diff -up cups-1.6.3/cups/http.c.str4476 cups-1.6.3/cups/http.c
--- cups-1.6.3/cups/http.c.str4476	2013-06-07 02:12:52.000000000 +0100
+++ cups-1.6.3/cups/http.c	2015-06-23 14:05:39.872805417 +0100
@@ -175,6 +175,8 @@ static int		http_write_ssl(http_t *http,
  * Local globals...
  */
 
+static int		tls_options = 0; /* Options for TLS connections */
+
 static const char * const http_fields[] =
 			{
 			  "Accept-Language",
@@ -3722,7 +3724,10 @@ http_send(http_t       *http,	/* I - Con
   if (http->encryption == HTTP_ENCRYPT_REQUIRED && !http->tls)
   {
     httpSetField(http, HTTP_FIELD_CONNECTION, "Upgrade");
-    httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.0,SSL/2.0,SSL/3.0");
+    if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+      httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.1,TLS/1.0,SSL/3.0");
+    else
+      httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.1,TLS/1.0");
   }
 #endif /* HAVE_SSL */
 
@@ -3959,6 +3964,10 @@ http_setup_ssl(http_t *http)		/* I - Con
   context = SSL_CTX_new(SSLv23_client_method());
 
   SSL_CTX_set_options(context, SSL_OP_NO_SSLv2); /* Only use SSLv3 or TLS */
+  if (!(tls_options & _HTTP_TLS_ALLOW_SSL3))
+    SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */
+  if (!(tls_options & _HTTP_TLS_ALLOW_RC4))
+    SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4");
 
   bio = BIO_new(_httpBIOMethods());
   BIO_ctrl(bio, BIO_C_SET_FILE_PTR, 0, (char *)http);
@@ -4018,7 +4027,16 @@ http_setup_ssl(http_t *http)		/* I - Con
   gnutls_certificate_allocate_credentials(credentials);
 
   gnutls_init(&http->tls, GNUTLS_CLIENT);
-  gnutls_set_default_priority(http->tls);
+  if (!tls_options)
+    gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128:-VERS-SSL3.0", NULL);
+  else if ((tls_options & _HTTP_TLS_ALLOW_SSL3) &&
+	   (tls_options & _HTTP_TLS_ALLOW_RC4))
+    gnutls_priority_set_direct(http->tls, "NORMAL", NULL);
+  else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+    gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128", NULL);
+  else
+    gnutls_priority_set_direct(http->tls, "NORMAL:-VERS-SSL3.0", NULL);
+
   gnutls_server_name_set(http->tls, GNUTLS_NAME_DNS, hostname,
                          strlen(hostname));
   gnutls_credentials_set(http->tls, GNUTLS_CRD_CERTIFICATE, *credentials);
@@ -4433,7 +4451,10 @@ http_upgrade(http_t *http)		/* I - Conne
 
   httpClearFields(http);
   httpSetField(http, HTTP_FIELD_CONNECTION, "upgrade");
-  httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2, TLS/1.1, TLS/1.0, SSL/3.0");
+  if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+    httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2, TLS/1.1, TLS/1.0, SSL/3.0");
+  else
+    httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2, TLS/1.1, TLS/1.0");
 
   if ((ret = httpOptions(http, "*")) == 0)
   {
@@ -4764,6 +4785,16 @@ http_write_ssl(http_t     *http,	/* I -
 }
 #endif /* HAVE_SSL */
 
+/*
+ * '_httpTLSSetOptions()' - Set TLS/SSL options.
+ */
+
+void
+_httpTLSSetOptions(int options)
+{
+  tls_options = options;
+}
+
 
