getenv("HOME")) != NULL)
|
|
|
68a3ed |
+#endif
|
|
|
68a3ed |
{
|
|
|
68a3ed |
/*
|
|
|
68a3ed |
* Look for ~/.cups/client.conf...
|
|
|
68a3ed |
@@ -831,33 +864,20 @@ _cupsSetDefaults(void)
|
|
|
68a3ed |
|
|
|
68a3ed |
snprintf(filename, sizeof(filename), "%s/.cups/client.conf", home);
|
|
|
68a3ed |
fp = cupsFileOpen(filename, "r");
|
|
|
68a3ed |
- }
|
|
|
68a3ed |
- else
|
|
|
68a3ed |
- fp = NULL;
|
|
|
68a3ed |
|
|
|
68a3ed |
- if (!fp)
|
|
|
68a3ed |
- {
|
|
|
68a3ed |
/*
|
|
|
68a3ed |
- * Look for CUPS_SERVERROOT/client.conf...
|
|
|
68a3ed |
+ * Read the configuration file and apply any environment variables; both
|
|
|
68a3ed |
+ * functions handle NULL cups_file_t pointers...
|
|
|
68a3ed |
*/
|
|
|
68a3ed |
|
|
|
68a3ed |
- snprintf(filename, sizeof(filename), "%s/client.conf",
|
|
|
68a3ed |
- cg->cups_serverroot);
|
|
|
68a3ed |
- fp = cupsFileOpen(filename, "r");
|
|
|
68a3ed |
- }
|
|
|
68a3ed |
-
|
|
|
68a3ed |
- /*
|
|
|
68a3ed |
- * Read the configuration file and apply any environment variables; both
|
|
|
68a3ed |
- * functions handle NULL cups_file_t pointers...
|
|
|
68a3ed |
- */
|
|
|
68a3ed |
-
|
|
|
68a3ed |
- cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
|
|
|
68a3ed |
+ cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
|
|
|
68a3ed |
#ifdef HAVE_GSSAPI
|
|
|
68a3ed |
- cups_gssservicename,
|
|
|
68a3ed |
+ cups_gssservicename,
|
|
|
68a3ed |
#endif /* HAVE_GSSAPI */
|
|
|
68a3ed |
- cups_anyroot, cups_expiredroot,
|
|
|
68a3ed |
- cups_expiredcerts);
|
|
|
68a3ed |
- cupsFileClose(fp);
|
|
|
68a3ed |
+ cups_anyroot, cups_expiredroot,
|
|
|
68a3ed |
+ cups_expiredcerts, 0);
|
|
|
68a3ed |
+ cupsFileClose(fp);
|
|
|
68a3ed |
+ }
|
|
|
68a3ed |
}
|
|
|
68a3ed |
}
|
|
|
68a3ed |
|
|
|
68a3ed |
@@ -879,7 +899,8 @@ cups_read_client_conf(
|
|
|
68a3ed |
#endif /* HAVE_GSSAPI */
|
|
|
68a3ed |
const char *cups_anyroot, /* I - CUPS_ANYROOT env var */
|
|
|
68a3ed |
const char *cups_expiredroot, /* I - CUPS_EXPIREDROOT env var */
|
|
|
68a3ed |
- const char *cups_expiredcerts) /* I - CUPS_EXPIREDCERTS env var */
|
|
|
68a3ed |
+ const char *cups_expiredcerts, /* I - CUPS_EXPIREDCERTS env var */
|
|
|
68a3ed |
+ int ssl_options) /* I - Allow setting of SSLOptions? */
|
|
|
68a3ed |
{
|
|
|
68a3ed |
int linenum; /* Current line number */
|
|
|
68a3ed |
char line[1024], /* Line from file */
|
|
|
68a3ed |
@@ -952,6 +973,43 @@ cups_read_client_conf(
|
|
|
68a3ed |
cups_gssservicename = gss_service_name;
|
|
|
68a3ed |
}
|
|
|
68a3ed |
#endif /* HAVE_GSSAPI */
|
|
|
68a3ed |
+ else if (ssl_options && !_cups_strcasecmp(line, "SSLOptions") && value)
|
|
|
68a3ed |
+ {
|
|
|
68a3ed |
+ /*
|
|
|
68a3ed |
+ * SSLOptions [AllowRC4] [AllowSSL3] [None]
|
|
|
68a3ed |
+ */
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+ int options = 0; /* SSL/TLS options */
|
|
|
68a3ed |
+ char *start, /* Start of option */
|
|
|
68a3ed |
+ *end; /* End of option */
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+ for (start = value; *start; start = end)
|
|
|
68a3ed |
+ {
|
|
|
68a3ed |
+ /*
|
|
|
68a3ed |
+ * Find end of keyword...
