author | Michael Sweet <michael.r.sweet@gmail.com> | 2017-10-19 22:44:12 -0400 |
---|---|---|
committer | Michael Sweet <michael.r.sweet@gmail.com> | 2017-10-19 22:44:12 -0400 |
commit | 02c88e673ea6d700e52fa89ee83aabae905370a8 (patch) | |
tree | a2b54e1ce5d98ba107e730e634dda0b26e38e23c /cups/tls-sspi.c | |
parent | 0ae5b012b2f5f37bee24044180beae7ed663182e (diff) | |
download | cups-02c88e673ea6d700e52fa89ee83aabae905370a8.tar.gz |

Fix cipher suite selection with GNU TLS (Issue #5145)

Also make sure that client.conf SSLOptions do not override cupsd.conf
SSLOptions, and document the (hopefully obvious) fact that Allow* is less
secure and Deny* is more secure.

- cups/http-private.h: Add "_HTTP_TLS_SET_DEFAULT" flag for options set from
  client.conf.
- cups/tls-*.c: Use new flag.
- cups/tls-gnutls.c: Fix CBC cipher suite exclusion logic, and always disable
  anonymous DH.
- cups/usersys.c: Pass new flag when calling _httpTLSSetOptions.
- man/*: Update documentation.

Diffstat (limited to 'cups/tls-sspi.c')
-rw-r--r-- | cups/tls-sspi.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/cups/tls-sspi.c b/cups/tls-sspi.c index 77b883b22..6eaec4c83 100644 --- a/cups/tls-sspi.c +++ b/cups/tls-sspi.c @@ -2,7 +2,7 @@ * TLS support for CUPS on Windows using the Security Support Provider * Interface (SSPI). * - * Copyright 2010-2015 by Apple Inc. + * Copyright 2010-2017 by Apple Inc. * * These coded instructions, statements, and computer programs are the * property of Apple Inc. and are protected by Federal copyright @@ -913,7 +913,8 @@ _httpTLSRead(http_t *http, /* I - HTTP connection */ void _httpTLSSetOptions(int options) /* I - Options */ { - tls_options = options; + if (!(options & _HTTP_TLS_SET_DEFAULT) || tls_options < 0) + tls_options = options; } |
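
Review bot: In the `_httpTLSSetOptions` hunk, the new guard treats `tls_options < 0` as "no options set yet", but nothing in the visible lines documents that sentinel, and the parameter comment still reads only `/* I - Options */`. Please extend the function comment to say that a call carrying `_HTTP_TLS_SET_DEFAULT` is ignored once options have been set, since that ordering rule is what keeps client.conf from overriding cupsd.conf. Also note that `tls_options = options;` stores the argument unmasked, so the `_HTTP_TLS_SET_DEFAULT` bit stays in `tls_options` after a default call; consider storing `options & ~_HTTP_TLS_SET_DEFAULT` so later code that inspects the value sees only cipher and protocol option bits. The function returns `void`, so a caller cannot tell whether its default was applied or dropped; if that matters for diagnostics, a debug message on the ignored path would help.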