From fad821594f5ec0b35dcf8535923146a2d9220aac Mon Sep 17 00:00:00 2001
From: Pascal Ernster
Date: Sun, 22 Oct 2017 22:34:42 +0200
Subject: Fix AllowRC4 and AllowSSL3 on GnuTLS platforms
---
 cups/tls-gnutls.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'cups/tls-gnutls.c')
diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
index 4c92b6850..f93274815 100644
--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
@@ -1509,14 +1509,16 @@ _httpTLSStart(http_t *http) /* I - Connection to server */
 if (tls_options & _HTTP_TLS_DENY_TLS10)
 strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-TLS1.0:-VERS-SSL3.0", sizeof(priority_string));
 else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
- strlcat(priority_string, ":+VERS-TLS-ALL", sizeof(priority_string));
+ strlcat(priority_string, ":+VERS-TLS-ALL:+VERS-SSL3.0", sizeof(priority_string));
 else if (tls_options & _HTTP_TLS_ONLY_TLS10)
 strlcat(priority_string, ":-VERS-TLS-ALL:-VERS-SSL3.0:+VERS-TLS1.0", sizeof(priority_string));
 else
 strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-SSL3.0", sizeof(priority_string));
- if (!(tls_options & _HTTP_TLS_ALLOW_RC4))
- strlcat(priority_string, ":-ARCFOUR-128", sizeof(priority_string));
+ if (tls_options & _HTTP_TLS_ALLOW_RC4)
+ strlcat(priority_string, ":+ARCFOUR-128", sizeof(priority_string));
+ else
+ strlcat(priority_string, ":!ARCFOUR-128", sizeof(priority_string));
 strlcat(priority_string, ":!ANON-DH", sizeof(priority_string));
--
cgit v1.2.1
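Review bot: The `_HTTP_TLS_ALLOW_SSL3` and `_HTTP_TLS_ALLOW_RC4` branches carry no comment saying that they switch on a protocol and a cipher that are deprecated (RFC 7568, RFC 7465), and since the subject line suggests the two options did not work on GnuTLS before, hosts that already set them will presumably start negotiating SSL 3.0 or RC4 once this lands. I would add above each branch something like `/* AllowSSL3: legacy opt-in, re-enables SSL 3.0 (deprecated by RFC 7568) */` and `/* AllowRC4: legacy opt-in, re-enables RC4 (prohibited by RFC 7465) */`, and call out the behaviour change in the release notes. The `else if` order also means `_HTTP_TLS_ALLOW_SSL3` wins over `_HTTP_TLS_ONLY_TLS10` when both bits are set, so the TLS 1.0-only restriction is dropped silently; if that precedence is intended it deserves a one-line comment as well. The body of `_httpTLSStart` starts and ends outside the hunk, so whether the finished `priority_string` is checked for truncation or for a parse failure cannot be seen here.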