author: msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be> 2015-05-20 01:20:52 +0000
committer: msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be> 2015-05-20 01:20:52 +0000
commit: ee6226a5cbe12e80205659984bfcc663375b27e6 (patch)
tree: a4a6509b4a85df0e219ff918564f1d6a01bb2c94 /man
parent: 3bb59731595c4db5427812e41856930bbd012d82 (diff)
Add SSLOptions to enable Diffie-Hellman key exchange and disable TLS/1.0.

DH/DHE support is being made optional because of known security issues with short DH parameters. Since there is no way to conditionally use DH/DHE with a minimum number of bits, we just have to disable it by default.

TLS/1.0 support can now be disabled due to known security issues with TLS/1.0. However, since TLS/1.1 and TLS/1.2 support is not universally available, we cannot simply disable TLS/1.0 like we did for SSL/3.0.

git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@12645 a1ca3aef-8c08-0410-bb20-df032aa958be
Diffstat (limited to 'man')
-rw-r--r-- man/client.conf.man.in 12
1 files changed, 7 insertions, 5 deletions
diff --git a/man/client.conf.man.in b/man/client.conf.man.in
index a7eadbc1e..39a811b04 100644
--- a/man/client.conf.man.in
+++ b/man/client.conf.man.in
@@ -3,7 +3,7 @@
.\"
.\" client.conf man page for CUPS.
.\"
-.\" Copyright 2007-2014 by Apple Inc.
+.\" Copyright 2007-2015 by Apple Inc.
.\" Copyright 2006 by Easy Software Products.
.\"
.\" These coded instructions, statements, and computer programs are the
@@ -12,14 +12,14 @@
.\" which should have been included with this file. If this file is
.\" file is missing or damaged, see the license at "http://www.cups.org/".
.\"
-.TH client.conf 5 "CUPS" "20 October 2014" "Apple Inc."
+.TH client.conf 5 "CUPS" "19 May 2015" "Apple Inc."
.SH NAME
client.conf \- client configuration file for cups (deprecated)
.SH DESCRIPTION
The \fBclient.conf\fR file configures the CUPS client and is normally located in the \fI/etc/cups\fR and/or \fI~/.cups\fR directories.
Each line in the file can be a configuration directive, a blank line, or a comment. Comment lines start with the # character.
.LP
-\fBNote:\fR Starting with OS X 10.7, this file is only used by command-line and X11 applications.
+\fBNote:\fR Starting with OS X 10.7, this file is only used by command-line and X11 applications plus the IPP backend.
The \fBServerName\fR directive is not supported on OS X at all.
.SS DIRECTIVES
The following directives are understood by the client. Consult the online help for detailed descriptions:
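Review bot: The Note line that now ends "plus the IPP backend" changes a statement about which programs read client.conf on OS X, and nothing in the commit message covers it; the message only describes the SSLOptions work. Either mention the IPP backend wording in the commit message or move it to its own commit so the reason for the change can be traced later.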
@@ -56,13 +56,15 @@ Specifies the address and optionally the port to use when connecting to the serv
\fBServerName \fIhostname-or-ip-address\fR[\fI:port\fR]\fB/version=1.1\fR
Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.
.TP 5
-\fBSSLOptions \fR[\fIAllowRC4\fR] [\fIAllowSSL3\fR]
+\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyTLS1.0\fR]
.TP 5
\fBSSLOptions None\fR
Sets encryption options (only in /etc/cups/client.conf).
By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
+The \fIAllowDH\fR option enables cipher suites using plain Diffie-Hellman key negotiation.
The \fIAllowRC4\fR option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones.
The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
+The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
.TP 5
\fBUser \fIname\fR
Specifies the default user name to use for requests.
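Review bot: The added AllowDH sentence does not say that DH/DHE cipher suites are now off by default or why. The commit message gives the reason (short DH parameters, with no way to require a minimum number of bits), but an administrator reading only the man page sees "enables cipher suites using plain Diffie-Hellman key negotiation" with no indication that turning it on accepts that weakness. Add a sentence after it stating that these suites are disabled by default because the parameter size cannot be enforced. In the DenyTLS1.0 line, the " - " joining the two clauses would read more cleanly as two sentences, matching the style of the AllowRC4 and AllowSSL3 entries.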
@@ -78,7 +80,7 @@ The \fBclient.conf\fR file is deprecated and will no longer be supported in a fu
.BR cups (1),
CUPS Online Help (http://localhost:631/help)
.SH COPYRIGHT
-Copyright \[co] 2007-2014 by Apple Inc.
+Copyright \[co] 2007-2015 by Apple Inc.
.\"
.\" End of "$Id$".
.\"