[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
01/03: services: cups: Complete SSL-OPTIONS.
From: |
guix-commits |
Subject: |
01/03: services: cups: Complete SSL-OPTIONS. |
Date: |
Tue, 27 Aug 2019 02:50:46 -0400 (EDT) |
nckx pushed a commit to branch master
in repository guix.
commit f9c1ebdb7daea30ceaf73f43bf15c222dc4a58ad
Author: Tobias Geerinckx-Rice <address@hidden>
Date: Tue Aug 27 08:48:27 2019 +0200
services: cups: Complete SSL-OPTIONS.
…except for ‘AllowDH’, which makes no sense on GNU TLS systems.
* gnu/services/cups.scm (ssl-options?): Validate ‘DenyCBC’ and
‘DenyTLS1.0’.
* doc/guix.texi (Printing Services): Document them both.
---
doc/guix.texi | 15 +++++++++------
gnu/services/cups.scm | 6 +++++-
2 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 6499b39..90b2deb 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -49,7 +49,7 @@ Copyright @copyright{} 2017 Christopher Allan Webber@*
Copyright @copyright{} 2017, 2018 Marius Bakke@*
Copyright @copyright{} 2017 Hartmut Goebel@*
Copyright @copyright{} 2017 Maxim Cournoyer@*
-Copyright @copyright{} 2017, 2018 Tobias Geerinckx-Rice@*
+Copyright @copyright{} 2017, 2018, 2019 Tobias Geerinckx-Rice@*
Copyright @copyright{} 2017 George Clemmer@*
Copyright @copyright{} 2017 Andy Wingo@*
Copyright @copyright{} 2017, 2018, 2019 Arun Isaac@*
@@ -14757,11 +14757,14 @@ Defaults to @samp{()}.
@deftypevr {@code{cups-configuration} parameter} ssl-options ssl-options
Sets encryption options. By default, CUPS only supports encryption
-using TLS v1.0 or higher using known secure cipher suites. The
-@code{AllowRC4} option enables the 128-bit RC4 cipher suites, which are
-required for some older clients that do not implement newer ones. The
-@code{AllowSSL3} option enables SSL v3.0, which is required for some
-older clients that do not support TLS v1.0.
+using TLS v1.0 or higher using known secure cipher suites. Security is
+reduced when @code{Allow} options are used, and enhanced when @code{Deny}
+options are used. The @code{AllowRC4} option enables the 128-bit RC4 cipher
+suites, which are required for some older clients. The @code{AllowSSL3} option
+enables SSL v3.0, which is required for some older clients that do not support
+TLS v1.0. The @code{DenyCBC} option disables all CBC cipher suites. The
+@code{DenyTLS1.0} option disables TLS v1.0 support - this sets the minimum
+protocol version to TLS v1.1.
Defaults to @samp{()}.
@end deftypevr
diff --git a/gnu/services/cups.scm b/gnu/services/cups.scm
index 9d21b6e..c20244c 100644
--- a/gnu/services/cups.scm
+++ b/gnu/services/cups.scm
@@ -3,6 +3,7 @@
;;; Copyright © 2017 Clément Lassieur <address@hidden>
;;; Copyright © 2018 Ricardo Wurmus <address@hidden>
;;; Copyright © 2019 Alex Griffin <address@hidden>
+;;; Copyright © 2019 Tobias Geerinckx-Rice <address@hidden>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -170,7 +171,10 @@
(define (ssl-options? x)
(and (list? x)
- (and-map (lambda (elt) (memq elt '(AllowRC4 AllowSSL3))) x)))
+ (and-map (lambda (elt) (memq elt '(AllowRC4
+ AllowSSL3
+ DenyCBC
+ DenyTLS1.0))) x)))
(define (serialize-ssl-options field-name val)
(serialize-field field-name
(match val