authorMichael Sweet <michael.r.sweet@gmail.com>2017-08-25 16:38:56 -0400
committerMichael Sweet <michael.r.sweet@gmail.com>2017-08-25 16:39:50 -0400
commit4f272af7bbf4c6f409998e3b1d1f89df4bda8a28 (patch)
treeb894f24fd57f7b2d8ada29aab477d88179066501 /cups/tls-darwin.c
parentb770b18d0fac2117fb8f0684ea7eef8cf398529c (diff)
downloadcups-4f272af7bbf4c6f409998e3b1d1f89df4bda8a28.tar.gz
Support internal "only TLS/1.0" option for tlscheck.
Expand CBC filter on macOS. Add support for --tls10 and --no-cbc options with tlscheck.
Diffstat (limited to 'cups/tls-darwin.c')
-rw-r--r--cups/tls-darwin.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/cups/tls-darwin.c b/cups/tls-darwin.c
index df952cb29..d2d3687a1 100644
--- a/cups/tls-darwin.c
+++ b/cups/tls-darwin.c
@@ -1227,6 +1227,12 @@ _httpTLSStart(http_t *http) /* I - HTTP connection */
error = SSLSetProtocolVersionMin(http->tls, minProtocol);
DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMin(%d), error=%d", minProtocol, (int)error));
+
+ if (!error && (tls_options & _HTTP_TLS_ONLY_TLS10))
+ {
+ error = SSLSetProtocolVersionMax(http->tls, kTLSProtocol1);
+ DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMax(kTLSProtocol1), error=%d", (int)error));
+ }
}
# if HAVE_SSLSETENABLEDCIPHERS
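Review bot: The added `SSLSetProtocolVersionMax(http->tls, kTLSProtocol1)` call runs after the minimum has already been set from `minProtocol`, and nothing in the hunk checks that the two agree. If the option handling earlier in `_httpTLSStart` (outside this hunk) can raise `minProtocol` above TLS/1.0, the session ends up with min > max and presumably fails with an opaque Secure Transport error, so that combination should be rejected or resolved before the call. Because `_HTTP_TLS_ONLY_TLS10` pins the connection to a deprecated protocol version, I would also add a comment such as `/* Test-only (tlscheck): cap negotiation at TLS/1.0; must not be settable from user-facing configuration */`. It is also worth confirming that the option parser does not accept this flag.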
@@ -1369,6 +1375,9 @@ _httpTLSStart(http_t *http) /* I - HTTP connection */
case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 :
case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 :
case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 :
+ case TLS_RSA_WITH_3DES_EDE_CBC_SHA :
+ case TLS_RSA_WITH_AES_128_CBC_SHA :
+ case TLS_RSA_WITH_AES_256_CBC_SHA :
if (tls_options & _HTTP_TLS_DENY_CBC)
{
DEBUG_printf(("4_httpTLSStart: Excluding CBC cipher suite %d", supported[i]));
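Review bot: `TLS_RSA_WITH_3DES_EDE_CBC_SHA` is excluded only when `_HTTP_TLS_DENY_CBC` is set, so under default options it presumably stays enabled (the rest of the switch lies outside the hunk). 3DES uses a 64-bit block and is weak independently of the CBC concern, so it would be safer to give it its own case that excludes it unconditionally, or at least behind a separate flag. The case list is maintained by hand, which makes it easy to miss a suite. A comment above it such as `/* Keep in sync: every *_CBC_* suite reported by SSLGetSupportedCiphers must be listed here */` would help future edits.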