diff -up cups-1.6.3/cups/http.c.tlsv12 cups-1.6.3/cups/http.c --- cups-1.6.3/cups/http.c.tlsv12 2017-12-12 14:40:02.672393885 +0100 +++ cups-1.6.3/cups/http.c 2017-12-12 16:45:11.417535244 +0100 @@ -3726,6 +3726,8 @@ http_send(http_t *http, /* I - Con httpSetField(http, HTTP_FIELD_CONNECTION, "Upgrade"); if (tls_options & _HTTP_TLS_ALLOW_SSL3) httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.1,TLS/1.0,SSL/3.0"); + else if (tls_options & _HTTP_TLS_MIN_TLS12) + httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2+"); else httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.1,TLS/1.0"); } @@ -3968,6 +3970,8 @@ http_setup_ssl(http_t *http) /* I - Con SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */ if (!(tls_options & _HTTP_TLS_ALLOW_RC4)) SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4"); + if (tls_options & _HTTP_TLS_MIN_TLS12) + SSL_CTX_set_cipher_list(context, "DEFAULT:!SSLv3:!TLSv1"); bio = BIO_new(_httpBIOMethods()); BIO_ctrl(bio, BIO_C_SET_FILE_PTR, 0, (char *)http); @@ -4453,6 +4457,8 @@ http_upgrade(http_t *http) /* I - Conne httpSetField(http, HTTP_FIELD_CONNECTION, "upgrade"); if (tls_options & _HTTP_TLS_ALLOW_SSL3) httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2, TLS/1.1, TLS/1.0, SSL/3.0"); + else if (tls_options & _HTTP_TLS_MIN_TLS12) + httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2+"); else httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2, TLS/1.1, TLS/1.0"); diff -up cups-1.6.3/cups/http-private.h.tlsv12 cups-1.6.3/cups/http-private.h --- cups-1.6.3/cups/http-private.h.tlsv12 2017-12-12 14:40:02.642394135 +0100 +++ cups-1.6.3/cups/http-private.h 2017-12-12 14:40:02.689393744 +0100 @@ -143,6 +143,7 @@ extern "C" { /* care - these should be the same values as the CUPSD_SSL_* equivalents */ #define _HTTP_TLS_ALLOW_RC4 2 #define _HTTP_TLS_ALLOW_SSL3 4 +#define _HTTP_TLS_MIN_TLS12 8 /* diff -up cups-1.6.3/cups/usersys.c.tlsv12 cups-1.6.3/cups/usersys.c --- cups-1.6.3/cups/usersys.c.tlsv12 2017-12-12 14:40:02.676393852 +0100 +++ cups-1.6.3/cups/usersys.c 2017-12-12 14:40:02.689393744 +0100 @@ -992,7 +992,7 @@ cups_read_client_conf( else if (ssl_options && !_cups_strcasecmp(line, "SSLOptions") && value) { /* - * SSLOptions [AllowRC4] [AllowSSL3] [None] + * SSLOptions [AllowRC4] [AllowSSL3] [MinTLS1.2] [None] */ int options = 0; /* SSL/TLS options */ @@ -1020,6 +1020,8 @@ cups_read_client_conf( options |= _HTTP_TLS_ALLOW_RC4; else if (!_cups_strcasecmp(start, "AllowSSL3")) options |= _HTTP_TLS_ALLOW_SSL3; + else if (!_cups_strcasecmp(start, "MinTLS1.2")) + options |= _HTTP_TLS_MIN_TLS12; else if (!_cups_strcasecmp(start, "None")) options = 0; } diff -up cups-1.6.3/man/client.conf.man.in.tlsv12 cups-1.6.3/man/client.conf.man.in --- cups-1.6.3/man/client.conf.man.in.tlsv12 2017-12-12 14:40:02.643394126 +0100 +++ cups-1.6.3/man/client.conf.man.in 2017-12-14 12:51:09.366872384 +0100 @@ -53,14 +53,15 @@ Specifies the address and optionally the server running CUPS 1.3.12 and earlier. \fBNote: Not supported on OS X 10.7 or later.\fR .TP 5 -SSLOptions \fR[\fIAllowRC4\fR] [\fIAllow SSL3\fR] +SSLOptions \fR[\fIAllowRC4\fR] [\fIAllow SSL3\fR] [\fIMinTLS1.2\fR] .br Sets SSL/TLS protocol options for encrypted connections. By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. The \fIAllowRC4\fR option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0, -which is required for some older clients that do not support TLS v1.0. +which is required for some older clients that do not support TLS v1.0. +The \fIMinTLS1.2\fR option enforces CUPS to use TLS v1.2 and higher. .TP 5 User name .br diff -up cups-1.6.3/man/cupsd.conf.man.in.tlsv12 cups-1.6.3/man/cupsd.conf.man.in --- cups-1.6.3/man/cupsd.conf.man.in.tlsv12 2017-12-14 12:42:34.233473538 +0100 +++ cups-1.6.3/man/cupsd.conf.man.in 2017-12-14 12:51:09.327872724 +0100 @@ -480,7 +480,7 @@ Listens on the specified address and por .TP 