 /*
  * End of "$Id: http.c 7850 2008-08-20 00:07:25Z mike $".
diff -up cups-1.6.3/cups/http-private.h.str4476 cups-1.6.3/cups/http-private.h
--- cups-1.6.3/cups/http-private.h.str4476	2015-06-23 14:04:45.244230171 +0100
+++ cups-1.6.3/cups/http-private.h	2015-06-23 14:05:39.873805409 +0100
@@ -140,6 +140,10 @@ extern "C" {
 #define _HTTP_RESOLVE_FQDN	2	/* Resolve to a FQDN */
 #define _HTTP_RESOLVE_FAXOUT	4	/* Resolve FaxOut service? */
 
+/* care - these should be the same values as the CUPSD_SSL_* equivalents */
+#define _HTTP_TLS_ALLOW_RC4	2
+#define _HTTP_TLS_ALLOW_SSL3	4
+
 
 /*
  * Types and functions for SSL support...
@@ -377,6 +381,8 @@ extern const char	*_httpResolveURI(const
 extern int		_httpUpdate(http_t *http, http_status_t *status);
 extern int		_httpWait(http_t *http, int msec, int usessl);
 
+extern void		_httpTLSSetOptions(int options);
+
 
 /*
  * C++ magic...
diff -up cups-1.6.3/cups/usersys.c.str4476 cups-1.6.3/cups/usersys.c
--- cups-1.6.3/cups/usersys.c.str4476	2015-06-23 14:04:45.268229986 +0100
+++ cups-1.6.3/cups/usersys.c	2015-06-23 14:05:39.873805409 +0100
@@ -72,7 +72,8 @@ static void	cups_read_client_conf(cups_f
 #endif /* HAVE_GSSAPI */
 				      const char *cups_anyroot,
 				      const char *cups_expiredroot,
-				      const char *cups_expiredcerts);
+				      const char *cups_expiredcerts,
+				      int ssl_options);
 
 
 /*
@@ -257,6 +258,9 @@ cupsSetEncryption(http_encryption_t e)	/
   _cups_globals_t *cg = _cupsGlobals();	/* Pointer to library globals */
 
 
+  if (cg->encryption == (http_encryption_t)-1)
+    _cupsSetDefaults();
+
   cg->encryption = e;
 
   if (cg->http)
@@ -823,7 +827,36 @@ _cupsSetDefaults(void)
   if (cg->encryption == (http_encryption_t)-1 || !cg->server[0] ||
       !cg->user[0] || !cg->ipp_port)
   {
+   /*
+    * Look for CUPS_SERVERROOT/client.conf...
+    */
+
+    snprintf(filename, sizeof(filename), "%s/client.conf",
+	     cg->cups_serverroot);
+    fp = cupsFileOpen(filename, "r");
+
+   /*
+    * Read the configuration file and apply any environment variables; both
+    * functions handle NULL cups_file_t pointers...
+    */
+
+    cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
+#ifdef HAVE_GSSAPI
+			  cups_gssservicename,
+#endif /* HAVE_GSSAPI */
+			  cups_anyroot, cups_expiredroot,
+			  cups_expiredcerts, 1);
+
+   /*
+    * Then user defaults, if it is safe to do so...
+    */
+
+#ifdef HAVE_GETEUID
+    if ((geteuid() == getuid() || !getuid()) && getegid() == getgid() &&
+	(home = getenv("HOME")) != NULL)
+#else
     if ((home = getenv("HOME")) != NULL)
+#endif
     {
      /*
       * Look for ~/.cups/client.conf...
@@ -831,33 +864,20 @@ _cupsSetDefaults(void)
 
       snprintf(filename, sizeof(filename), "%s/.cups/client.conf", home);
       fp = cupsFileOpen(filename, "r");
-    }
-    else
-      fp = NULL;
 
-    if (!fp)
-    {
      /*
-      * Look for CUPS_SERVERROOT/client.conf...
+      * Read the configuration file and apply any environment variables; both
+      * functions handle NULL cups_file_t pointers...
       */
 
