Re-introduce SSLOptions configuration directive, disable SSL3 by default (STR #4476).
This commit is contained in:
parent
3b2095db5b
commit
663d26f200
599
cups-str4476.patch
Normal file
599
cups-str4476.patch
Normal file
@ -0,0 +1,599 @@
|
|||||||
|
diff -up cups-2.0.0/cups/http-private.h.str4476 cups-2.0.0/cups/http-private.h
|
||||||
|
--- cups-2.0.0/cups/http-private.h.str4476 2014-08-28 17:02:00.000000000 +0100
|
||||||
|
+++ cups-2.0.0/cups/http-private.h 2014-11-07 08:56:53.793831198 +0000
|
||||||
|
@@ -161,6 +161,9 @@ extern "C" {
|
||||||
|
#define _HTTP_RESOLVE_FQDN 2 /* Resolve to a FQDN */
|
||||||
|
#define _HTTP_RESOLVE_FAXOUT 4 /* Resolve FaxOut service? */
|
||||||
|
|
||||||
|
+#define _HTTP_TLS_ALLOW_RC4 1 /* Allow RC4 cipher suites */
|
||||||
|
+#define _HTTP_TLS_ALLOW_SSL3 1 /* Allow SSL 3.0 */
|
||||||
|
+
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Types and functions for SSL support...
|
||||||
|
@@ -420,6 +423,7 @@ extern void _httpTLSInitialize(void);
|
||||||
|
extern size_t _httpTLSPending(http_t *http);
|
||||||
|
extern int _httpTLSRead(http_t *http, char *buf, int len);
|
||||||
|
extern int _httpTLSSetCredentials(http_t *http);
|
||||||
|
+extern void _httpTLSSetOptions(int options);
|
||||||
|
extern int _httpTLSStart(http_t *http);
|
||||||
|
extern void _httpTLSStop(http_t *http);
|
||||||
|
extern int _httpTLSWrite(http_t *http, const char *buf, int len);
|
||||||
|
diff -up cups-2.0.0/cups/tls-darwin.c.str4476 cups-2.0.0/cups/tls-darwin.c
|
||||||
|
--- cups-2.0.0/cups/tls-darwin.c.str4476 2014-09-23 15:56:14.000000000 +0100
|
||||||
|
+++ cups-2.0.0/cups/tls-darwin.c 2014-11-07 08:56:53.791831189 +0000
|
||||||
|
@@ -27,6 +27,14 @@ extern char **environ;
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
+ * Test define - set to 1 to use SSLSetEnabledCiphers. Currently disabled (0)
|
||||||
|
+ * because of <rdar://problem/18707430>.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#define USE_SET_ENABLED_CIPHERS 0
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
* Local globals...
|
||||||
|
*/
|
||||||
|
|
||||||
|
@@ -41,6 +49,7 @@ static char *tls_keypath = NULL;
|
||||||
|
/* Server cert keychain path */
|
||||||
|
static _cups_mutex_t tls_mutex = _CUPS_MUTEX_INITIALIZER;
|
||||||
|
/* Mutex for keychain/certs */
|
||||||
|
+static int tls_options = 0;/* Options for TLS connections */
|
||||||
|
#endif /* HAVE_SECKEYCHAINOPEN */
|
||||||
|
|
||||||
|
|
||||||
|
@@ -973,6 +982,17 @@ _httpTLSRead(http_t *http, /* I - HTTP
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
+ * '_httpTLSSetOptions()' - Set TLS protocol and cipher suite options.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+void
|
||||||
|
+_httpTLSSetOptions(int options) /* I - Options */
|
||||||
|
+{
|
||||||
|
+ tls_options = options;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
* '_httpTLSStart()' - Set up SSL/TLS support on a connection.