5 SSLOptions None .TP 5 -SSLOptions \fR[\fINoEmptyFragments\fR] [\fIAllowRC4\fR] [\fIAllow SSL3\fR] +SSLOptions \fR[\fINoEmptyFragments\fR] [\fIAllowRC4\fR] [\fIAllow SSL3\fR] [\fIMinTLS1.2\fR] .br Sets SSL/TLS protocol options for encrypted connections. By default, CUPS only supports encryption using TLS v1.0 or higher using known @@ -490,6 +490,7 @@ enabled. The \fIAllowRC4\fR option enabl suites, which are required for some older clients that do not implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0. +The \fIMinTLS1.2\fR option enforces CUPS to use TLS v1.2 and higher. .TP 5 SSLPort .br diff -up cups-1.6.3/scheduler/client.c.tlsv12 cups-1.6.3/scheduler/client.c --- cups-1.6.3/scheduler/client.c.tlsv12 2017-12-12 15:18:01.683589773 +0100 +++ cups-1.6.3/scheduler/client.c 2017-12-12 16:44:38.721796794 +0100 @@ -1189,7 +1189,11 @@ cupsdReadClient(cupsd_client_t *con) /* } httpPrintf(HTTP(con), "Connection: Upgrade\r\n"); - httpPrintf(HTTP(con), "Upgrade: TLS/1.0,HTTP/1.1\r\n"); + if ((SSLOptions & CUPSD_SSL_MIN_TLS12) || + !_cups_strcasecmp(con->http.fields[HTTP_FIELD_UPGRADE], "TLS/1.2+")) + httpPrintf(HTTP(con), "Upgrade: TLS/1.2+,HTTP/1.1\r\n"); + else + httpPrintf(HTTP(con), "Upgrade: TLS/1.0,HTTP/1.1\r\n"); httpPrintf(HTTP(con), "Content-Length: 0\r\n"); httpPrintf(HTTP(con), "\r\n"); @@ -1263,7 +1268,11 @@ cupsdReadClient(cupsd_client_t *con) /* } httpPrintf(HTTP(con), "Connection: Upgrade\r\n"); - httpPrintf(HTTP(con), "Upgrade: TLS/1.0,HTTP/1.1\r\n"); + if ((SSLOptions & CUPSD_SSL_MIN_TLS12) || + !_cups_strcasecmp(con->http.fields[HTTP_FIELD_UPGRADE], "TLS/1.2+")) + httpPrintf(HTTP(con), "Upgrade: TLS/1.2+,HTTP/1.1\r\n"); + else + httpPrintf(HTTP(con), "Upgrade: TLS/1.0,HTTP/1.1\r\n"); httpPrintf(HTTP(con), "Content-Length: 0\r\n"); httpPrintf(HTTP(con), "\r\n"); diff -up cups-1.6.3/scheduler/conf.c.tlsv12 cups-1.6.3/scheduler/conf.c --- cups-1.6.3/scheduler/conf.c.tlsv12 2017-12-12 14:40:02.681393811 +0100 +++ cups-1.6.3/scheduler/conf.c 2017-12-12 14:40:02.689393744 +0100 @@ -3383,7 +3383,7 @@ read_cupsd_conf(cups_file_t *fp) /* I - else if (!_cups_strcasecmp(line, "SSLOptions")) { /* - * SSLOptions [AllowRC4] [AllowSSL3] [NoEmptyFragments] [None] + * SSLOptions [AllowRC4] [AllowSSL3] [MinTLS1.2] [NoEmptyFragments] [None] */ int options = 0; /* SSL/TLS options */ @@ -3420,6 +3420,8 @@ read_cupsd_conf(cups_file_t *fp) /* I - options |= CUPSD_SSL_ALLOW_RC4; else if (!_cups_strcasecmp(start, "AllowSSL3")) options |= CUPSD_SSL_ALLOW_SSL3; + else if (!_cups_strcasecmp(start, "MinTLS1.2")) + options |= CUPSD_SSL_MIN_TLS12; else if (!_cups_strcasecmp(start, "None")) options = 0; else diff -up cups-1.6.3/scheduler/conf.h.tlsv12 cups-1.6.3/scheduler/conf.h --- cups-1.6.3/scheduler/conf.h.tlsv12 2017-12-12 14:40:02.681393811 +0100 +++ cups-1.6.3/scheduler/conf.h 2017-12-12 14:40:02.690393736 +0100 @@ -80,7 +80,7 @@ typedef enum #define CUPSD_SSL_NOEMPTY 1 /* Do not insert empty fragments */ #define CUPSD_SSL_ALLOW_RC4 2 /* Allow RC4 cipher suites */ #define CUPSD_SSL_ALLOW_SSL3 4 /* Allow SSL 3.0 */ - +#define CUPSD_SSL_MIN_TLS12 8 /* Deny TLS 1.1 */ /* * ServerAlias data... diff -up cups-1.6.3/scheduler/tls-openssl.c.tlsv12 cups-1.6.3/scheduler/tls-openssl.c --- cups-1.6.3/scheduler/tls-openssl.c.tlsv12 2017-12-12 14:40:02.645394110 +0100 +++ cups-1.6.3/scheduler/tls-openssl.c 2017-12-12 16:49:10.357623844 +0100 @@ -111,6 +111,9 @@ cupsdStartTLS(cupsd_client_t *con) /* I SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */ if (!(SSLOptions & CUPSD_SSL_ALLOW_RC4)) SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4"); + if ((SSLOptions & CUPSD_SSL_MIN_TLS12) || + !_cups_strcasecmp(con->http.fields[HTTP_FIELD_UPGRADE], "TLS/1.2+")) + SSL_CTX_set_cipher_list(context, "DEFAULT:!SSLv3:!TLSv1"); SSL_CTX_use_PrivateKey_file(context, ServerKey, SSL_FILETYPE_PEM); SSL_CTX_use_certificate_chain_file(context, ServerCertificate);