-      snprintf(filename, sizeof(filename), "%s/client.conf",
-               cg->cups_serverroot);
-      fp = cupsFileOpen(filename, "r");
-    }
-
-   /*
-    * Read the configuration file and apply any environment variables; both
-    * functions handle NULL cups_file_t pointers...
-    */
-
-    cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
+      cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
 #ifdef HAVE_GSSAPI
-			  cups_gssservicename,
+			    cups_gssservicename,
 #endif /* HAVE_GSSAPI */
-			  cups_anyroot, cups_expiredroot,
-			  cups_expiredcerts);
-    cupsFileClose(fp);
+			    cups_anyroot, cups_expiredroot,
+			    cups_expiredcerts, 0);
+      cupsFileClose(fp);
+    }
   }
 }
 
@@ -879,7 +899,8 @@ cups_read_client_conf(
 #endif /* HAVE_GSSAPI */
     const char	    *cups_anyroot,	/* I - CUPS_ANYROOT env var */
     const char	    *cups_expiredroot,	/* I - CUPS_EXPIREDROOT env var */
-    const char	    *cups_expiredcerts)	/* I - CUPS_EXPIREDCERTS env var */
+    const char	    *cups_expiredcerts,	/* I - CUPS_EXPIREDCERTS env var */
+    int		     ssl_options)	/* I - Allow setting of SSLOptions? */
 {
   int	linenum;			/* Current line number */
   char	line[1024],			/* Line from file */
@@ -952,6 +973,43 @@ cups_read_client_conf(
       cups_gssservicename = gss_service_name;
     }
 #endif /* HAVE_GSSAPI */
+    else if (ssl_options && !_cups_strcasecmp(line, "SSLOptions") && value)
+    {
+     /*
+      * SSLOptions [AllowRC4] [AllowSSL3] [None]
+      */
+
+      int	options = 0;		/* SSL/TLS options */
+      char	*start,			/* Start of option */
+		*end;			/* End of option */
+
+      for (start = value; *start; start = end)
+      {
+       /*
+	* Find end of keyword...
+	*/
+
+	end = start;
+	while (*end && !_cups_isspace(*end))
+	  end++;
+
+	if (*end)
+	  *end++ = '\0';
+
+       /*
+	* Compare...
+	*/
+
+	if (!_cups_strcasecmp(start, "AllowRC4"))
+	  options |= _HTTP_TLS_ALLOW_RC4;
+	else if (!_cups_strcasecmp(start, "AllowSSL3"))
+	  options |= _HTTP_TLS_ALLOW_SSL3;
+	else if (!_cups_strcasecmp(start, "None"))
+	  options = 0;
+      }
+
+      _httpTLSSetOptions(options);
+    }
   }
 
  /*
diff -up cups-1.6.3/doc/help/ref-client-conf.html.str4476 cups-1.6.3/doc/help/ref-client-conf.html
--- cups-1.6.3/doc/help/ref-client-conf.html.str4476	2013-06-25 15:38:12.000000000 +0100
+++ cups-1.6.3/doc/help/ref-client-conf.html	2015-06-23 14:05:39.873805409 +0100
@@ -76,6 +76,26 @@ present, only the last one is used. This
 </BLOCKQUOTE>
 
 
+<H2 CLASS="title"><A NAME="SSLOptions">SSLOptions</A></H2>
+
+<H3>Examples</H3>
+
+<PRE CLASS="command">
+SSLOptions None
+SSLOptions AllowSSL3
+SSLOptions AllowRC4
+</PRE>
+
+<H3>Description</H3>
+
+<P>Sets encryption options (only in /etc/cups/client.conf). By
+default, CUPS only supports encryption using TLS v1.0 or higher using
+known secure cipher suites. The <i>AllowRC4</i> option enables the
+128-bit RC4 cipher suites, which are required for some older clients
+that do not implement newer ones. The <i>AllowSSL3</i> option enables
+SSL v3.0, which is required for some older clients that do not support
+TLS v1.0.</P>
+
 <H2 CLASS="title"><SPAN CLASS="info">CUPS 1.6/OS X 10.8</SPAN><A NAME="User">User</A></H2>
 