|
||||||
|
*/
|
||||||
|
|
||||||
|
@@ -1033,9 +1053,108 @@ _httpTLSStart(http_t *http) /* I - HTTP
|
||||||
|
{
|
||||||
|
error = SSLSetSessionOption(http->tls, kSSLSessionOptionBreakOnServerAuth,
|
||||||
|
true);
|
||||||
|
- DEBUG_printf(("4_httpTLSStart: SSLSetSessionOption, error=%d",
|
||||||
|
- (int)error));
|
||||||
|
+ DEBUG_printf(("4_httpTLSStart: SSLSetSessionOption, error=%d", (int)error));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!error)
|
||||||
|
+ {
|
||||||
|
+ error = SSLSetProtocolVersionMin(http->tls, (tls_options & _HTTP_TLS_ALLOW_SSL3) ? kSSLProtocol3 : kTLSProtocol1);
|
||||||
|
+ DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMin, error=%d", (int)error));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+# if USE_SET_ENABLED_CIPHERS
|
||||||
|
+ if (!error)
|
||||||
|
+ {
|
||||||
|
+ SSLCipherSuite supported[100]; /* Supported cipher suites */
|
||||||
|
+ size_t num_supported; /* Number of supported cipher suites */
|
||||||
|
+ SSLCipherSuite enabled[100]; /* Cipher suites to enable */
|
||||||
|
+ size_t num_enabled; /* Number of cipher suites to enable */
|
||||||
|
+
|
||||||
|
+ num_supported = sizeof(supported) / sizeof(supported[0]);
|
||||||
|
+ error = SSLGetSupportedCiphers(http->tls, supported, &num_supported);
|
||||||
|
+
|
||||||
|
+ if (!error)
|
||||||
|
+ {
|
||||||
|
+ DEBUG_printf(("4_httpTLSStart: %d cipher suites supported.", (int)num_supported));
|
||||||
|
+
|
||||||
|
+ for (i = 0, num_enabled = 0; i < (int)num_supported && num_enabled < (sizeof(enabled) / sizeof(enabled[0])); i ++)
|
||||||
|
+ {
|
||||||
|
+ switch (supported[i])
|
||||||
|
+ {
|
||||||
|
+ /* Obviously insecure cipher suites that we never want to use */
|
||||||
|
+ case SSL_NULL_WITH_NULL_NULL :
|
||||||
|
+ case SSL_RSA_WITH_NULL_MD5 :
|
||||||
|
+ case SSL_RSA_WITH_NULL_SHA :
|
||||||
|
+ case SSL_RSA_EXPORT_WITH_RC4_40_MD5 :
|
||||||
|
+ case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 :
|
||||||
|
+ case SSL_RSA_EXPORT_WITH_DES40_CBC_SHA :
|
||||||
|
+ case SSL_RSA_WITH_DES_CBC_SHA :
|
||||||
|
+ case SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA :
|
||||||
|
+ case SSL_DH_DSS_WITH_DES_CBC_SHA :
|
||||||
|
+ case SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA :
|
||||||
|
+ case SSL_DH_RSA_WITH_DES_CBC_SHA :
|
||||||
|
+ case SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA :
|
||||||
|
+ case SSL_DHE_DSS_WITH_DES_CBC_SHA :
|
||||||
|
+ case SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA :
|
||||||
|
+ case SSL_DHE_RSA_WITH_DES_CBC_SHA :
|
||||||
|
+ case SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 :
|
||||||
|
+ case SSL_DH_anon_WITH_RC4_128_MD5 :
|
||||||
|
+ case SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA :
|
||||||
|
+ case SSL_DH_anon_WITH_DES_CBC_SHA :
|
||||||
|
+ case SSL_DH_anon_WITH_3DES_EDE_CBC_SHA :
|
||||||
|
+ case SSL_FORTEZZA_DMS_WITH_NULL_SHA :
|
||||||
|
+ case TLS_DH_anon_WITH_AES_128_CBC_SHA :
|
||||||
|
+ case TLS_DH_anon_WITH_AES_256_CBC_SHA :
|
||||||
|
+ case TLS_ECDH_ECDSA_WITH_NULL_SHA :
|
||||||
|
+ case TLS_ECDHE_RSA_WITH_NULL_SHA :
|
||||||
|
+ case TLS_ECDH_anon_WITH_NULL_SHA :
|
||||||
|
+ case TLS_ECDH_anon_WITH_RC4_128_SHA :
|
||||||
|
+ case TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA :
|
||||||
|
+ case TLS_ECDH_anon_WITH_AES_128_CBC_SHA :
|
||||||
|
+ case TLS_ECDH_anon_WITH_AES_256_CBC_SHA :
|
||||||
|
+ case TLS_RSA_WITH_NULL_SHA256 :
|
||||||
|
+ case TLS_DH_anon_WITH_AES_128_CBC_SHA256 :
|
||||||
|
+ case TLS_DH_anon_WITH_AES_256_CBC_SHA256 :
|
||||||
|
+ case TLS_PSK_WITH_NULL_SHA :
|
||||||
|
+ case TLS_DHE_PSK_WITH_NULL_SHA :
|
||||||
|
+ case TLS_RSA_PSK_WITH_NULL_SHA :
|
||||||
|
+ case TLS_DH_anon_WITH_AES_128_GCM_SHA256 :
|
||||||
|
+ case TLS_DH_anon_WITH_AES_256_GCM_SHA384 :
|
||||||
|
+ case TLS_PSK_WITH_NULL_SHA256 :
|
||||||
|
+ case TLS_PSK_WITH_NULL_SHA384 :
|
||||||
|