|
|
|
68a3ed |
+ */
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+ end = start;
|
|
|
68a3ed |
+ while (*end && !_cups_isspace(*end))
|
|
|
68a3ed |
+ end++;
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+ if (*end)
|
|
|
68a3ed |
+ *end++ = '\0';
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+ /*
|
|
|
68a3ed |
+ * Compare...
|
|
|
68a3ed |
+ */
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+ if (!_cups_strcasecmp(start, "AllowRC4"))
|
|
|
68a3ed |
+ options |= _HTTP_TLS_ALLOW_RC4;
|
|
|
68a3ed |
+ else if (!_cups_strcasecmp(start, "AllowSSL3"))
|
|
|
68a3ed |
+ options |= _HTTP_TLS_ALLOW_SSL3;
|
|
|
68a3ed |
+ else if (!_cups_strcasecmp(start, "None"))
|
|
|
68a3ed |
+ options = 0;
|
|
|
68a3ed |
+ }
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+ _httpTLSSetOptions(options);
|
|
|
68a3ed |
+ }
|
|
|
68a3ed |
}
|
|
|
68a3ed |
|
|
|
68a3ed |
/*
|
|
|
68a3ed |
diff -up cups-1.6.3/doc/help/ref-client-conf.html.str4476 cups-1.6.3/doc/help/ref-client-conf.html
|
|
|
68a3ed |
--- cups-1.6.3/doc/help/ref-client-conf.html.str4476 2013-06-25 15:38:12.000000000 +0100
|
|
|
68a3ed |
+++ cups-1.6.3/doc/help/ref-client-conf.html 2015-06-23 14:05:39.873805409 +0100
|
|
|
68a3ed |
@@ -76,6 +76,26 @@ present, only the last one is used. This
|
|
|
68a3ed |
|
|
|
68a3ed |
|
|
|
68a3ed |
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+Examples
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+SSLOptions None
|
|
|
68a3ed |
+SSLOptions AllowSSL3
|
|
|
68a3ed |
+SSLOptions AllowRC4
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+Description
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+Sets encryption options (only in /etc/cups/client.conf). By
|
|
|
68a3ed |
+default, CUPS only supports encryption using TLS v1.0 or higher using
|
|
|
68a3ed |
+known secure cipher suites. The AllowRC4 option enables the
|
|
|
68a3ed |
+128-bit RC4 cipher suites, which are required for some older clients
|
|
|
68a3ed |
+that do not implement newer ones. The AllowSSL3 option enables
|
|
|
68a3ed |
+SSL v3.0, which is required for some older clients that do not support
|
|
|
68a3ed |
+TLS v1.0.
|
|
|
68a3ed |
+
|
|
|
68a3ed |
CUPS 1.6/OS X 10.8User
|
|
|
68a3ed |
|
|
|
68a3ed |
Examples
|
|
|
68a3ed |
diff -up cups-1.6.3/doc/help/ref-cupsd-conf.html.in.str4476 cups-1.6.3/doc/help/ref-cupsd-conf.html.in
|
|
|
68a3ed |
--- cups-1.6.3/doc/help/ref-cupsd-conf.html.in.str4476 2013-05-10 17:52:10.000000000 +0100
|
|
|
68a3ed |
+++ cups-1.6.3/doc/help/ref-cupsd-conf.html.in 2015-06-23 14:05:39.873805409 +0100
|
|
|
68a3ed |
@@ -2011,23 +2011,23 @@ SetEnv MY_ENV_VAR foo
|
|
|
68a3ed |
variable that should be passed to child processes.