 <H3>Examples</H3>
diff -up cups-1.6.3/doc/help/ref-cupsd-conf.html.in.str4476 cups-1.6.3/doc/help/ref-cupsd-conf.html.in
--- cups-1.6.3/doc/help/ref-cupsd-conf.html.in.str4476	2013-05-10 17:52:10.000000000 +0100
+++ cups-1.6.3/doc/help/ref-cupsd-conf.html.in	2015-06-23 14:05:39.873805409 +0100
@@ -2011,23 +2011,23 @@ SetEnv MY_ENV_VAR foo
 variable that should be passed to child processes.</P>
 
 
-<H2 CLASS="title"><A NAME="SSLListen">SSLListen</A></H2>
+<H2 CLASS="title"><A NAME="SSLOptions">SSLOptions</A></H2>
 
 <H3>Examples</H3>
 
 <PRE CLASS="command">
-SSLListen 127.0.0.1:443
-SSLListen 192.0.2.1:443
+SSLOptions 127.0.0.1:443
+SSLOptions 192.0.2.1:443
 </PRE>
 
 <H3>Description</H3>
 
-<P>The <CODE>SSLListen</CODE> directive specifies a network
+<P>The <CODE>SSLOptions</CODE> directive specifies a network
 address and port to listen for secure connections. Multiple
-<CODE>SSLListen</CODE> directives can be provided to listen on
+<CODE>SSLOptions</CODE> directives can be provided to listen on
 multiple addresses.</P>
 
-<P>The <CODE>SSLListen</CODE> directive is similar to the <A
+<P>The <CODE>SSLOptions</CODE> directive is similar to the <A
 HREF="#SSLPort"><CODE>SSLPort</CODE></A> directive but allows you
 to restrict access to specific interfaces or networks.</P>
 
@@ -2039,15 +2039,22 @@ to restrict access to specific interface
 <PRE CLASS="command">
 SSLOptions None
 SSLOptions NoEmptyFragments
+SSLOptions AllowSSL3
+SSLOptions AllowRC4
 </PRE>
 
 <H3>Description</H3>
 
 <P>The <CODE>SSLOptions</CODE> directive specifies additional SSL/TLS
-protocol options to use for encrypted connected. Currently only two
-options are supported - <code>None</code> (the default) for the most
-secure mode and <code>NoEmptyFragments</code> to allow CUPS to work with
-Microsoft Windows with the FIPS conformance mode enabled.</p>
+protocol options to use for encrypted connected. By default, CUPS only
+supports encryption using TLS v1.0 or higher using known secure cipher
+suites. The <code>NoEmptyFragments</code> option allows CUPS to work
+with Microsoft Windows with the FIPS conformance mode
+enabled. The <code>AllowRC4</code> option enables the 128-bit RC4
+cipher suites, which are required for some older clients that do not
+implement newer ones. The <code>AllowSSL3</code> option enables SSL
+v3.0, which is required for some older clients that do not support TLS
+v1.0.</p>
 