+ case TLS_DHE_PSK_WITH_NULL_SHA256 :
|
||||||
|
+ case TLS_DHE_PSK_WITH_NULL_SHA384 :
|
||||||
|
+ case TLS_RSA_PSK_WITH_NULL_SHA256 :
|
||||||
|
+ case TLS_RSA_PSK_WITH_NULL_SHA384 :
|
||||||
|
+ case SSL_RSA_WITH_DES_CBC_MD5 :
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
+ /* RC4 cipher suites that should only be used as a last resort */
|
||||||
|
+ case SSL_RSA_WITH_RC4_128_MD5 :
|
||||||
|
+ case SSL_RSA_WITH_RC4_128_SHA :
|
||||||
|
+ case TLS_ECDH_ECDSA_WITH_RC4_128_SHA :
|
||||||
|
+ case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA :
|
||||||
|
+ case TLS_ECDH_RSA_WITH_RC4_128_SHA :
|
||||||
|
+ case TLS_ECDHE_RSA_WITH_RC4_128_SHA :
|
||||||
|
+ case TLS_PSK_WITH_RC4_128_SHA :
|
||||||
|
+ case TLS_DHE_PSK_WITH_RC4_128_SHA :
|
||||||
|
+ case TLS_RSA_PSK_WITH_RC4_128_SHA :
|
||||||
|
+ if (tls_options & _HTTP_TLS_ALLOW_RC4)
|
||||||
|
+ enabled[num_enabled ++] = supported[i];
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
+ /* Anything else we'll assume is secure */
|
||||||
|
+ default :
|
||||||
|
+ enabled[num_enabled ++] = supported[i];
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ DEBUG_printf(("4_httpTLSStart: %d cipher suites enabled.", (int)num_enabled));
|
||||||
|
+ error = SSLSetEnabledCiphers(http->tls, enabled, num_enabled);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
+#endif /* USE_SET_ENABLED_CIPHERS */
|
||||||
|
|
||||||
|
if (!error && http->mode == _HTTP_MODE_CLIENT)
|
||||||
|
{
|
||||||
|
diff -up cups-2.0.0/cups/tls-gnutls.c.str4476 cups-2.0.0/cups/tls-gnutls.c
|
||||||
|
--- cups-2.0.0/cups/tls-gnutls.c.str4476 2014-09-23 15:56:14.000000000 +0100
|
||||||
|
+++ cups-2.0.0/cups/tls-gnutls.c 2014-11-07 08:56:53.792831194 +0000
|
||||||
|
@@ -36,6 +36,7 @@ static char *tls_keypath = NULL;
|
||||||
|
/* Server cert keychain path */
|
||||||
|
static _cups_mutex_t tls_mutex = _CUPS_MUTEX_INITIALIZER;
|
||||||
|
/* Mutex for keychain/certs */
|
||||||
|
+static int tls_options = 0;/* Options for TLS connections */
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -1002,6 +1003,17 @@ _httpTLSSetCredentials(http_t *http) /*
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
+ * '_httpTLSSetOptions()' - Set TLS protocol and cipher suite options.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+void
|
||||||
|
+_httpTLSSetOptions(int options) /* I - Options */
|
||||||
|
+{
|
||||||
|
+ tls_options = options;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
* '_httpTLSStart()' - Set up SSL/TLS support on a connection.
|
||||||
|
*/
|
||||||
|
|
||||||
|
@@ -1185,6 +1197,15 @@ _httpTLSStart(http_t *http) /* I - Conn
|
||||||
|
return (-1);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (!tls_options)
|
||||||
|
+ gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128:VERS-TLS-ALL:-VERS-SSL3.0", NULL);
|
||||||
|
+ else if ((tls_options & _HTTP_TLS_ALLOW_SSL3) && (tls_options & _HTTP_TLS_ALLOW_RC4))
|
||||||
|
+ gnutls_priority_set_direct(http->tls, "NORMAL", NULL);
|
||||||
|
+ else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
|
||||||
|
+ gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128:VERS-TLS-ALL", NULL);
|
||||||
|
+ else
|
||||||
|
+ gnutls_priority_set_direct(http->tls, "NORMAL:VERS-TLS-ALL:-VERS-SSL3.0", NULL);
|
||||||
|
+
|
||||||
|
gnutls_transport_set_ptr(http->tls, (gnutls_transport_ptr_t)http);
|
||||||
|
gnutls_transport_set_pull_function(http->tls, http_gnutls_read);
|
||||||
|
#ifdef HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION
|
||||||
|
diff -up cups-2.0.0/cups/tls-sspi.c.str4476 cups-2.0.0/cups/tls-sspi.c
|
||||||
|
--- cups-2.0.0/cups/tls-sspi.c.str4476 2014-09-23 15:56:14.000000000 +0100
|
||||||
|
+++ cups-2.0.0/cups/tls-sspi.c 2014-11-07 08:56:53.790831185 +0000
|
||||||
|
@@ -1,7 +1,8 @@
|
||||||
|
/*
|
||||||
|
* "$Id: tls-sspi.c 12159 2014-09-23 14:56:14Z msweet $"
|
||||||
|
*
|
||||||
|
- * TLS support for CUPS on Windows using SSPI.
