authorMichael R Sweet <michael.r.sweet@gmail.com>2017-07-23 20:02:57 -0400
committerMichael R Sweet <michael.r.sweet@gmail.com>2017-07-23 20:02:57 -0400
commit5e59cd062f1e12cda4d955c09ea6da5cee8a7bc2 (patch)
treeee697ef941fa0a972771825b3791e61f68c0d851
parente7729c5a144d4ce1dded05ac18abee88d1d579f7 (diff)
downloadcups-5e59cd062f1e12cda4d955c09ea6da5cee8a7bc2.tar.gz
Fix "DenyCBC" priority string with GNU TLS.
-rw-r--r--CHANGES.md3
-rw-r--r--cups/tls-gnutls.c4
2 files changed, 4 insertions, 3 deletions
diff --git a/CHANGES.md b/CHANGES.md
index b247c1f1c..5ff87a731 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,4 +1,4 @@
-CHANGES - 2.2.5 - 2017-07-19
+CHANGES - 2.2.5 - 2017-07-23
============================
CHANGES IN CUPS V2.2.5
@@ -28,6 +28,7 @@ CHANGES IN CUPS V2.2.5
printers (rdar://33250434)
- Fixed the `cups.strings` file that is used on macOS (rdar://33287650)
- CUPS now sends the `Date` HTTP header in IPP requests (rdar://33302034)
+- Fixed the DenyCBC option when using GNU TLS.
CHANGES IN CUPS V2.2.4
diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
index 48bc11aa9..d77e20789 100644
--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
@@ -1242,7 +1242,7 @@ _httpTLSStart(http_t *http) /* I - Connection to server */
int status; /* Status of handshake */
gnutls_certificate_credentials_t *credentials;
/* TLS credentials */
- char priority_string[1024];
+ char priority_string[2048];
/* Priority string */
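Review bot: Doubling `priority_string` to 2048 bytes still leaves truncation silent, because the `strlcat()` calls in the later hunk ignore their return value. A string that outgrows the buffer would lose its trailing `:!…` exclusions, or end in a cut-off token, without any error. Comparing each result against `sizeof(priority_string)` and aborting TLS setup on overflow would keep a truncated policy from reaching GnuTLS. The declaration sits inside _httpTLSStart, whose body lies outside this hunk.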
@@ -1519,7 +1519,7 @@ _httpTLSStart(http_t *http) /* I - Connection to server */
strlcat(priority_string, ":!ANON-DH", sizeof(priority_string));
if (!(tls_options & _HTTP_TLS_DENY_CBC))
- strlcat(priority_string, ":!CBC", sizeof(priority_string));
+ strlcat(priority_string, ":!AES-128-CBC:!AES-256-CBC:!CAMELLIA-128-CBC:!CAMELLIA-256-CBC:!3DES-CBC", sizeof(priority_string));
#ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
gnutls_priority_set_direct(http->tls, priority_string, NULL);
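Review bot: The guard on the context line `if (!(tls_options & _HTTP_TLS_DENY_CBC))` looks inverted: as written, the CBC exclusions are appended only when the deny flag is clear. If the flag means what its name and the commit title suggest, setting DenyCBC would leave the CBC suites enabled, and the test should read `if (tls_options & _HTTP_TLS_DENY_CBC)`. Separately, the return value of `gnutls_priority_set_direct()` is discarded, so a priority string that GnuTLS rejects goes unnoticed and the intended restrictions may not be applied. Checking for a result other than `GNUTLS_E_SUCCESS` and failing the connection setup would make that visible. _httpTLSStart begins and ends outside this hunk.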