author: Michael R Sweet <michaelrsweet@gmail.com> 2017-11-03 11:27:04 -0400
committer: Michael R Sweet <michaelrsweet@gmail.com> 2017-11-03 11:27:04 -0400
commit: 8f1fbdecb45ffb8e0e6fa9d5ce73faf022e8fd2a (patch)
tree: adfa20b367705dd81405d499ea26c8e25d13be8c /man
parent: 513f1b621ccd21bd96727d930f7b414435ca8ae1 (diff)
Add support for MinTLS and MaxTLS options (Issue #5119)

- cups/http-private.h: Move TLS/SSL version options to separate version constants, make _httpTLSSetOptions take min/max version numbers.
- cups/tls-*.c: Update _httpTLSSetOptions and _httpTLSStart to use new min/max version numbers.
- cups/tlscheck.c: Update _httpTLSSetOptions call.
- cups/usersys.c: Support new SSLOptions values, update _httpTLSSetOptions call.
- scheduler/conf.c: Support new SSLOptions values, update _httpTLSSetOptions calls.

Diffstat (limited to 'man')
-rw-r--r-- man/client.conf.man.in 7
-rw-r--r-- man/cupsd.conf.man.in 8
2 files changed, 11 insertions, 4 deletions
diff --git a/man/client.conf.man.in b/man/client.conf.man.in
index c9fb91da2..7bbc7d656 100644
--- a/man/client.conf.man.in
+++ b/man/client.conf.man.in
@@ -10,7 +10,7 @@
.\" which should have been included with this file. If this file is
.\" file is missing or damaged, see the license at "http://www.cups.org/".
.\"
-.TH client.conf 5 "CUPS" "19 October 2017" "Apple Inc."
+.TH client.conf 5 "CUPS" "3 November 2017" "Apple Inc."
.SH NAME
client.conf \- client configuration file for cups
.SH DESCRIPTION
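Review bot: the .TH date is bumped to "3 November 2017" in client.conf.man.in only; the cupsd.conf.man.in part of this patch changes the SSLOptions text as well but carries no matching .TH hunk. Bump the date there too so both pages show the revision in which MinTLS and MaxTLS were documented.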
@@ -56,7 +56,7 @@ Specifies the address and optionally the port to use when connecting to the serv
\fBServerName \fIhostname-or-ip-address\fR[\fI:port\fR]\fB/version=1.1\fR
Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.
.TP 5
-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR]
+\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
.TP 5
\fBSSLOptions None\fR
Sets encryption options (only in /etc/cups/client.conf).
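Review bot: the new SSLOptions synopsis lists all four MaxTLS and all four MinTLS values as independent optional flags next to DenyTLS1.0, and nothing here says how conflicting combinations are resolved, for example MinTLS1.2 together with MaxTLS1.1, two MinTLS values on one line, or DenyTLS1.0 (documented below as a TLS v1.1 minimum) together with MinTLS1.0. Suggest documenting which setting wins or that the line is rejected, and showing the alternatives as a choice in the synopsis so an administrator does not end up with a lower floor than intended.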
@@ -68,6 +68,9 @@ The \fIAllowRC4\fR option enables the 128-bit RC4 cipher suites, which are requi
The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
The \fIDenyCBC\fR option disables all CBC cipher suites.
The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
+The \fMinTLS\fR options set the minimum TLS version to support.
+The \fMaxTLS\fR options set the maximum TLS version to support.
+Not all operating systems support TLS 1.3 at this time.
.TP 5
\fBTrustOnFirstUse Yes\fR
.TP 5
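Review bot: the two added sentences write the option names as `\fMinTLS\fR` and `\fMaxTLS\fR`, so `\fM` is parsed as a font escape and the names will not render as MinTLS and MaxTLS. The neighbouring lines use the italic form, e.g. `\fIDenyCBC\fR`; use `\fIMinTLS\fR` and `\fIMaxTLS\fR` to match.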
diff --git a/man/cupsd.conf.man.in b/man/cupsd.conf.man.in
index 28eed35e1..1c2199949 100644
--- a/man/cupsd.conf.man.in
+++ b/man/cupsd.conf.man.in
@@ -451,10 +451,11 @@ Set the specified environment variable to be passed to child processes.
Listens on the specified address and port for encrypted connections.
.\"#SSLOptions
.TP 5
-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR]
+.TP 5
+\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
.TP 5
\fBSSLOptions None\fR
-Sets encryption options.
+Sets encryption options (only in /etc/cups/client.conf).
By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
Security is reduced when \fIAllow\fR options are used.
Security is enhanced when \fIDeny\fR options are used.
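Review bot: the description line in the cupsd.conf page is changed to "Sets encryption options (only in /etc/cups/client.conf).", which looks copied from client.conf.man.in and is misleading in a page that documents the directive for cupsd.conf; keep the original "Sets encryption options." here. The added `.TP 5` also sits directly after an existing `.TP 5` context line, leaving two tag macros in a row before the SSLOptions entry, so the added one should be dropped.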
@@ -463,6 +464,9 @@ The \fIAllowRC4\fR option enables the 128-bit RC4 cipher suites, which are requi
The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
The \fIDenyCBC\fR option disables all CBC cipher suites.
The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
+The \fMinTLS\fR options set the minimum TLS version to support.
+The \fMaxTLS\fR options set the maximum TLS version to support.
+Not all operating systems support TLS 1.3 at this time.
.\"#SSLPort
.TP 5
\fBSSLPort \fIport\fR
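Review bot: the added sentences in this file use `\fMinTLS\fR` and `\fMaxTLS\fR`, where `\fM` is read as a font escape instead of italic plus the letter M; write `\fIMinTLS\fR` and `\fIMaxTLS\fR` as the surrounding `\fIDenyTLS1.0\fR` line does. Separately, "Not all operating systems support TLS 1.3 at this time." does not say what cupsd does when MinTLS1.3 or MaxTLS1.3 is configured on such a system; a sentence on the resulting behavior would let administrators tell whether the configured minimum is actually enforced.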