|
|
|
68a3ed |
|
|
|
68a3ed |
|
|
|
68a3ed |
-
|
|
|
68a3ed |
+
|
|
|
68a3ed |
|
|
|
68a3ed |
Examples
|
|
|
68a3ed |
|
|
|
68a3ed |
|
|
|
68a3ed |
-SSLListen 127.0.0.1:443
|
|
|
68a3ed |
-SSLListen 192.0.2.1:443
|
|
|
68a3ed |
+SSLOptions 127.0.0.1:443
|
|
|
68a3ed |
+SSLOptions 192.0.2.1:443
|
|
|
68a3ed |
|
|
|
68a3ed |
|
|
|
68a3ed |
Description
|
|
|
68a3ed |
|
|
|
68a3ed |
-The SSLListen directive specifies a network
|
|
|
68a3ed |
+The SSLOptions directive specifies a network
|
|
|
68a3ed |
address and port to listen for secure connections. Multiple
|
|
|
68a3ed |
-SSLListen directives can be provided to listen on
|
|
|
68a3ed |
+SSLOptions directives can be provided to listen on
|
|
|
68a3ed |
multiple addresses.
|
|
|
68a3ed |
|
|
|
68a3ed |
-The SSLListen directive is similar to the
|
|
|
68a3ed |
+The SSLOptions directive is similar to the
|
|
|
68a3ed |
HREF="#SSLPort">SSLPort directive but allows you
|
|
|
68a3ed |
to restrict access to specific interfaces or networks.
|
|
|
68a3ed |
|
|
|
68a3ed |
@@ -2039,15 +2039,22 @@ to restrict access to specific interface
|
|
|
68a3ed |
|
|
|
68a3ed |
SSLOptions None
|
|
|
68a3ed |
SSLOptions NoEmptyFragments
|
|
|
68a3ed |
+SSLOptions AllowSSL3
|
|
|
68a3ed |
+SSLOptions AllowRC4
|
|
|
68a3ed |
|
|
|
68a3ed |
|
|
|
68a3ed |
Description
|
|
|
68a3ed |
|
|
|
68a3ed |
The SSLOptions directive specifies additional SSL/TLS
|
|
|
68a3ed |
-protocol options to use for encrypted connected. Currently only two
|
|
|
68a3ed |
-options are supported - None (the default) for the most
|
|
|
68a3ed |
-secure mode and NoEmptyFragments to allow CUPS to work with
|
|
|
68a3ed |
-Microsoft Windows with the FIPS conformance mode enabled.
|
|
|
68a3ed |
+protocol options to use for encrypted connected. By default, CUPS only
|
|
|
68a3ed |
+supports encryption using TLS v1.0 or higher using known secure cipher
|
|
|
68a3ed |
+suites. The NoEmptyFragments option allows CUPS to work
|
|
|
68a3ed |
+with Microsoft Windows with the FIPS conformance mode
|
|
|
68a3ed |
+enabled. The AllowRC4 option enables the 128-bit RC4
|
|
|
68a3ed |
+cipher suites, which are required for some older clients that do not
|
|
|
68a3ed |
+implement newer ones. The AllowSSL3 option enables SSL
|
|
|
68a3ed |
+v3.0, which is required for some older clients that do not support TLS
|
|
|
68a3ed |
+v1.0.