|
||||||
|
+ * TLS support for CUPS on Windows using the Security Support Provider
|
||||||
|
+ * Interface (SSPI).
|
||||||
|
*
|
||||||
|
* Copyright 2010-2014 by Apple Inc.
|
||||||
|
*
|
||||||
|
@@ -48,6 +49,14 @@
|
||||||
|
# define SECURITY_FLAG_IGNORE_CERT_DATE_INVALID 0x00002000 /* Expired X509 Cert. */
|
||||||
|
#endif /* !SECURITY_FLAG_IGNORE_CERT_DATE_INVALID */
|
||||||
|
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Local globals...
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+static int tls_options = 0;/* Options for TLS connections */
|
||||||
|
+
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Local functions...
|
||||||
|
*/
|
||||||
|
@@ -897,6 +906,17 @@ _httpTLSRead(http_t *http, /* I - HTTP
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
+ * '_httpTLSSetOptions()' - Set TLS protocol and cipher suite options.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+void
|
||||||
|
+_httpTLSSetOptions(int options) /* I - Options */
|
||||||
|
+{
|
||||||
|
+ tls_options = options;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
* '_httpTLSStart()' - Set up SSL/TLS support on a connection.
|
||||||
|
*/
|
||||||
|
|
||||||
|
@@ -1727,11 +1747,43 @@ http_sspi_find_credentials(
|
||||||
|
SchannelCred.paCred = &storedContext;
|
||||||
|
|
||||||
|
/*
|
||||||
|
- * SSPI doesn't seem to like it if grbitEnabledProtocols is set for a client.
|
||||||
|
+ * Set supported protocols (can also be overriden in the registry...)
|
||||||
|
*/
|
||||||
|
|
||||||
|
+#ifdef SP_PROT_TLS1_2_SERVER
|
||||||
|
if (http->mode == _HTTP_MODE_SERVER)
|
||||||
|
- SchannelCred.grbitEnabledProtocols = SP_PROT_SSL3TLS1;
|
||||||
|
+ {
|
||||||
|
+ if (tls_options & _HTTP_TLS_ALLOW_SSL3)
|
||||||
|
+ SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_0_SERVER | SP_PROT_SSL3_SERVER;
|
||||||
|
+ else
|
||||||
|
+ SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_0_SERVER;
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+ {
|
||||||
|
+ if (tls_options & _HTTP_TLS_ALLOW_SSL3)
|
||||||
|
+ SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_0_CLIENT | SP_PROT_SSL3_CLIENT;
|
||||||
|
+ else
|
||||||
|
+ SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_0_CLIENT;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+#else
|
||||||
|
+ if (http->mode == _HTTP_MODE_SERVER)
|
||||||
|
+ {
|
||||||
|
+ if (tls_options & _HTTP_TLS_ALLOW_SSL3)
|
||||||
|
+ SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_SERVER | SP_PROT_SSL3_SERVER;
|
||||||
|
+ else
|
||||||
|
+ SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_SERVER;
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+ {
|
||||||
|
+ if (tls_options & _HTTP_TLS_ALLOW_SSL3)
|
||||||
|
+ SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT | SP_PROT_SSL3_CLIENT;
|
||||||
|
+ else
|
||||||
|
+ SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT;
|
||||||
|
+ }
|
||||||
|
+#endif /* SP_PROT_TLS1_2_SERVER */
|
||||||
|
+
|
||||||
|
+ /* TODO: Support _HTTP_TLS_ALLOW_RC4 option; right now we'll rely on Windows registry to enable/disable RC4... */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Create an SSPI credential.
|
||||||
|
diff -up cups-2.0.0/cups/usersys.c.str4476 cups-2.0.0/cups/usersys.c
|
||||||
|
--- cups-2.0.0/cups/usersys.c.str4476 2014-08-28 16:37:22.000000000 +0100
|
||||||
|
+++ cups-2.0.0/cups/usersys.c 2014-11-07 08:56:53.791831189 +0000
|
||||||
|
@@ -52,7 +52,8 @@ static void cups_read_client_conf(cups_f
|
||||||
|
#endif /* HAVE_GSSAPI */
|
||||||
|
const char *cups_anyroot,
|
||||||
|
const char *cups_expiredcerts,
|
||||||
|
- const char *cups_validatecerts);
|
||||||
|
+ const char *cups_validatecerts,
|
||||||
|
+ int ssl_options);
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -863,6 +864,30 @@ _cupsSetDefaults(void)
|
||||||
|
if (cg->encryption == (http_encryption_t)-1 || !cg->server[0] ||
|
||||||
|
!cg->user[0] || !cg->ipp_port)
|
||||||
|
{
|
||||||
|
+ /*
|
||||||
|
+ * Look for CUPS_SERVERROOT/client.conf...
