Fix cipher suite selection with GNU TLS (Issue #5145)

Also make sure that client.conf SSLOptions do not override cupsd.conf SSLOptions, and document the (hopefully obvious) fact that Allow* is less secure and Deny* is more secure. - cups/http-private.h: Add "_HTTP_TLS_SET_DEFAULT" flag for options set from client.conf. - cups/tls-*.c: Use new flag. - cups/tls-gnutls.c: Fix CBC cipher suite exclusion logic, and always disable anonymous DH. - cups/usersys.c: Pass new flag when calling _httpTLSSetOptions. - man/*: Update documentation.
author: Michael Sweet <michael.r.sweet@gmail.com> 2017-10-19 22:44:12 -0400
committer: Michael Sweet <michael.r.sweet@gmail.com> 2017-10-19 22:44:12 -0400
commit: 02c88e673ea6d700e52fa89ee83aabae905370a8 (patch)
tree: a2b54e1ce5d98ba107e730e634dda0b26e38e23c /cups/usersys.c
parent: 0ae5b012b2f5f37bee24044180beae7ed663182e (diff)
download: cups-02c88e673ea6d700e52fa89ee83aabae905370a8.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/cups/usersys.c b/cups/usersys.c
index 026b4a7cc..2a004b540 100644
--- a/cups/usersys.c
+++ b/cups/usersys.c
@@ -957,7 +957,7 @@ _cupsSetDefaults(void)
     cg->validate_certs = cc.validate_certs;
 
 #ifdef HAVE_SSL
-  _httpTLSSetOptions(cc.ssl_options);
+  _httpTLSSetOptions(cc.ssl_options | _HTTP_TLS_SET_DEFAULT);
 #endif /* HAVE_SSL */
 }
author	Michael Sweet <michael.r.sweet@gmail.com>	2017-10-19 22:44:12 -0400
committer	Michael Sweet <michael.r.sweet@gmail.com>	2017-10-19 22:44:12 -0400
commit	02c88e673ea6d700e52fa89ee83aabae905370a8 (patch)
tree	a2b54e1ce5d98ba107e730e634dda0b26e38e23c /cups/usersys.c
parent	0ae5b012b2f5f37bee24044180beae7ed663182e (diff)
download	cups-02c88e673ea6d700e52fa89ee83aabae905370a8.tar.gz