|
|
|
68a3ed |
|
|
|
68a3ed |
|
|
|
68a3ed |
|
|
|
68a3ed |
diff -up cups-1.6.3/man/client.conf.man.in.str4476 cups-1.6.3/man/client.conf.man.in
|
|
|
68a3ed |
--- cups-1.6.3/man/client.conf.man.in.str4476 2013-06-25 15:38:12.000000000 +0100
|
|
|
68a3ed |
+++ cups-1.6.3/man/client.conf.man.in 2015-06-23 14:05:39.874805401 +0100
|
|
|
68a3ed |
@@ -53,6 +53,15 @@ Specifies the address and optionally the
|
|
|
68a3ed |
server running CUPS 1.3.12 and earlier. \fBNote: Not supported on OS X 10.7 or
|
|
|
68a3ed |
later.\fR
|
|
|
68a3ed |
.TP 5
|
|
|
68a3ed |
+SSLOptions \fR[\fIAllowRC4\fR] [\fIAllow SSL3\fR]
|
|
|
68a3ed |
+.br
|
|
|
68a3ed |
+Sets SSL/TLS protocol options for encrypted connections. By default,
|
|
|
68a3ed |
+CUPS only supports encryption using TLS v1.0 or higher using known
|
|
|
68a3ed |
+secure cipher suites. The \fIAllowRC4\fR option enables the 128-bit
|
|
|
68a3ed |
+RC4 cipher suites, which are required for some older clients that do
|
|
|
68a3ed |
+not implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0,
|
|
|
68a3ed |
+which is required for some older clients that do not support TLS v1.0.
|
|
|
68a3ed |
+.TP 5
|
|
|
68a3ed |
User name
|
|
|
68a3ed |
.br
|
|
|
68a3ed |
Specifies the default user name to use for requests.
|
|
|
68a3ed |
diff -up cups-1.6.3/man/cupsd.conf.man.in.str4476 cups-1.6.3/man/cupsd.conf.man.in
|
|
|
68a3ed |
--- cups-1.6.3/man/cupsd.conf.man.in.str4476 2015-06-23 14:04:45.278229909 +0100
|
|
|
68a3ed |
+++ cups-1.6.3/man/cupsd.conf.man.in 2015-06-23 14:05:39.874805401 +0100
|
|
|
68a3ed |
@@ -480,9 +480,16 @@ Listens on the specified address and por
|
|
|
68a3ed |
.TP 5
|
|
|
68a3ed |
SSLOptions None
|
|
|
68a3ed |
.TP 5
|
|
|
68a3ed |
-SSLOptions NoEmptyFragments
|
|
|
68a3ed |
+SSLOptions \fR[\fINoEmptyFragments\fR] [\fIAllowRC4\fR] [\fIAllow SSL3\fR]
|
|
|
68a3ed |
.br
|
|
|
68a3ed |
-Sets SSL/TLS protocol options for encrypted connections.
|
|
|
68a3ed |
+Sets SSL/TLS protocol options for encrypted connections. By default,
|
|
|
68a3ed |
+CUPS only supports encryption using TLS v1.0 or higher using known
|
|
|
68a3ed |
+secure cipher suites. The \fINoEmptyFragments\fR option allows CUPS to
|
|
|
68a3ed |
+work with Microsoft Windows with the FIPS conformance mode
|
|
|
68a3ed |
+enabled. The \fIAllowRC4\fR option enables the 128-bit RC4 cipher
|
|
|
68a3ed |
+suites, which are required for some older clients that do not
|
|
|
68a3ed |
+implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0,
|
|
|
68a3ed |
+which is required for some older clients that do not support TLS v1.0.
