me
/
guix
Archived
1
0
Fork 0

services: cups: Complete SSL-OPTIONS.

…except for ‘AllowDH’, which makes no sense on GNU TLS systems.

* gnu/services/cups.scm (ssl-options?): Validate ‘DenyCBC’ and
‘DenyTLS1.0’.
* doc/guix.texi (Printing Services): Document them both.
master
Tobias Geerinckx-Rice 2019-08-27 08:48:27 +02:00
parent 32e18e9b94
commit f9c1ebdb7d
No known key found for this signature in database
GPG Key ID: 0DB0FF884F556D79
2 changed files with 14 additions and 7 deletions

View File

@ -49,7 +49,7 @@ Copyright @copyright{} 2017 Christopher Allan Webber@*
Copyright @copyright{} 2017, 2018 Marius Bakke@*
Copyright @copyright{} 2017 Hartmut Goebel@*
Copyright @copyright{} 2017 Maxim Cournoyer@*
Copyright @copyright{} 2017, 2018 Tobias Geerinckx-Rice@*
Copyright @copyright{} 2017, 2018, 2019 Tobias Geerinckx-Rice@*
Copyright @copyright{} 2017 George Clemmer@*
Copyright @copyright{} 2017 Andy Wingo@*
Copyright @copyright{} 2017, 2018, 2019 Arun Isaac@*
@ -14757,11 +14757,14 @@ Defaults to @samp{()}.
@deftypevr {@code{cups-configuration} parameter} ssl-options ssl-options
Sets encryption options. By default, CUPS only supports encryption
using TLS v1.0 or higher using known secure cipher suites. The
@code{AllowRC4} option enables the 128-bit RC4 cipher suites, which are
required for some older clients that do not implement newer ones. The
@code{AllowSSL3} option enables SSL v3.0, which is required for some
older clients that do not support TLS v1.0.
using TLS v1.0 or higher using known secure cipher suites. Security is
reduced when @code{Allow} options are used, and enhanced when @code{Deny}
options are used. The @code{AllowRC4} option enables the 128-bit RC4 cipher
suites, which are required for some older clients. The @code{AllowSSL3} option
enables SSL v3.0, which is required for some older clients that do not support
TLS v1.0. The @code{DenyCBC} option disables all CBC cipher suites. The
@code{DenyTLS1.0} option disables TLS v1.0 support - this sets the minimum
protocol version to TLS v1.1.
Defaults to @samp{()}.
@end deftypevr

View File

@ -3,6 +3,7 @@
;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2019 Alex Griffin <a@ajgrf.com>
;;; Copyright © 2019 Tobias Geerinckx-Rice <me@tobias.gr>
;;;
;;; This file is part of GNU Guix.
;;;
@ -170,7 +171,10 @@
(define (ssl-options? x)
(and (list? x)
(and-map (lambda (elt) (memq elt '(AllowRC4 AllowSSL3))) x)))
(and-map (lambda (elt) (memq elt '(AllowRC4
AllowSSL3
DenyCBC
DenyTLS1.0))) x)))
(define (serialize-ssl-options field-name val)
(serialize-field field-name
(match val