SSL Modification

Michael Sweet mike at easysw.com
Fri May 16 20:46:58 PDT 2008


Ryan Holliday wrote:
> In reference to http://www.cups.org/newsgroups.php?s16046+gcups.general+v16046+T0
> 
> Since I have a working solution that involves a code change, I'm posting it here instead of in the original thread.
> 
> The problem turned out to be an issue with the interoperability between Windows and OpenSSL using the DES-CBC3-SHA cipher. Fortunately OpenSSL has a workaround using the SSL_CTX_set_options() to pass through a SSL_OP_ALL flag. I got cups working by modifying two files and adding a line in order to set the options (I'm using CUPS 1.3.7):
> 
> cups/http.c line 2706
> SSL_CTX_set_options(context, SSL_OP_ALL);
> 
> scheduler/client.c line 2948
> SSL_CTX_set_options(context, SSL_OP_ALL);
> 
> 
> The problem is SSL_OP_ALL sets about 10 flags that could have a negative security impact on the cupsd daemon. I need to go through each flag to narrow down the combination of options that needs to be set for this to work. In addition, setting this flag should probably be configurable in the cupsd.conf file, and should not be enabled by default.

We probably want to have CUPS+OpenSSL work with Windows in this mode,
so if we can I'd like to make it the default mode.

Once you figure out the minimum set of options required, please file a
bug report here:

     http://www.cups.org/str.php

Thanks!

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products           mike at easysw dot com
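
The narrowing-down step discussed in this thread, as an added example that is not part of either message or of CUPS: a greedy reduction that clears one option bit at a time and keeps it cleared if the handshake still succeeds. The flag values and the `demo_handshake` oracle are constructed stand-ins; a real run is assumed to apply each candidate mask with SSL_CTX_set_options() and attempt the Windows handshake.

```c
#include <stdio.h>

/* Returns nonzero when the handshake succeeds with `opts` applied. In real
 * use this would set the mask with SSL_CTX_set_options() and try the
 * Windows client; that wiring is assumed here, not shown. */
typedef int (*handshake_fn)(unsigned long opts);

/* Greedy reduction: clear each bit of `all` in turn and keep it cleared if
 * the handshake still works. Assumes extra workarounds never break the
 * handshake, so one pass yields a set from which no flag can be dropped.
 * Returns 0 and stores the mask in *out, or -1 if even `all` fails. */
int minimal_options(unsigned long all, handshake_fn works, unsigned long *out)
{
    unsigned long keep = all;
    unsigned long bit;

    if (!works(all))
        return -1;
    for (bit = 1; bit != 0 && bit <= all; bit <<= 1) {
        if ((keep & bit) && works(keep & ~bit))
            keep &= ~bit;            /* not needed for interoperability */
    }
    *out = keep;
    return 0;
}

/* Constructed flag values for the demo; NOT OpenSSL's real constants. */
enum { DEMO_OP_A = 0x01, DEMO_OP_B = 0x02, DEMO_OP_C = 0x04,
       DEMO_OP_D = 0x08, DEMO_OP_ALL = 0x0F };

static int probes;                   /* handshake attempts made so far */

/* Constructed oracle: pretend the peer needs workarounds B and D. */
int demo_handshake(unsigned long opts)
{
    probes++;
    return (opts & (DEMO_OP_B | DEMO_OP_D)) == (DEMO_OP_B | DEMO_OP_D);
}

int main(void)
{
    unsigned long need = 0;

    if (minimal_options(DEMO_OP_ALL, demo_handshake, &need) != 0)
        return 1;
    printf("minimum options: 0x%lx after %d probes\n", need, probes);
    return 0;
}
```

The number of handshake attempts is one per bit in the mask plus the initial check, so a mask of about ten flags needs roughly eleven test connections.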