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ snprintf(filename, sizeof(filename), "%s/client.conf",
|
||||||
|
+ cg->cups_serverroot);
|
||||||
|
+ fp = cupsFileOpen(filename, "r");
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Read the configuration file and apply any environment variables; both
|
||||||
|
+ * functions handle NULL cups_file_t pointers...
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
|
||||||
|
+#ifdef HAVE_GSSAPI
|
||||||
|
+ cups_gssservicename,
|
||||||
|
+#endif /* HAVE_GSSAPI */
|
||||||
|
+ cups_anyroot, cups_expiredcerts, cups_validatecerts, 1);
|
||||||
|
+ cupsFileClose(fp);
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Then user defaults, if it is safe to do so...
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
# ifdef HAVE_GETEUID
|
||||||
|
if ((geteuid() == getuid() || !getuid()) && getegid() == getgid() && (home = getenv("HOME")) != NULL)
|
||||||
|
# elif !defined(WIN32)
|
||||||
|
@@ -877,32 +902,19 @@ _cupsSetDefaults(void)
|
||||||
|
|
||||||
|
snprintf(filename, sizeof(filename), "%s/.cups/client.conf", home);
|
||||||
|
fp = cupsFileOpen(filename, "r");
|
||||||
|
- }
|
||||||
|
- else
|
||||||
|
- fp = NULL;
|
||||||
|
|
||||||
|
- if (!fp)
|
||||||
|
- {
|
||||||
|
/*
|
||||||
|
- * Look for CUPS_SERVERROOT/client.conf...
|
||||||
|
+ * Read the configuration file and apply any environment variables; both
|
||||||
|
+ * functions handle NULL cups_file_t pointers...
|
||||||
|
*/
|
||||||
|
|
||||||
|
- snprintf(filename, sizeof(filename), "%s/client.conf",
|
||||||
|
- cg->cups_serverroot);
|
||||||
|
- fp = cupsFileOpen(filename, "r");
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /*
|
||||||
|
- * Read the configuration file and apply any environment variables; both
|
||||||
|
- * functions handle NULL cups_file_t pointers...
|
||||||
|
- */
|
||||||
|
-
|
||||||
|
- cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
|
||||||
|
+ cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
|
||||||
|
#ifdef HAVE_GSSAPI
|
||||||
|
- cups_gssservicename,
|
||||||
|
+ cups_gssservicename,
|
||||||
|
#endif /* HAVE_GSSAPI */
|
||||||
|
- cups_anyroot, cups_expiredcerts, cups_validatecerts);
|
||||||
|
- cupsFileClose(fp);
|
||||||
|
+ cups_anyroot, cups_expiredcerts, cups_validatecerts, 0);
|
||||||
|
+ cupsFileClose(fp);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -924,7 +936,8 @@ cups_read_client_conf(
|
||||||
|
#endif /* HAVE_GSSAPI */
|
||||||
|
const char *cups_anyroot, /* I - CUPS_ANYROOT env var */
|
||||||
|
const char *cups_expiredcerts, /* I - CUPS_EXPIREDCERTS env var */
|
||||||
|
- const char *cups_validatecerts)/* I - CUPS_VALIDATECERTS env var */
|
||||||
|
+ const char *cups_validatecerts,/* I - CUPS_VALIDATECERTS env var */
|
||||||
|
+ int ssl_options) /* I - Allow setting of SSLOptions? */
|
||||||
|
{
|
||||||
|
int linenum; /* Current line number */
|
||||||
|
char line[1024], /* Line from file */
|
||||||
|
@@ -996,6 +1009,43 @@ cups_read_client_conf(
|
||||||
|
cups_gssservicename = gss_service_name;
|
||||||
|
}
|
||||||
|
#endif /* HAVE_GSSAPI */
|
||||||
|
+ else if (ssl_options && !_cups_strcasecmp(line, "SSLOptions") && value)
|
||||||
|
+ {
|
||||||
|
+ /*
|
||||||
|
+ * SSLOptions [AllowRC4] [AllowSSL3] [None]
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ int options = 0; /* SSL/TLS options */
|
||||||
|
+ char *start, /* Start of option */
|
||||||
|
+ *end; /* End of option */
|
||||||
|
+
|
||||||
|
+ for (start = value; *start; start = end)
|
||||||
|
+ {
|
||||||
|
+ /*
|
||||||
|
+ * Find end of keyword...
