author | Michael Sweet <michael.r.sweet@gmail.com> | 2017-08-25 16:38:56 -0400 |
---|---|---|
committer | Michael Sweet <michael.r.sweet@gmail.com> | 2017-08-25 16:39:50 -0400 |
commit | 4f272af7bbf4c6f409998e3b1d1f89df4bda8a28 (patch) | |
tree | b894f24fd57f7b2d8ada29aab477d88179066501 /cups/tls-darwin.c | |
parent | b770b18d0fac2117fb8f0684ea7eef8cf398529c (diff) | |
download | cups-4f272af7bbf4c6f409998e3b1d1f89df4bda8a28.tar.gz |
Support internal "only TLS/1.0" option for tlscheck.
Expand CBC filter on macOS.
Add support for --tls10 and --no-cbc options with tlscheck.
Diffstat (limited to 'cups/tls-darwin.c')
-rw-r--r-- | cups/tls-darwin.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/cups/tls-darwin.c b/cups/tls-darwin.c
index df952cb29..d2d3687a1 100644
--- a/cups/tls-darwin.c
+++ b/cups/tls-darwin.c
@@ -1227,6 +1227,12 @@ _httpTLSStart(http_t *http) /* I - HTTP connection */
 error = SSLSetProtocolVersionMin(http->tls, minProtocol);
 DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMin(%d), error=%d", minProtocol, (int)error));
+
+ if (!error && (tls_options & _HTTP_TLS_ONLY_TLS10))
+ {
+ error = SSLSetProtocolVersionMax(http->tls, kTLSProtocol1);
+ DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMax(kTLSProtocol1), error=%d", (int)error));
+ }
 }
 # if HAVE_SSLSETENABLEDCIPHERS
@@ -1369,6 +1375,9 @@ _httpTLSStart(http_t *http) /* I - HTTP connection */
 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 :
 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 :
 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 :
+ case TLS_RSA_WITH_3DES_EDE_CBC_SHA :
+ case TLS_RSA_WITH_AES_128_CBC_SHA :
+ case TLS_RSA_WITH_AES_256_CBC_SHA :
 if (tls_options & _HTTP_TLS_DENY_CBC)
 {
 DEBUG_printf(("4_httpTLSStart: Excluding CBC cipher suite %d", supported[i])); |
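Review bot: The added `SSLSetProtocolVersionMax(http->tls, kTLSProtocol1)` call in the first hunk is not reconciled with the `minProtocol` passed to `SSLSetProtocolVersionMin` just above it, so if a configured minimum above TLS/1.0 reaches this point the requested range is inverted and the result rests entirely on SecureTransport's error return. `minProtocol` is computed outside the hunk, so this may already be handled there; if it is not, force `minProtocol = kTLSProtocol1;` when `_HTTP_TLS_ONLY_TLS10` is set, before the Min call. Because the flag pins a connection to a deprecated protocol version, a comment above the `if` such as `/* Diagnostic only (tlscheck --tls10): must never be set from user configuration */` would record that it has to stay internal. The body of `_httpTLSStart` starts and ends outside the hunk.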
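Review bot: The `_HTTP_TLS_DENY_CBC` filter in the second hunk is an explicit list of `case` labels, so any CBC suite that is not named falls through to another branch and stays enabled without any log line. The labels above the hunk are not visible here, so it is worth confirming that the remaining CBC variants (for example `TLS_RSA_WITH_AES_128_CBC_SHA256` and the DHE/ECDHE `_CBC_SHA` suites) are listed as well. A comment on the group such as `/* CBC-mode suites: every CBC suite SecureTransport can report must be listed here */` would make the maintenance obligation explicit. The `switch` itself starts outside the hunk.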