[cups-devel] [UNKN] STR #4544: Allow setting of TLS options for web interface

Navid Zamini noreply at cups.org
Sun Dec 7 14:51:42 PST 2014



DO NOT REPLY TO THIS MESSAGE.  INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.

[STR New]

There seem to be no options to (recommended default in parentheses)
• set the protocol version (-ALL +TLSv1.2)
• honor the cipher order (on)
• preempt the cipherlist, and…
• set the cipher suite
(ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256)
• set the compression (off, due to BEAST)
• set the Diffie-Hellman file
• make sure the CA chain is included in the certificate [unless I can use
.crt.pem files that include the whole chain]

This means that even though my key and certificate are of high grade, the
connection security is of very weak quality (46%) [using Firefox 34 as the
client]:
• NO perfect forward secrecy
• Very weak key exchange, using the server key instead of e.g. ECDHE
• Only the broken SHA-1 as a MAC.
• (Firefox itself is to blame for having only 128-bit AES)

I don’t know if this affects the printing service interface too…

These options should exist. (Or ideally, all services on public sockets
should be TLS-enabled by the OS itself, so that services don’t have to
re-invent the wheel. But that’s somebody else’s fault.)

Link: https://www.cups.org/str.php?L4544
Version: 1.7.5
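An added example (not part of the original report and not CUPS code): a Python check that handshakes with a TLS endpoint and flags the weaknesses the report lists, based on the parameters a client actually negotiates. The function names, the finding strings and the default port 631 are assumptions of this example.

```python
import socket
import ssl

# OpenSSL suite-name prefixes whose key exchange is ephemeral (forward secret).
EPHEMERAL_KX = ("ECDHE-", "DHE-", "EDH-")


def audit_negotiated(cipher_name, protocol, compression=None):
    """Return the report's weaknesses that apply to one negotiated session.

    Arguments are the values SSLSocket.cipher()[0], .version() and
    .compression() return for a connected socket.
    """
    findings = []
    if compression is not None:
        findings.append("TLS compression enabled")
    if protocol == "TLSv1.3":
        # TLS 1.3 suites are always ephemeral key exchange plus AEAD.
        return findings
    if protocol != "TLSv1.2":
        findings.append("protocol older than TLSv1.2")
    if not cipher_name.startswith(EPHEMERAL_KX):
        findings.append("no forward secrecy")
    if cipher_name.endswith("-SHA"):
        findings.append("SHA-1 MAC")
    return findings


def probe(host, port=631, timeout=5.0):
    """Handshake with host:port and audit what this client negotiated."""
    ctx = ssl.create_default_context()
    # Assumption: the server may use a self-signed certificate; only the
    # negotiated parameters are inspected, so verification is turned off.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return audit_negotiated(tls.cipher()[0], tls.version(), tls.compression())


if __name__ == "__main__":
    # Constructed sessions, not captured from a real server.
    for session in [("AES128-SHA", "TLSv1.2", None),
                    ("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", None)]:
        print(session, "->", audit_negotiated(*session) or "ok")
```

The result of `probe` reflects only the suite this particular client and the server agree on, so it should be repeated with each client of interest.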