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ end = start;
|
||||||
|
+ while (*end && !_cups_isspace(*end))
|
||||||
|
+ end ++;
|
||||||
|
+
|
||||||
|
+ if (*end)
|
||||||
|
+ *end++ = '\0';
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Compare...
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ if (!_cups_strcasecmp(start, "AllowRC4"))
|
||||||
|
+ options |= _HTTP_TLS_ALLOW_RC4;
|
||||||
|
+ else if (!_cups_strcasecmp(start, "AllowSSL3"))
|
||||||
|
+ options |= _HTTP_TLS_ALLOW_SSL3;
|
||||||
|
+ else if (!_cups_strcasecmp(start, "None"))
|
||||||
|
+ options = 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ _httpTLSSetOptions(options);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
diff -up cups-2.0.0/doc/help/man-client.conf.html.str4476 cups-2.0.0/doc/help/man-client.conf.html
|
||||||
|
--- cups-2.0.0/doc/help/man-client.conf.html.str4476 2014-05-23 03:45:48.000000000 +0100
|
||||||
|
+++ cups-2.0.0/doc/help/man-client.conf.html 2014-11-07 08:56:53.787831171 +0000
|
||||||
|
@@ -38,6 +38,12 @@ CUPS adds the remote hostname ("name@ser
|
||||||
|
<b>Note: This directive it not supported on OS X 10.7 or later.</b>
|
||||||
|
<dt><b>ServerName </b><i>hostname-or-ip-address</i>[<i>:port</i>]<b>/version=1.1</b>
|
||||||
|
<dd style="margin-left: 5.0em">Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.
|
||||||
|
+<dt><b>SSLOptions </b>[<i>AllowRC4</i>] [<i>AllowSSL3</i>]
|
||||||
|
+<dd style="margin-left: 5.0em"><dt><b>SSLOptions None</b>
|
||||||
|
+<dd style="margin-left: 5.0em">Sets encryption options (only in /etc/cups/client.conf).
|
||||||
|
+By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
|
||||||
|
+The <i>AllowRC4</i> option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones.
|
||||||
|
+The <i>AllowSSL3</i> option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
|
||||||
|
<dt><b>User </b><i>name</i>
|
||||||
|
<dd style="margin-left: 5.0em">Specifies the default user name to use for requests.
|
||||||
|
<dt><b>ValidateCerts Yes</b>
|
||||||
|
diff -up cups-2.0.0/doc/help/man-cupsd.conf.html.str4476 cups-2.0.0/doc/help/man-cupsd.conf.html
|
||||||
|
--- cups-2.0.0/doc/help/man-cupsd.conf.html.str4476 2014-07-31 01:58:00.000000000 +0100
|
||||||
|
+++ cups-2.0.0/doc/help/man-cupsd.conf.html 2014-11-07 08:56:53.788831175 +0000
|
||||||
|
@@ -303,6 +303,12 @@ The default is "Minimal".
|
||||||
|
<dd style="margin-left: 5.0em"><dt><b>SSLListen [</b><i>ipv6-address</i><b>]:</b><i>port</i>
|
||||||
|
<dd style="margin-left: 5.0em"><dt><b>SSLListen *:</b><i>port</i>
|
||||||
|
<dd style="margin-left: 5.0em">Listens on the specified address and port for encrypted connections.
|
||||||
|
+<dt><b>SSLOptions </b>[<i>AllowRC4</i>] [<i>AllowSSL3</i>]
|
||||||
|
+<dd style="margin-left: 5.0em"><dt><b>SSLOptions None</b>
|
||||||
|
+<dd style="margin-left: 5.0em">Sets encryption options.
|
||||||
|
+By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
|
||||||
|
+The <i>AllowRC4</i> option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones.
|
||||||
|
+The <i>AllowSSL3</i> option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
|
||||||
|
<dt><b>SSLPort </b><i>port</i>
|
||||||
|
<dd style="margin-left: 5.0em">Listens on the specified port for encrypted connections.
|
||||||
|
<dt><b>StrictConformance Yes</b>
|
||||||
|
diff -up cups-2.0.0/man/client.conf.man.in.str4476 cups-2.0.0/man/client.conf.man.in
|
||||||
|
--- cups-2.0.0/man/client.conf.man.in.str4476 2014-05-08 00:55:35.000000000 +0100
|
||||||
|
+++ cups-2.0.0/man/client.conf.man.in 2014-11-07 08:56:53.794831203 +0000
|
||||||
|
@@ -12,7 +12,7 @@
|
||||||
|
.\" which should have been included with this file. If this file is
|
||||||
|
.\" file is missing or damaged, see the license at "http://www.cups.org/".