 
 <H2 CLASS="title"><A NAME="SSLPort">SSLPort</A></H2>
diff -up cups-1.6.3/man/client.conf.man.in.str4476 cups-1.6.3/man/client.conf.man.in
--- cups-1.6.3/man/client.conf.man.in.str4476	2013-06-25 15:38:12.000000000 +0100
+++ cups-1.6.3/man/client.conf.man.in	2015-06-23 14:05:39.874805401 +0100
@@ -53,6 +53,15 @@ Specifies the address and optionally the
 server running CUPS 1.3.12 and earlier. \fBNote: Not supported on OS X 10.7 or
 later.\fR
 .TP 5
+SSLOptions \fR[\fIAllowRC4\fR] [\fIAllow SSL3\fR]
+.br
+Sets SSL/TLS protocol options for encrypted connections. By default,
+CUPS only supports encryption using TLS v1.0 or higher using known
+secure cipher suites. The \fIAllowRC4\fR option enables the 128-bit
+RC4 cipher suites, which are required for some older clients that do
+not implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0,
+which is required for some older clients that do not support TLS v1.0.
+.TP 5
 User name
 .br
 Specifies the default user name to use for requests.
diff -up cups-1.6.3/man/cupsd.conf.man.in.str4476 cups-1.6.3/man/cupsd.conf.man.in
--- cups-1.6.3/man/cupsd.conf.man.in.str4476	2015-06-23 14:04:45.278229909 +0100
+++ cups-1.6.3/man/cupsd.conf.man.in	2015-06-23 14:05:39.874805401 +0100
@@ -480,9 +480,16 @@ Listens on the specified address and por
 .TP 5
 SSLOptions None
 .TP 5
-SSLOptions NoEmptyFragments
+SSLOptions \fR[\fINoEmptyFragments\fR] [\fIAllowRC4\fR] [\fIAllow SSL3\fR]
 .br
-Sets SSL/TLS protocol options for encrypted connections.
+Sets SSL/TLS protocol options for encrypted connections. By default,
+CUPS only supports encryption using TLS v1.0 or higher using known
+secure cipher suites. The \fINoEmptyFragments\fR option allows CUPS to
+work with Microsoft Windows with the FIPS conformance mode
+enabled. The \fIAllowRC4\fR option enables the 128-bit RC4 cipher
+suites, which are required for some older clients that do not
+implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0,
+which is required for some older clients that do not support TLS v1.0.
 .TP 5
 SSLPort
 .br
diff -up cups-1.6.3/scheduler/conf.c.str4476 cups-1.6.3/scheduler/conf.c
--- cups-1.6.3/scheduler/conf.c.str4476	2015-06-23 14:04:45.298229754 +0100
+++ cups-1.6.3/scheduler/conf.c	2015-06-23 14:05:39.874805401 +0100
@@ -3361,17 +3361,54 @@ read_cupsd_conf(cups_file_t *fp)	/* I -
     else if (!_cups_strcasecmp(line, "SSLOptions"))
     {
      /*
+      * SSLOptions [AllowRC4] [AllowSSL3] [NoEmptyFragments] [None]
+      */
+
+      int	options = 0;	/* SSL/TLS options */
+
+     /*
       * SSLOptions options
       */
 
-      if (!value || !_cups_strcasecmp(value, "none"))
-        SSLOptions = CUPSD_SSL_NONE;
-      else if (!_cups_strcasecmp(value, "noemptyfragments"))
-        SSLOptions = CUPSD_SSL_NOEMPTY;
-      else
-        cupsdLogMessage(CUPSD_LOG_ERROR,
-	                "Unknown value \"%s\" for SSLOptions directive on "
-			"line %d.", value, linenum);
+      if (value)
+      {
+	char	*start,		/* Start of option */
+		*end;		/* End of option */
+
+	for (start = value; *start; start = end)
+	{
+	 /*
+	  * Find end of keyword...
+	  */
+
+	  end = start;
+	  while (*end && !_cups_isspace(*end))
+	    end++;
+
+	  if (*end)
+	    *end++ = '\0';
+
+	 /*
+	  * Compare...
+	  */
+
+	  if (!_cups_strcasecmp(start, "NoEmptyFragments"))
+	    options |= CUPSD_SSL_NOEMPTY;
+	  else if (!_cups_strcasecmp(start, "AllowRC4"))
+	    options |= CUPSD_SSL_ALLOW_RC4;
+	  else if (!_cups_strcasecmp(start, "AllowSSL3"))
+	    options |= CUPSD_SSL_ALLOW_SSL3;
+	  else if (!_cups_strcasecmp(start, "None"))
+	    options = 0;
+	  else
+	    cupsdLogMessage(CUPSD_LOG_ERROR,
+			    "Unknown value \"%s\" for SSLOptions directive on "
+			    "line %d.", start, linenum);
+	}
+      }
+
+      SSLOptions = options;
+      _httpTLSSetOptions (SSLOptions & ~CUPSD_SSL_NOEMPTY);
     }
 #endif /* HAVE_SSL */
     else if (!_cups_strcasecmp(line, "AccessLog") ||
diff -up cups-1.6.3/scheduler/conf.h.str4476 cups-1.6.3/scheduler/conf.h
--- cups-1.6.3/scheduler/conf.h.str4476	2015-06-23 14:04:45.298229754 +0100
+++ cups-1.6.3/scheduler/conf.h	2015-06-23 14:05:39.874805401 +0100
@@ -78,6 +78,8 @@ typedef enum
 