|
|
|
68a3ed |
.TP 5
|
|
|
68a3ed |
SSLPort
|
|
|
68a3ed |
.br
|
|
|
68a3ed |
diff -up cups-1.6.3/scheduler/conf.c.str4476 cups-1.6.3/scheduler/conf.c
|
|
|
68a3ed |
--- cups-1.6.3/scheduler/conf.c.str4476 2015-06-23 14:04:45.298229754 +0100
|
|
|
68a3ed |
+++ cups-1.6.3/scheduler/conf.c 2015-06-23 14:05:39.874805401 +0100
|
|
|
68a3ed |
@@ -3361,17 +3361,54 @@ read_cupsd_conf(cups_file_t *fp) /* I -
|
|
|
68a3ed |
else if (!_cups_strcasecmp(line, "SSLOptions"))
|
|
|
68a3ed |
{
|
|
|
68a3ed |
/*
|
|
|
68a3ed |
+ * SSLOptions [AllowRC4] [AllowSSL3] [NoEmptyFragments] [None]
|
|
|
68a3ed |
+ */
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+ int options = 0; /* SSL/TLS options */
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+ /*
|
|
|
68a3ed |
* SSLOptions options
|
|
|
68a3ed |
*/
|
|
|
68a3ed |
|
|
|
68a3ed |
- if (!value || !_cups_strcasecmp(value, "none"))
|
|
|
68a3ed |
- SSLOptions = CUPSD_SSL_NONE;
|
|
|
68a3ed |
- else if (!_cups_strcasecmp(value, "noemptyfragments"))
|
|
|
68a3ed |
- SSLOptions = CUPSD_SSL_NOEMPTY;
|
|
|
68a3ed |
- else
|
|
|
68a3ed |
- cupsdLogMessage(CUPSD_LOG_ERROR,
|
|
|
68a3ed |
- "Unknown value \"%s\" for SSLOptions directive on "
|
|
|
68a3ed |
- "line %d.", value, linenum);
|
|
|
68a3ed |
+ if (value)
|
|
|
68a3ed |
+ {
|
|
|
68a3ed |
+ char *start, /* Start of option */
|
|
|
68a3ed |
+ *end; /* End of option */
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+ for (start = value; *start; start = end)
|
|
|
68a3ed |
+ {
|
|
|
68a3ed |
+ /*
|
|
|
68a3ed |
+ * Find end of keyword...
|
|
|
68a3ed |
+ */
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+ end = start;
|
|
|
68a3ed |
+ while (*end && !_cups_isspace(*end))
|
|
|
68a3ed |
+ end++;
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+ if (*end)
|
|
|
68a3ed |
+ *end++ = '\0';
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+ /*
|
|
|
68a3ed |
+ * Compare...
|
|
|
68a3ed |
+ */
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+ if (!_cups_strcasecmp(start, "NoEmptyFragments"))
|
|
|
68a3ed |
+ options |= CUPSD_SSL_NOEMPTY;
|
|
|
68a3ed |
+ else if (!_cups_strcasecmp(start, "AllowRC4"))
|
|
|
68a3ed |
+ options |= CUPSD_SSL_ALLOW_RC4;
|
|
|
68a3ed |
+ else if (!_cups_strcasecmp(start, "AllowSSL3"))
|
|
|
68a3ed |
+ options |= CUPSD_SSL_ALLOW_SSL3;
|
|
|
68a3ed |
+ else if (!_cups_strcasecmp(start, "None"))
|
|
|
68a3ed |
+ options = 0;
|
|
|
68a3ed |
+ else
|
|
|
68a3ed |
+ cupsdLogMessage(CUPSD_LOG_ERROR,
|
|
|
68a3ed |
+ "Unknown value \"%s\" for SSLOptions directive on "
|
|
|
68a3ed |
+ "line %d.", start, linenum);
|
|
|
68a3ed |
+ }
|
|
|
68a3ed |
+ }
|
|
|
68a3ed |
+
|
|
|
68a3ed |
+ SSLOptions = options;
|
|
|
68a3ed |
+ _httpTLSSetOptions (SSLOptions & ~CUPSD_SSL_NOEMPTY);
|
|
|
68a3ed |
}
|
|
|
68a3ed |
#endif /* HAVE_SSL */
|
|
|
68a3ed |
else if (!_cups_strcasecmp(line, "AccessLog") ||
|
|
|
68a3ed |
diff -up cups-1.6.3/scheduler/conf.h.str4476 cups-1.6.3/scheduler/conf.h