|
||||||
|
.\"
|
||||||
|
-.TH client.conf 5 "CUPS" "7 May 2014" "Apple Inc."
|
||||||
|
+.TH client.conf 5 "CUPS" "20 October 2014" "Apple Inc."
|
||||||
|
.SH NAME
|
||||||
|
client.conf \- client configuration file for cups (deprecated)
|
||||||
|
.SH DESCRIPTION
|
||||||
|
@@ -56,6 +56,14 @@ Specifies the address and optionally the
|
||||||
|
\fBServerName \fIhostname-or-ip-address\fR[\fI:port\fR]\fB/version=1.1\fR
|
||||||
|
Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.
|
||||||
|
.TP 5
|
||||||
|
+\fBSSLOptions \fR[\fIAllowRC4\fR] [\fIAllowSSL3\fR]
|
||||||
|
+.TP 5
|
||||||
|
+\fBSSLOptions None\fR
|
||||||
|
+Sets encryption options (only in /etc/cups/client.conf).
|
||||||
|
+By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
|
||||||
|
+The \fIAllowRC4\fR option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones.
|
||||||
|
+The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
|
||||||
|
+.TP 5
|
||||||
|
\fBUser \fIname\fR
|
||||||
|
Specifies the default user name to use for requests.
|
||||||
|
.TP 5
|
||||||
|
diff -up cups-2.0.0/man/cupsd.conf.man.in.str4476 cups-2.0.0/man/cupsd.conf.man.in
|
||||||
|
--- cups-2.0.0/man/cupsd.conf.man.in.str4476 2014-07-28 15:04:32.000000000 +0100
|
||||||
|
+++ cups-2.0.0/man/cupsd.conf.man.in 2014-11-07 08:56:53.794831203 +0000
|
||||||
|
@@ -12,7 +12,7 @@
|
||||||
|
.\" which should have been included with this file. If this file is
|
||||||
|
.\" file is missing or damaged, see the license at "http://www.cups.org/".
|
||||||
|
.\"
|
||||||
|
-.TH cupsd.conf 5 "CUPS" "28 July 2014" "Apple Inc."
|
||||||
|
+.TH cupsd.conf 5 "CUPS" "20 October 2014" "Apple Inc."
|
||||||
|
.SH NAME
|
||||||
|
cupsd.conf \- server configuration file for cups
|
||||||
|
.SH DESCRIPTION
|
||||||
|
@@ -415,6 +415,14 @@ Set the specified environment variable t
|
||||||
|
\fBSSLListen *:\fIport\fR
|
||||||
|
Listens on the specified address and port for encrypted connections.
|
||||||
|
.TP 5
|
||||||
|
+\fBSSLOptions \fR[\fIAllowRC4\fR] [\fIAllowSSL3\fR]
|
||||||
|
+.TP 5
|
||||||
|
+\fBSSLOptions None\fR
|
||||||
|
+Sets encryption options.
|
||||||
|
+By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
|
||||||
|
+The \fIAllowRC4\fR option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones.
|
||||||
|
+The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
|
||||||
|
+.TP 5
|
||||||
|
\fBSSLPort \fIport\fR
|
||||||
|
Listens on the specified port for encrypted connections.
|
||||||
|
.TP 5
|
||||||
|
diff -up cups-2.0.0/scheduler/conf.c.str4476 cups-2.0.0/scheduler/conf.c
|
||||||
|
--- cups-2.0.0/scheduler/conf.c.str4476 2014-09-30 19:56:48.000000000 +0100
|
||||||
|
+++ cups-2.0.0/scheduler/conf.c 2014-11-07 08:56:53.796831212 +0000
|
||||||
|
@@ -596,6 +596,8 @@ cupsdReadConfiguration(void)
|
||||||
|
# else
|
||||||
|
cupsdSetString(&ServerKeychain, "/Library/Keychains/System.keychain");
|
||||||
|
# endif /* HAVE_GNUTLS */
|
||||||
|
+
|
||||||
|
+ _httpTLSSetOptions(0);
|
||||||
|
#endif /* HAVE_SSL */
|
||||||
|
|
||||||
|
language = cupsLangDefault();
|
||||||
|
@@ -2929,6 +2931,49 @@ read_cupsd_conf(cups_file_t *fp) /* I -
|
||||||
|
"FaxRetryLimit is deprecated; use "
|
||||||
|
"JobRetryLimit on line %d.", linenum);
|
||||||
|
}
|
||||||
|
+ else if (!_cups_strcasecmp(line, "SSLOptions"))
|
||||||
|
+ {
|
||||||
|
+ /*
|
||||||
|
+ * SSLOptions [AllowRC4] [AllowSSL3] [None]
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ int options = 0; /* SSL/TLS options */
|
||||||
|
+
|
||||||
|
+ if (value)
|
||||||
|
+ {
|
||||||
|
+ char *start, /* Start of option */
|
||||||
|
+ *end; /* End of option */
|
||||||
|
+
|
||||||
|
+ for (start = value; *start; start = end)
|
||||||
|
+ {
|
||||||
|
+ /*
|
||||||
|
+ * Find end of keyword...
