From f9c1ebdb7daea30ceaf73f43bf15c222dc4a58ad Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Tue, 27 Aug 2019 08:48:27 +0200 Subject: services: cups: Complete SSL-OPTIONS. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit …except for ‘AllowDH’, which makes no sense on GNU TLS systems. * gnu/services/cups.scm (ssl-options?): Validate ‘DenyCBC’ and ‘DenyTLS1.0’. * doc/guix.texi (Printing Services): Document them both. --- doc/guix.texi | 15 +++++++++------ gnu/services/cups.scm | 6 +++++- 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 6499b39ebf..90b2deb251 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -49,7 +49,7 @@ Copyright @copyright{} 2017 Christopher Allan Webber@* Copyright @copyright{} 2017, 2018 Marius Bakke@* Copyright @copyright{} 2017 Hartmut Goebel@* Copyright @copyright{} 2017 Maxim Cournoyer@* -Copyright @copyright{} 2017, 2018 Tobias Geerinckx-Rice@* +Copyright @copyright{} 2017, 2018, 2019 Tobias Geerinckx-Rice@* Copyright @copyright{} 2017 George Clemmer@* Copyright @copyright{} 2017 Andy Wingo@* Copyright @copyright{} 2017, 2018, 2019 Arun Isaac@* @@ -14757,11 +14757,14 @@ Defaults to @samp{()}. @deftypevr {@code{cups-configuration} parameter} ssl-options ssl-options Sets encryption options. By default, CUPS only supports encryption -using TLS v1.0 or higher using known secure cipher suites. The -@code{AllowRC4} option enables the 128-bit RC4 cipher suites, which are -required for some older clients that do not implement newer ones. The -@code{AllowSSL3} option enables SSL v3.0, which is required for some -older clients that do not support TLS v1.0. +using TLS v1.0 or higher using known secure cipher suites. Security is +reduced when @code{Allow} options are used, and enhanced when @code{Deny} +options are used. The @code{AllowRC4} option enables the 128-bit RC4 cipher +suites, which are required for some older clients. The @code{AllowSSL3} option +enables SSL v3.0, which is required for some older clients that do not support +TLS v1.0. The @code{DenyCBC} option disables all CBC cipher suites. The +@code{DenyTLS1.0} option disables TLS v1.0 support - this sets the minimum +protocol version to TLS v1.1. Defaults to @samp{()}. @end deftypevr diff --git a/gnu/services/cups.scm b/gnu/services/cups.scm index 9d21b6e70c..c20244cb32 100644 --- a/gnu/services/cups.scm +++ b/gnu/services/cups.scm @@ -3,6 +3,7 @@ ;;; Copyright © 2017 Clément Lassieur ;;; Copyright © 2018 Ricardo Wurmus ;;; Copyright © 2019 Alex Griffin +;;; Copyright © 2019 Tobias Geerinckx-Rice ;;; ;;; This file is part of GNU Guix. ;;; @@ -170,7 +171,10 @@ (define (serialize-boolean-or-non-negative-integer field-name x) (define (ssl-options? x) (and (list? x) - (and-map (lambda (elt) (memq elt '(AllowRC4 AllowSSL3))) x))) + (and-map (lambda (elt) (memq elt '(AllowRC4 + AllowSSL3 + DenyCBC + DenyTLS1.0))) x))) (define (serialize-ssl-options field-name val) (serialize-field field-name (match val -- cgit v1.2.3