|
|
|
68a3ed |
--- cups-1.6.3/scheduler/conf.h.str4476 2015-06-23 14:04:45.298229754 +0100
|
|
|
68a3ed |
+++ cups-1.6.3/scheduler/conf.h 2015-06-23 14:05:39.874805401 +0100
|
|
|
68a3ed |
@@ -78,6 +78,8 @@ typedef enum
|
|
|
68a3ed |
|
|
|
68a3ed |
#define CUPSD_SSL_NONE 0 /* No special options */
|
|
|
68a3ed |
#define CUPSD_SSL_NOEMPTY 1 /* Do not insert empty fragments */
|
|
|
68a3ed |
+#define CUPSD_SSL_ALLOW_RC4 2 /* Allow RC4 cipher suites */
|
|
|
68a3ed |
+#define CUPSD_SSL_ALLOW_SSL3 4 /* Allow SSL 3.0 */
|
|
|
68a3ed |
|
|
|
68a3ed |
|
|
|
68a3ed |
/*
|
|
|
68a3ed |
diff -up cups-1.6.3/scheduler/tls-gnutls.c.str4476 cups-1.6.3/scheduler/tls-gnutls.c
|
|
|
68a3ed |
--- cups-1.6.3/scheduler/tls-gnutls.c.str4476 2013-06-07 02:12:52.000000000 +0100
|
|
|
68a3ed |
+++ cups-1.6.3/scheduler/tls-gnutls.c 2015-06-23 14:05:39.874805401 +0100
|
|
|
68a3ed |
@@ -114,7 +114,15 @@ cupsdStartTLS(cupsd_client_t *con) /* I
|
|
|
68a3ed |
ServerKey, GNUTLS_X509_FMT_PEM);
|
|
|
68a3ed |
|
|
|
68a3ed |
gnutls_init(&con->http.tls, GNUTLS_SERVER);
|
|
|
68a3ed |
- gnutls_set_default_priority(con->http.tls);
|
|
|
68a3ed |
+ if (!SSLOptions)
|
|
|
68a3ed |
+ gnutls_priority_set_direct(con->http.tls, "NORMAL:-ARCFOUR-128:-VERS-SSL3.0", NULL);
|
|
|
68a3ed |
+ else if ((SSLOptions & CUPSD_SSL_ALLOW_SSL3) &&
|
|
|
68a3ed |
+ (SSLOptions & CUPSD_SSL_ALLOW_RC4))
|
|
|
68a3ed |
+ gnutls_priority_set_direct(con->http.tls, "NORMAL", NULL);
|
|
|
68a3ed |
+ else if (SSLOptions & CUPSD_SSL_ALLOW_SSL3)
|
|
|
68a3ed |
+ gnutls_priority_set_direct(con->http.tls, "NORMAL:-ARCFOUR-128", NULL);
|
|
|
68a3ed |
+ else
|
|
|
68a3ed |
+ gnutls_priority_set_direct(con->http.tls, "NORMAL:-VERS-SSL3.0", NULL);
|
|
|
68a3ed |
|
|
|
68a3ed |
gnutls_credentials_set(con->http.tls, GNUTLS_CRD_CERTIFICATE, *credentials);
|
|
|
68a3ed |
gnutls_transport_set_ptr(con->http.tls, (gnutls_transport_ptr)HTTP(con));
|
|
|
68a3ed |
diff -up cups-1.6.3/scheduler/tls-openssl.c.str4476 cups-1.6.3/scheduler/tls-openssl.c
|
|
|
68a3ed |
--- cups-1.6.3/scheduler/tls-openssl.c.str4476 2013-06-07 02:12:52.000000000 +0100
|
|
|
68a3ed |
+++ cups-1.6.3/scheduler/tls-openssl.c 2015-06-23 14:05:39.875805393 +0100
|
|
|
68a3ed |
@@ -107,6 +107,10 @@ cupsdStartTLS(cupsd_client_t *con) /* I
|
|
|
68a3ed |
SSL_CTX_set_options(context, SSL_OP_NO_SSLv2); /* Only use SSLv3 or TLS */
|
|
|
68a3ed |
if (SSLOptions & CUPSD_SSL_NOEMPTY)
|
|
|
68a3ed |
SSL_CTX_set_options(context, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
|
|
|
68a3ed |
+ if (!(SSLOptions & CUPSD_SSL_ALLOW_SSL3))
|
|
|
68a3ed |
+ SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */
|
|
|
68a3ed |
+ if (!(SSLOptions & CUPSD_SSL_ALLOW_RC4))
|
|
|
68a3ed |
+ SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4");
|
|
|
68a3ed |
SSL_CTX_use_PrivateKey_file(context, ServerKey, SSL_FILETYPE_PEM);
|
|
|
68a3ed |
SSL_CTX_use_certificate_chain_file(context, ServerCertificate);
|
|
|
68a3ed |
|