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ end = start;
|
||||||
|
+ while (*end && !_cups_isspace(*end))
|
||||||
|
+ end ++;
|
||||||
|
+
|
||||||
|
+ if (*end)
|
||||||
|
+ *end++ = '\0';
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Compare...
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ if (!_cups_strcasecmp(start, "AllowRC4"))
|
||||||
|
+ options |= _HTTP_TLS_ALLOW_RC4;
|
||||||
|
+ else if (!_cups_strcasecmp(start, "AllowSSL3"))
|
||||||
|
+ options |= _HTTP_TLS_ALLOW_SSL3;
|
||||||
|
+ else if (!_cups_strcasecmp(start, "None"))
|
||||||
|
+ options = 0;
|
||||||
|
+ else if (_cups_strcasecmp(start, "NoEmptyFragments"))
|
||||||
|
+ cupsdLogMessage(CUPSD_LOG_WARN, "Unknown SSL option %s at line %d.", start, linenum);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ _httpTLSSetOptions(options);
|
||||||
|
+ }
|
||||||
|
else if ((!_cups_strcasecmp(line, "Port") || !_cups_strcasecmp(line, "Listen")
|
||||||
|
#ifdef HAVE_SSL
|
||||||
|
|| !_cups_strcasecmp(line, "SSLPort") || !_cups_strcasecmp(line, "SSLListen")
|
@ -30,7 +30,7 @@ Source8: macros.cups
|
|||||||
Patch1: cups-no-gzip-man.patch
|
Patch1: cups-no-gzip-man.patch
|
||||||
Patch2: cups-system-auth.patch
|
Patch2: cups-system-auth.patch
|
||||||
Patch3: cups-multilib.patch
|
Patch3: cups-multilib.patch
|
||||||
|
Patch4: cups-str4476.patch
|
||||||
Patch5: cups-banners.patch
|
Patch5: cups-banners.patch
|
||||||
Patch6: cups-serverbin-compat.patch
|
Patch6: cups-serverbin-compat.patch
|
||||||
Patch7: cups-no-export-ssllibs.patch
|
Patch7: cups-no-export-ssllibs.patch
|
||||||
@ -196,7 +196,9 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
|
|||||||
%patch2 -p1 -b .system-auth
|
%patch2 -p1 -b .system-auth
|
||||||
# Prevent multilib conflict in cups-config script.
|
# Prevent multilib conflict in cups-config script.
|
||||||
%patch3 -p1 -b .multilib
|
%patch3 -p1 -b .multilib
|
||||||
|
# Re-introduce SSLOptions configuration directive, disable SSL3 by
|
||||||
|
# default (STR #4476).
|
||||||
|
%patch4 -p1 -b .str4476
|
||||||
# Ignore rpm save/new files in the banners directory.
|
# Ignore rpm save/new files in the banners directory.
|
||||||
%patch5 -p1 -b .banners
|
%patch5 -p1 -b .banners
|
||||||
# Use compatibility fallback path for ServerBin.
|
# Use compatibility fallback path for ServerBin.
|
||||||
@ -617,6 +619,8 @@ rm -f %{cups_serverbin}/backend/smb
|
|||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Fri Nov 7 2014 Tim Waugh <twaugh@redhat.com> - 1:2.0.0-12
|
* Fri Nov 7 2014 Tim Waugh <twaugh@redhat.com> - 1:2.0.0-12
|
||||||
|
- Re-introduce SSLOptions configuration directive, disable SSL3 by
|
||||||
|
default (STR #4476).
|
||||||
- Enable SSL again via GnuTLS (bug #1161235).
|
- Enable SSL again via GnuTLS (bug #1161235).
|
||||||
|
|
||||||
* Thu Nov 6 2014 Tim Waugh <twaugh@redhat.com> - 1:2.0.0-11
|
* Thu Nov 6 2014 Tim Waugh <twaugh@redhat.com> - 1:2.0.0-11
|
||||||
|
Loading…
Reference in New Issue
Block a user