SSL Modification

Ryan Holliday rholliday at bcssi.com
Fri May 16 15:15:56 PDT 2008


In reference to http://www.cups.org/newsgroups.php?s16046+gcups.general+v16046+T0

Since I have a working solution that involves a code change, I'm posting it here instead of in the original thread.

The problem turned out to be an issue with the interoperability between Windows and OpenSSL using the DES-CBC3-SHA cipher. Fortunately, OpenSSL has a workaround using SSL_CTX_set_options() to pass through an SSL_OP_ALL flag. I got CUPS working by modifying two files and adding a line in order to set the options (I'm using CUPS 1.3.7):

cups/http.c line 2706
SSL_CTX_set_options(context, SSL_OP_ALL);

scheduler/client.c line 2948
SSL_CTX_set_options(context, SSL_OP_ALL);


The problem is SSL_OP_ALL sets about 10 flags that could have a negative security impact on the cupsd daemon. I need to go through each flag to narrow down the combination of options that needs to be set for this to work. In addition, setting this flag should probably be configurable in the cupsd.conf file, and should not be enabled by default.
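
One way to do the flag-by-flag narrowing described above, as an added example that is not part of the original post or of CUPS: start from the mask known to work and drop each bit that the failing client does not need. The names minimize_options, probe_fn and the demo_* helpers are hypothetical, and the mask values are constructed stand-ins, not real OpenSSL flag values.

```c
#include <stdio.h>

/* Probe callback: nonzero if the failing client connects when cupsd is
 * built with SSL_CTX_set_options(context, mask). In practice this is a
 * rebuild plus a manual test print; here it is a stand-in. */
typedef int (*probe_fn)(unsigned long mask);

/* Reduce a known-good option mask to a subset from which no single bit can
 * be removed. Assumes enabling an extra workaround never breaks the client.
 * Returns 0 and stores the result in *out, or -1 if `start` itself fails. */
int minimize_options(unsigned long start, probe_fn probe, unsigned long *out)
{
    unsigned long mask = start, bit;

    if (!probe(start))
        return -1;
    for (bit = 1; bit != 0 && bit <= start; bit <<= 1) {
        if ((mask & bit) && probe(mask & ~bit))
            mask &= ~bit;           /* client still works without this flag */
    }
    *out = mask;
    return 0;
}

/* Constructed sample data: a 10-bit stand-in for SSL_OP_ALL and a pretend
 * client that needs two of those bits. Not real OpenSSL flag values. */
#define DEMO_ALL    0x3FFUL
#define DEMO_NEEDED 0x042UL

int demo_probe(unsigned long mask)
{
    return (mask & DEMO_NEEDED) == DEMO_NEEDED;
}

unsigned long demo_minimal(void)
{
    unsigned long result = 0;
    if (minimize_options(DEMO_ALL, demo_probe, &result) != 0)
        return DEMO_ALL;            /* fall back to the known-good mask */
    return result;
}

int main(void)
{
    printf("minimal mask: 0x%03lx\n", demo_minimal());
    return 0;
}
```

With the real SSL_OP_ALL value as the starting mask, each probe is one rebuild and one test connection, so the search costs at most one probe per set bit plus the initial check.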



