diff --git a/cups-str4476.patch b/cups-str4476.patch
new file mode 100644
index 0000000..a7a28bf
--- /dev/null
+++ b/cups-str4476.patch
@@ -0,0 +1,599 @@ +diff -up cups-2.0.0/cups/http-private.h.str4476 cups-2.0.0/cups/http-private.h +--- cups-2.0.0/cups/http-private.h.str4476 2014-08-28 17:02:00.000000000 +0100 ++++ cups-2.0.0/cups/http-private.h 2014-11-07 08:56:53.793831198 +0000 +@@ -161,6 +161,9 @@ extern "C" { + #define _HTTP_RESOLVE_FQDN 2 /* Resolve to a FQDN */ + #define _HTTP_RESOLVE_FAXOUT 4 /* Resolve FaxOut service? */ + ++#define _HTTP_TLS_ALLOW_RC4 1 /* Allow RC4 cipher suites */ ++#define _HTTP_TLS_ALLOW_SSL3 1 /* Allow SSL 3.0 */ ++ + + /* + * Types and functions for SSL support... +@@ -420,6 +423,7 @@ extern void _httpTLSInitialize(void); + extern size_t _httpTLSPending(http_t *http); + extern int _httpTLSRead(http_t *http, char *buf, int len); + extern int _httpTLSSetCredentials(http_t *http); ++extern void _httpTLSSetOptions(int options); + extern int _httpTLSStart(http_t *http); + extern void _httpTLSStop(http_t *http); + extern int _httpTLSWrite(http_t *http, const char *buf, int len); +diff -up cups-2.0.0/cups/tls-darwin.c.str4476 cups-2.0.0/cups/tls-darwin.c +--- cups-2.0.0/cups/tls-darwin.c.str4476 2014-09-23 15:56:14.000000000 +0100 ++++ cups-2.0.0/cups/tls-darwin.c 2014-11-07 08:56:53.791831189 +0000 +@@ -27,6 +27,14 @@ extern char **environ; + + + /* ++ * Test define - set to 1 to use SSLSetEnabledCiphers. Currently disabled (0) ++ * because of . ++ */ ++ ++#define USE_SET_ENABLED_CIPHERS 0 ++ ++ ++/* + * Local globals... + */ + +@@ -41,6 +49,7 @@ static char *tls_keypath = NULL; + /* Server cert keychain path */ + static _cups_mutex_t tls_mutex = _CUPS_MUTEX_INITIALIZER; + /* Mutex for keychain/certs */ ++static int tls_options = 0;/* Options for TLS connections */ + #endif /* HAVE_SECKEYCHAINOPEN */ + + +@@ -973,6 +982,17 @@ _httpTLSRead(http_t *http, /* I - HTTP + + + /* ++ * '_httpTLSSetOptions()' - Set TLS protocol and cipher suite options. 
++ */ ++ ++void ++_httpTLSSetOptions(int options) /* I - Options */ ++{ ++ tls_options = options; ++} ++ ++ ++/* + * '_httpTLSStart()' - Set up SSL/TLS support on a connection. + */ + +@@ -1033,9 +1053,108 @@ _httpTLSStart(http_t *http) /* I - HTTP + { + error = SSLSetSessionOption(http->tls, kSSLSessionOptionBreakOnServerAuth, + true); +- DEBUG_printf(("4_httpTLSStart: SSLSetSessionOption, error=%d", +- (int)error)); ++ DEBUG_printf(("4_httpTLSStart: SSLSetSessionOption, error=%d", (int)error)); ++ } ++ ++ if (!error) ++ { ++ error = SSLSetProtocolVersionMin(http->tls, (tls_options & _HTTP_TLS_ALLOW_SSL3) ? kSSLProtocol3 : kTLSProtocol1); ++ DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMin, error=%d", (int)error)); ++ } ++ ++# if USE_SET_ENABLED_CIPHERS ++ if (!error) ++ { ++ SSLCipherSuite supported[100]; /* Supported cipher suites */ ++ size_t num_supported; /* Number of supported cipher suites */ ++ SSLCipherSuite enabled[100]; /* Cipher suites to enable */ ++ size_t num_enabled; /* Number of cipher suites to enable */ ++ ++ num_supported = sizeof(supported) / sizeof(supported[0]); ++ error = SSLGetSupportedCiphers(http->tls, supported, &num_supported); ++ ++ if (!error) ++ { ++ DEBUG_printf(("4_httpTLSStart: %d cipher suites supported.", (int)num_supported)); ++ ++ for (i = 0, num_enabled = 0; i < (int)num_supported && num_enabled < (sizeof(enabled) / sizeof(enabled[0])); i ++) ++ { ++ switch (supported[i]) ++ { ++ /* Obviously insecure cipher suites that we never want to use */ ++ case SSL_NULL_WITH_NULL_NULL : ++ case SSL_RSA_WITH_NULL_MD5 : ++ case SSL_RSA_WITH_NULL_SHA : ++ case SSL_RSA_EXPORT_WITH_RC4_40_MD5 : ++ case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 : ++ case SSL_RSA_EXPORT_WITH_DES40_CBC_SHA : ++ case SSL_RSA_WITH_DES_CBC_SHA : ++ case SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA : ++ case SSL_DH_DSS_WITH_DES_CBC_SHA : ++ case SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA : ++ case SSL_DH_RSA_WITH_DES_CBC_SHA : ++ case SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA : ++ 
case SSL_DHE_DSS_WITH_DES_CBC_SHA : ++ case SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA : ++ case SSL_DHE_RSA_WITH_DES_CBC_SHA : ++ case SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 : ++ case SSL_DH_anon_WITH_RC4_128_MD5 : ++ case SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA : ++ case SSL_DH_anon_WITH_DES_CBC_SHA : ++ case SSL_DH_anon_WITH_3DES_EDE_CBC_SHA : ++ case SSL_FORTEZZA_DMS_WITH_NULL_SHA : ++ case TLS_DH_anon_WITH_AES_128_CBC_SHA : ++ case TLS_DH_anon_WITH_AES_256_CBC_SHA : ++ case TLS_ECDH_ECDSA_WITH_NULL_SHA : ++ case TLS_ECDHE_RSA_WITH_NULL_SHA : ++ case TLS_ECDH_anon_WITH_NULL_SHA : ++ case TLS_ECDH_anon_WITH_RC4_128_SHA : ++ case TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA : ++ case TLS_ECDH_anon_WITH_AES_128_CBC_SHA : ++ case TLS_ECDH_anon_WITH_AES_256_CBC_SHA : ++ case TLS_RSA_WITH_NULL_SHA256 : ++ case TLS_DH_anon_WITH_AES_128_CBC_SHA256 : ++ case TLS_DH_anon_WITH_AES_256_CBC_SHA256 : ++ case TLS_PSK_WITH_NULL_SHA : ++ case TLS_DHE_PSK_WITH_NULL_SHA : ++ case TLS_RSA_PSK_WITH_NULL_SHA : ++ case TLS_DH_anon_WITH_AES_128_GCM_SHA256 : ++ case TLS_DH_anon_WITH_AES_256_GCM_SHA384 : ++ case TLS_PSK_WITH_NULL_SHA256 : ++ case TLS_PSK_WITH_NULL_SHA384 : ++ case TLS_DHE_PSK_WITH_NULL_SHA256 : ++ case TLS_DHE_PSK_WITH_NULL_SHA384 : ++ case TLS_RSA_PSK_WITH_NULL_SHA256 : ++ case TLS_RSA_PSK_WITH_NULL_SHA384 : ++ case SSL_RSA_WITH_DES_CBC_MD5 : ++ break; ++ ++ /* RC4 cipher suites that should only be used as a last resort */ ++ case SSL_RSA_WITH_RC4_128_MD5 : ++ case SSL_RSA_WITH_RC4_128_SHA : ++ case TLS_ECDH_ECDSA_WITH_RC4_128_SHA : ++ case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA : ++ case TLS_ECDH_RSA_WITH_RC4_128_SHA : ++ case TLS_ECDHE_RSA_WITH_RC4_128_SHA : ++ case TLS_PSK_WITH_RC4_128_SHA : ++ case TLS_DHE_PSK_WITH_RC4_128_SHA : ++ case TLS_RSA_PSK_WITH_RC4_128_SHA : ++ if (tls_options & _HTTP_TLS_ALLOW_RC4) ++ enabled[num_enabled ++] = supported[i]; ++ break; ++ ++ /* Anything else we'll assume is secure */ ++ default : ++ enabled[num_enabled ++] = supported[i]; ++ break; ++ } ++ } ++ ++ 
DEBUG_printf(("4_httpTLSStart: %d cipher suites enabled.", (int)num_enabled)); ++ error = SSLSetEnabledCiphers(http->tls, enabled, num_enabled); ++ } + } ++#endif /* USE_SET_ENABLED_CIPHERS */ + + if (!error && http->mode == _HTTP_MODE_CLIENT) + { +diff -up cups-2.0.0/cups/tls-gnutls.c.str4476 cups-2.0.0/cups/tls-gnutls.c +--- cups-2.0.0/cups/tls-gnutls.c.str4476 2014-09-23 15:56:14.000000000 +0100 ++++ cups-2.0.0/cups/tls-gnutls.c 2014-11-07 08:56:53.792831194 +0000 +@@ -36,6 +36,7 @@ static char *tls_keypath = NULL; + /* Server cert keychain path */ + static _cups_mutex_t tls_mutex = _CUPS_MUTEX_INITIALIZER; + /* Mutex for keychain/certs */ ++static int tls_options = 0;/* Options for TLS connections */ + + + /* +@@ -1002,6 +1003,17 @@ _httpTLSSetCredentials(http_t *http) /* + + + /* ++ * '_httpTLSSetOptions()' - Set TLS protocol and cipher suite options. ++ */ ++ ++void ++_httpTLSSetOptions(int options) /* I - Options */ ++{ ++ tls_options = options; ++} ++ ++ ++/* + * '_httpTLSStart()' - Set up SSL/TLS support on a connection. 
+ */ + +@@ -1185,6 +1197,15 @@ _httpTLSStart(http_t *http) /* I - Conn + return (-1); + } + ++ if (!tls_options) ++ gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128:VERS-TLS-ALL:-VERS-SSL3.0", NULL); ++ else if ((tls_options & _HTTP_TLS_ALLOW_SSL3) && (tls_options & _HTTP_TLS_ALLOW_RC4)) ++ gnutls_priority_set_direct(http->tls, "NORMAL", NULL); ++ else if (tls_options & _HTTP_TLS_ALLOW_SSL3) ++ gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128:VERS-TLS-ALL", NULL); ++ else ++ gnutls_priority_set_direct(http->tls, "NORMAL:VERS-TLS-ALL:-VERS-SSL3.0", NULL); ++ + gnutls_transport_set_ptr(http->tls, (gnutls_transport_ptr_t)http); + gnutls_transport_set_pull_function(http->tls, http_gnutls_read); + #ifdef HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION +diff -up cups-2.0.0/cups/tls-sspi.c.str4476 cups-2.0.0/cups/tls-sspi.c +--- cups-2.0.0/cups/tls-sspi.c.str4476 2014-09-23 15:56:14.000000000 +0100 ++++ cups-2.0.0/cups/tls-sspi.c 2014-11-07 08:56:53.790831185 +0000 +@@ -1,7 +1,8 @@ + /* + * "$Id: tls-sspi.c 12159 2014-09-23 14:56:14Z msweet $" + * +- * TLS support for CUPS on Windows using SSPI. ++ * TLS support for CUPS on Windows using the Security Support Provider ++ * Interface (SSPI). + * + * Copyright 2010-2014 by Apple Inc. + * +@@ -48,6 +49,14 @@ + # define SECURITY_FLAG_IGNORE_CERT_DATE_INVALID 0x00002000 /* Expired X509 Cert. */ + #endif /* !SECURITY_FLAG_IGNORE_CERT_DATE_INVALID */ + ++ ++/* ++ * Local globals... ++ */ ++ ++static int tls_options = 0;/* Options for TLS connections */ ++ ++ + /* + * Local functions... + */ +@@ -897,6 +906,17 @@ _httpTLSRead(http_t *http, /* I - HTTP + + + /* ++ * '_httpTLSSetOptions()' - Set TLS protocol and cipher suite options. ++ */ ++ ++void ++_httpTLSSetOptions(int options) /* I - Options */ ++{ ++ tls_options = options; ++} ++ ++ ++/* + * '_httpTLSStart()' - Set up SSL/TLS support on a connection. 
+ */ + +@@ -1727,11 +1747,43 @@ http_sspi_find_credentials( + SchannelCred.paCred = &storedContext; + + /* +- * SSPI doesn't seem to like it if grbitEnabledProtocols is set for a client. ++ * Set supported protocols (can also be overriden in the registry...) + */ + ++#ifdef SP_PROT_TLS1_2_SERVER + if (http->mode == _HTTP_MODE_SERVER) +- SchannelCred.grbitEnabledProtocols = SP_PROT_SSL3TLS1; ++ { ++ if (tls_options & _HTTP_TLS_ALLOW_SSL3) ++ SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_0_SERVER | SP_PROT_SSL3_SERVER; ++ else ++ SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_0_SERVER; ++ } ++ else ++ { ++ if (tls_options & _HTTP_TLS_ALLOW_SSL3) ++ SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_0_CLIENT | SP_PROT_SSL3_CLIENT; ++ else ++ SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_0_CLIENT; ++ } ++ ++#else ++ if (http->mode == _HTTP_MODE_SERVER) ++ { ++ if (tls_options & _HTTP_TLS_ALLOW_SSL3) ++ SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_SERVER | SP_PROT_SSL3_SERVER; ++ else ++ SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_SERVER; ++ } ++ else ++ { ++ if (tls_options & _HTTP_TLS_ALLOW_SSL3) ++ SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT | SP_PROT_SSL3_CLIENT; ++ else ++ SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT; ++ } ++#endif /* SP_PROT_TLS1_2_SERVER */ ++ ++ /* TODO: Support _HTTP_TLS_ALLOW_RC4 option; right now we'll rely on Windows registry to enable/disable RC4... */ + + /* + * Create an SSPI credential. 
+diff -up cups-2.0.0/cups/usersys.c.str4476 cups-2.0.0/cups/usersys.c +--- cups-2.0.0/cups/usersys.c.str4476 2014-08-28 16:37:22.000000000 +0100 ++++ cups-2.0.0/cups/usersys.c 2014-11-07 08:56:53.791831189 +0000 +@@ -52,7 +52,8 @@ static void cups_read_client_conf(cups_f + #endif /* HAVE_GSSAPI */ + const char *cups_anyroot, + const char *cups_expiredcerts, +- const char *cups_validatecerts); ++ const char *cups_validatecerts, ++ int ssl_options); + + + /* +@@ -863,6 +864,30 @@ _cupsSetDefaults(void) + if (cg->encryption == (http_encryption_t)-1 || !cg->server[0] || + !cg->user[0] || !cg->ipp_port) + { ++ /* ++ * Look for CUPS_SERVERROOT/client.conf... ++ */ ++ ++ snprintf(filename, sizeof(filename), "%s/client.conf", ++ cg->cups_serverroot); ++ fp = cupsFileOpen(filename, "r"); ++ ++ /* ++ * Read the configuration file and apply any environment variables; both ++ * functions handle NULL cups_file_t pointers... ++ */ ++ ++ cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user, ++#ifdef HAVE_GSSAPI ++ cups_gssservicename, ++#endif /* HAVE_GSSAPI */ ++ cups_anyroot, cups_expiredcerts, cups_validatecerts, 1); ++ cupsFileClose(fp); ++ ++ /* ++ * Then user defaults, if it is safe to do so... ++ */ ++ + # ifdef HAVE_GETEUID + if ((geteuid() == getuid() || !getuid()) && getegid() == getgid() && (home = getenv("HOME")) != NULL) + # elif !defined(WIN32) +@@ -877,32 +902,19 @@ _cupsSetDefaults(void) + + snprintf(filename, sizeof(filename), "%s/.cups/client.conf", home); + fp = cupsFileOpen(filename, "r"); +- } +- else +- fp = NULL; + +- if (!fp) +- { + /* +- * Look for CUPS_SERVERROOT/client.conf... ++ * Read the configuration file and apply any environment variables; both ++ * functions handle NULL cups_file_t pointers... 
+ */ + +- snprintf(filename, sizeof(filename), "%s/client.conf", +- cg->cups_serverroot); +- fp = cupsFileOpen(filename, "r"); +- } +- +- /* +- * Read the configuration file and apply any environment variables; both +- * functions handle NULL cups_file_t pointers... +- */ +- +- cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user, ++ cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user, + #ifdef HAVE_GSSAPI +- cups_gssservicename, ++ cups_gssservicename, + #endif /* HAVE_GSSAPI */ +- cups_anyroot, cups_expiredcerts, cups_validatecerts); +- cupsFileClose(fp); ++ cups_anyroot, cups_expiredcerts, cups_validatecerts, 0); ++ cupsFileClose(fp); ++ } + } + } + +@@ -924,7 +936,8 @@ cups_read_client_conf( + #endif /* HAVE_GSSAPI */ + const char *cups_anyroot, /* I - CUPS_ANYROOT env var */ + const char *cups_expiredcerts, /* I - CUPS_EXPIREDCERTS env var */ +- const char *cups_validatecerts)/* I - CUPS_VALIDATECERTS env var */ ++ const char *cups_validatecerts,/* I - CUPS_VALIDATECERTS env var */ ++ int ssl_options) /* I - Allow setting of SSLOptions? */ + { + int linenum; /* Current line number */ + char line[1024], /* Line from file */ +@@ -996,6 +1009,43 @@ cups_read_client_conf( + cups_gssservicename = gss_service_name; + } + #endif /* HAVE_GSSAPI */ ++ else if (ssl_options && !_cups_strcasecmp(line, "SSLOptions") && value) ++ { ++ /* ++ * SSLOptions [AllowRC4] [AllowSSL3] [None] ++ */ ++ ++ int options = 0; /* SSL/TLS options */ ++ char *start, /* Start of option */ ++ *end; /* End of option */ ++ ++ for (start = value; *start; start = end) ++ { ++ /* ++ * Find end of keyword... ++ */ ++ ++ end = start; ++ while (*end && !_cups_isspace(*end)) ++ end ++; ++ ++ if (*end) ++ *end++ = '\0'; ++ ++ /* ++ * Compare... 
++ */ ++ ++ if (!_cups_strcasecmp(start, "AllowRC4")) ++ options |= _HTTP_TLS_ALLOW_RC4; ++ else if (!_cups_strcasecmp(start, "AllowSSL3")) ++ options |= _HTTP_TLS_ALLOW_SSL3; ++ else if (!_cups_strcasecmp(start, "None")) ++ options = 0; ++ } ++ ++ _httpTLSSetOptions(options); ++ } + } + + /* +diff -up cups-2.0.0/doc/help/man-client.conf.html.str4476 cups-2.0.0/doc/help/man-client.conf.html +--- cups-2.0.0/doc/help/man-client.conf.html.str4476 2014-05-23 03:45:48.000000000 +0100 ++++ cups-2.0.0/doc/help/man-client.conf.html 2014-11-07 08:56:53.787831171 +0000 +@@ -38,6 +38,12 @@ CUPS adds the remote hostname ("name@ser + Note: This directive it not supported on OS X 10.7 or later. +
ServerName hostname-or-ip-address[:port]/version=1.1 +
Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier. ++
SSLOptions [AllowRC4] [AllowSSL3] ++
SSLOptions None ++
Sets encryption options (only in /etc/cups/client.conf). ++By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. ++The AllowRC4 option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones. ++The AllowSSL3 option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0. +
User name +
Specifies the default user name to use for requests. +
ValidateCerts Yes +diff -up cups-2.0.0/doc/help/man-cupsd.conf.html.str4476 cups-2.0.0/doc/help/man-cupsd.conf.html +--- cups-2.0.0/doc/help/man-cupsd.conf.html.str4476 2014-07-31 01:58:00.000000000 +0100 ++++ cups-2.0.0/doc/help/man-cupsd.conf.html 2014-11-07 08:56:53.788831175 +0000 +@@ -303,6 +303,12 @@ The default is "Minimal". +
SSLListen [ipv6-address]:port +
SSLListen *:port +
Listens on the specified address and port for encrypted connections. ++
SSLOptions [AllowRC4] [AllowSSL3] ++
SSLOptions None ++
Sets encryption options. ++By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. ++The AllowRC4 option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones. ++The AllowSSL3 option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0. +
SSLPort port +
Listens on the specified port for encrypted connections. +
StrictConformance Yes +diff -up cups-2.0.0/man/client.conf.man.in.str4476 cups-2.0.0/man/client.conf.man.in +--- cups-2.0.0/man/client.conf.man.in.str4476 2014-05-08 00:55:35.000000000 +0100 ++++ cups-2.0.0/man/client.conf.man.in 2014-11-07 08:56:53.794831203 +0000 +@@ -12,7 +12,7 @@ + .\" which should have been included with this file. If this file is + .\" file is missing or damaged, see the license at "http://www.cups.org/". + .\" +-.TH client.conf 5 "CUPS" "7 May 2014" "Apple Inc." ++.TH client.conf 5 "CUPS" "20 October 2014" "Apple Inc." + .SH NAME + client.conf \- client configuration file for cups (deprecated) + .SH DESCRIPTION +@@ -56,6 +56,14 @@ Specifies the address and optionally the + \fBServerName \fIhostname-or-ip-address\fR[\fI:port\fR]\fB/version=1.1\fR + Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier. + .TP 5 ++\fBSSLOptions \fR[\fIAllowRC4\fR] [\fIAllowSSL3\fR] ++.TP 5 ++\fBSSLOptions None\fR ++Sets encryption options (only in /etc/cups/client.conf). ++By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. ++The \fIAllowRC4\fR option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones. ++The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0. ++.TP 5 + \fBUser \fIname\fR + Specifies the default user name to use for requests. + .TP 5 +diff -up cups-2.0.0/man/cupsd.conf.man.in.str4476 cups-2.0.0/man/cupsd.conf.man.in +--- cups-2.0.0/man/cupsd.conf.man.in.str4476 2014-07-28 15:04:32.000000000 +0100 ++++ cups-2.0.0/man/cupsd.conf.man.in 2014-11-07 08:56:53.794831203 +0000 +@@ -12,7 +12,7 @@ + .\" which should have been included with this file. If this file is + .\" file is missing or damaged, see the license at "http://www.cups.org/". + .\" +-.TH cupsd.conf 5 "CUPS" "28 July 2014" "Apple Inc." 
++.TH cupsd.conf 5 "CUPS" "20 October 2014" "Apple Inc." + .SH NAME + cupsd.conf \- server configuration file for cups + .SH DESCRIPTION +@@ -415,6 +415,14 @@ Set the specified environment variable t + \fBSSLListen *:\fIport\fR + Listens on the specified address and port for encrypted connections. + .TP 5 ++\fBSSLOptions \fR[\fIAllowRC4\fR] [\fIAllowSSL3\fR] ++.TP 5 ++\fBSSLOptions None\fR ++Sets encryption options. ++By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. ++The \fIAllowRC4\fR option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones. ++The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0. ++.TP 5 + \fBSSLPort \fIport\fR + Listens on the specified port for encrypted connections. + .TP 5 +diff -up cups-2.0.0/scheduler/conf.c.str4476 cups-2.0.0/scheduler/conf.c +--- cups-2.0.0/scheduler/conf.c.str4476 2014-09-30 19:56:48.000000000 +0100 ++++ cups-2.0.0/scheduler/conf.c 2014-11-07 08:56:53.796831212 +0000 +@@ -596,6 +596,8 @@ cupsdReadConfiguration(void) + # else + cupsdSetString(&ServerKeychain, "/Library/Keychains/System.keychain"); + # endif /* HAVE_GNUTLS */ ++ ++ _httpTLSSetOptions(0); + #endif /* HAVE_SSL */ + + language = cupsLangDefault(); +@@ -2929,6 +2931,49 @@ read_cupsd_conf(cups_file_t *fp) /* I - + "FaxRetryLimit is deprecated; use " + "JobRetryLimit on line %d.", linenum); + } ++ else if (!_cups_strcasecmp(line, "SSLOptions")) ++ { ++ /* ++ * SSLOptions [AllowRC4] [AllowSSL3] [None] ++ */ ++ ++ int options = 0; /* SSL/TLS options */ ++ ++ if (value) ++ { ++ char *start, /* Start of option */ ++ *end; /* End of option */ ++ ++ for (start = value; *start; start = end) ++ { ++ /* ++ * Find end of keyword... ++ */ ++ ++ end = start; ++ while (*end && !_cups_isspace(*end)) ++ end ++; ++ ++ if (*end) ++ *end++ = '\0'; ++ ++ /* ++ * Compare... 
++ */ ++ ++ if (!_cups_strcasecmp(start, "AllowRC4")) ++ options |= _HTTP_TLS_ALLOW_RC4; ++ else if (!_cups_strcasecmp(start, "AllowSSL3")) ++ options |= _HTTP_TLS_ALLOW_SSL3; ++ else if (!_cups_strcasecmp(start, "None")) ++ options = 0; ++ else if (_cups_strcasecmp(start, "NoEmptyFragments")) ++ cupsdLogMessage(CUPSD_LOG_WARN, "Unknown SSL option %s at line %d.", start, linenum); ++ } ++ } ++ ++ _httpTLSSetOptions(options); ++ } + else if ((!_cups_strcasecmp(line, "Port") || !_cups_strcasecmp(line, "Listen") + #ifdef HAVE_SSL + || !_cups_strcasecmp(line, "SSLPort") || !_cups_strcasecmp(line, "SSLListen") diff --git a/cups.spec b/cups.spec index 479150b..0d9b801 100644 --- a/cups.spec +++ b/cups.spec @@ -30,7 +30,7 @@ Source8: macros.cups Patch1: cups-no-gzip-man.patch Patch2: cups-system-auth.patch Patch3: cups-multilib.patch - +Patch4: cups-str4476.patch Patch5: cups-banners.patch Patch6: cups-serverbin-compat.patch Patch7: cups-no-export-ssllibs.patch @@ -196,7 +196,9 @@ Sends IPP requests to the specified URI and tests and/or displays the results. %patch2 -p1 -b .system-auth # Prevent multilib conflict in cups-config script. %patch3 -p1 -b .multilib - +# Re-introduce SSLOptions configuration directive, disable SSL3 by +# default (STR #4476). +%patch4 -p1 -b .str4476 # Ignore rpm save/new files in the banners directory. %patch5 -p1 -b .banners # Use compatibility fallback path for ServerBin. @@ -617,6 +619,8 @@ rm -f %{cups_serverbin}/backend/smb %changelog * Fri Nov 7 2014 Tim Waugh - 1:2.0.0-12 +- Re-introduce SSLOptions configuration directive, disable SSL3 by + default (STR #4476). - Enable SSL again via GnuTLS (bug #1161235). * Thu Nov 6 2014 Tim Waugh - 1:2.0.0-11
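Review bot: In the tls-gnutls.c part of the added patch, the four `gnutls_priority_set_direct()` calls in `_httpTLSStart()` discard their return value, so a priority string the library rejects (a build that does not recognise `ARCFOUR-128` or `VERS-SSL3.0` is the obvious case) would leave the session running with whatever priorities GnuTLS applies by default instead of the restriction the SSLOptions directive promises. Selecting the string first and checking the single call, failing the connection the same way the `return (-1)` path just above it does, keeps a misconfiguration from silently widening what the server accepts. The tls-darwin.c part compiles its cipher-suite filter out with `#define USE_SET_ENABLED_CIPHERS 0` and the accompanying comment stops mid-sentence at `Currently disabled (0) because of .`, so on that backend AllowRC4 is a no-op and the RC4 suites stay at the library default while only `SSLSetProtocolVersionMin()` takes effect; the comment should state the actual reason, e.g. `Currently disabled (0) because of <bug/STR reference>; AllowRC4 is therefore ignored on this backend.`. The SSLOptions parser shared by usersys.c and conf.c also yields an empty token for every run of consecutive spaces in `value`, which conf.c then reports as `Unknown SSL option  at line N`; skipping whitespace before `end = start;` (`while (*start && _cups_isspace(*start)) start ++; if (!*start) break;`) avoids the spurious warning.
```c
  /* … unchanged: credential/session setup preceding the priority selection … */
  const char *priority;  /* GnuTLS priority string for this session */

  if (!tls_options)
    priority = "NORMAL:-ARCFOUR-128:VERS-TLS-ALL:-VERS-SSL3.0";
  else if ((tls_options & _HTTP_TLS_ALLOW_SSL3) && (tls_options & _HTTP_TLS_ALLOW_RC4))
    priority = "NORMAL";
  else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
    priority = "NORMAL:-ARCFOUR-128:VERS-TLS-ALL";
  else
    priority = "NORMAL:VERS-TLS-ALL:-VERS-SSL3.0";

  if (gnutls_priority_set_direct(http->tls, priority, NULL) < 0)
  {
   /*
    * A rejected priority string must not fall through to the library
    * defaults; fail the connection like the preceding error path does...
    */

    /* … same cleanup as the preceding failure path … */
    return (-1);
  }

  gnutls_transport_set_ptr(http->tls, (gnutls_transport_ptr_t)http);
  /* … unchanged: pull/push function registration … */
```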