 #define CUPSD_SSL_NONE		0	/* No special options */
 #define CUPSD_SSL_NOEMPTY	1	/* Do not insert empty fragments */
+#define CUPSD_SSL_ALLOW_RC4	2	/* Allow RC4 cipher suites */
+#define CUPSD_SSL_ALLOW_SSL3	4	/* Allow SSL 3.0 */
 
 
 /*
diff -up cups-1.6.3/scheduler/tls-gnutls.c.str4476 cups-1.6.3/scheduler/tls-gnutls.c
--- cups-1.6.3/scheduler/tls-gnutls.c.str4476	2013-06-07 02:12:52.000000000 +0100
+++ cups-1.6.3/scheduler/tls-gnutls.c	2015-06-23 14:05:39.874805401 +0100
@@ -114,7 +114,15 @@ cupsdStartTLS(cupsd_client_t *con)	/* I
 				       ServerKey, GNUTLS_X509_FMT_PEM);
 
   gnutls_init(&con->http.tls, GNUTLS_SERVER);
-  gnutls_set_default_priority(con->http.tls);
+  if (!SSLOptions)
+    gnutls_priority_set_direct(con->http.tls, "NORMAL:-ARCFOUR-128:-VERS-SSL3.0", NULL);
+  else if ((SSLOptions & CUPSD_SSL_ALLOW_SSL3) &&
+	   (SSLOptions & CUPSD_SSL_ALLOW_RC4))
+    gnutls_priority_set_direct(con->http.tls, "NORMAL", NULL);
+  else if (SSLOptions & CUPSD_SSL_ALLOW_SSL3)
+    gnutls_priority_set_direct(con->http.tls, "NORMAL:-ARCFOUR-128", NULL);
+  else
+    gnutls_priority_set_direct(con->http.tls, "NORMAL:-VERS-SSL3.0", NULL);
 
   gnutls_credentials_set(con->http.tls, GNUTLS_CRD_CERTIFICATE, *credentials);
   gnutls_transport_set_ptr(con->http.tls, (gnutls_transport_ptr)HTTP(con));
diff -up cups-1.6.3/scheduler/tls-openssl.c.str4476 cups-1.6.3/scheduler/tls-openssl.c
--- cups-1.6.3/scheduler/tls-openssl.c.str4476	2013-06-07 02:12:52.000000000 +0100
+++ cups-1.6.3/scheduler/tls-openssl.c	2015-06-23 14:05:39.875805393 +0100
@@ -107,6 +107,10 @@ cupsdStartTLS(cupsd_client_t *con)	/* I
   SSL_CTX_set_options(context, SSL_OP_NO_SSLv2); /* Only use SSLv3 or TLS */
   if (SSLOptions & CUPSD_SSL_NOEMPTY)
     SSL_CTX_set_options(context, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+  if (!(SSLOptions & CUPSD_SSL_ALLOW_SSL3))
+    SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */
+  if (!(SSLOptions & CUPSD_SSL_ALLOW_RC4))
+    SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4");
   SSL_CTX_use_PrivateKey_file(context, ServerKey, SSL_FILETYPE_PEM);
   SSL_CTX_use_certificate_chain_file(context, ServerCertificate);