author | Michael Sweet <michael.r.sweet@gmail.com> | 2017-10-19 22:44:12 -0400 |
---|---|---|
committer | Michael Sweet <michael.r.sweet@gmail.com> | 2017-10-19 22:44:12 -0400 |
commit | 02c88e673ea6d700e52fa89ee83aabae905370a8 (patch) | |
tree | a2b54e1ce5d98ba107e730e634dda0b26e38e23c /cups/usersys.c | |
parent | 0ae5b012b2f5f37bee24044180beae7ed663182e (diff) | |
download | cups-02c88e673ea6d700e52fa89ee83aabae905370a8.tar.gz |
Fix cipher suite selection with GNU TLS (Issue #5145)
Also make sure that client.conf SSLOptions do not override cupsd.conf
SSLOptions, and document the (hopefully obvious) fact that Allow* is less
secure and Deny* is more secure.
- cups/http-private.h: Add "_HTTP_TLS_SET_DEFAULT" flag for options set from
client.conf.
- cups/tls-*.c: Use new flag.
- cups/tls-gnutls.c: Fix CBC cipher suite exclusion logic, and always disable
anonymous DH.
- cups/usersys.c: Pass new flag when calling _httpTLSSetOptions.
- man/*: Update documentation.
Diffstat (limited to 'cups/usersys.c')
-rw-r--r-- | cups/usersys.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/cups/usersys.c b/cups/usersys.c index 026b4a7cc..2a004b540 100644 --- a/cups/usersys.c +++ b/cups/usersys.c @@ -957,7 +957,7 @@ _cupsSetDefaults(void) cg->validate_certs = cc.validate_certs; #ifdef HAVE_SSL - _httpTLSSetOptions(cc.ssl_options); + _httpTLSSetOptions(cc.ssl_options | _HTTP_TLS_SET_DEFAULT); #endif /* HAVE_SSL */ } |
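
Review bot: The changed call in _cupsSetDefaults(), `_httpTLSSetOptions(cc.ssl_options | _HTTP_TLS_SET_DEFAULT);`, folds a control flag into the same bitmask that carries the SSLOptions values, and nothing at the call site says so. Add a short comment above the call explaining that the flag marks these options as client.conf defaults that must not replace options already set (the cupsd.conf case named in the commit message). The intended behaviour depends entirely on _httpTLSSetOptions() testing and masking off the flag before it stores the value. That code is in cups/tls-*.c and is not visible in this diff, which is limited to cups/usersys.c, so confirm that every TLS backend handles the flag and that its bit does not overlap any existing option bit defined in cups/http-private.h.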