Index: doc/help/ref-cupsd-conf.html.in
===================================================================
--- doc/help/ref-cupsd-conf.html.in (revision 7934)
+++ doc/help/ref-cupsd-conf.html.in (working copy)
@@ -2842,27 +2842,45 @@
variable that should be passed to child processes.
-
+
Examples
-SSLListen 127.0.0.1:443
-SSLListen 192.0.2.1:443
+SSLOptions 127.0.0.1:443
+SSLOptions 192.0.2.1:443
Description
-The SSLListen
directive specifies a network
+
The SSLOptions
directive specifies a network
address and port to listen for secure connections. Multiple
-SSLListen
directives can be provided to listen on
+SSLOptions
directives can be provided to listen on
multiple addresses.
-The SSLListen
directive is similar to the The SSLOptions
directive is similar to the SSLPort
directive but allows you
to restrict access to specific interfaces or networks.
+
+
+Examples
+
+
+SSLOptions None
+SSLOptions NoEmptyFragments
+
+
+Description
+
+The SSLOptions
directive specifies additional SSL/TLS
+protocol options to use for encrypted connected. Currently only two
+options are supported - None
(the default) for the most
+secure mode and NoEmptyFragments
to allow CUPS to work with
+Microsoft Windows with the FIPS conformance mode enabled.
+
+
Examples
Index: man/cupsd.conf.man.in
===================================================================
--- man/cupsd.conf.man.in (revision 7934)
+++ man/cupsd.conf.man.in (working copy)
@@ -642,6 +642,12 @@
.br
Listens on the specified address and port for encrypted connections.
.TP 5
+SSLOptions None
+.TP 5
+SSLOptions NoEmptyFragments
+.br
+Sets SSL/TLS protocol options for encrypted connections.
+.TP 5
SSLPort
.br
Listens on the specified port for encrypted connections.
Index: CHANGES.txt
===================================================================
--- CHANGES.txt (revision 7934)
+++ CHANGES.txt (working copy)
@@ -4,6 +4,8 @@
CHANGES IN CUPS V1.4b1
- Documentation updates (STR #2567)
+ - Added a SSLOptions directive to allow Windows clients to
+ talk to CUPS in FIPS mode (STR #2827)
- Renamed the accept and reject commands to cupsaccept and
cupsreject; the old names are still available (STR #2936)
- The locale/translate utility needed an update to work with
Index: scheduler/client.c
===================================================================
--- scheduler/client.c (revision 7934)
+++ scheduler/client.c (working copy)
@@ -3080,6 +3080,8 @@
context = SSL_CTX_new(SSLv23_server_method());
SSL_CTX_set_options(context, SSL_OP_NO_SSLv2); /* Only use SSLv3 or TLS */
+ if (SSLOptions & CUPSD_SSL_NOEMPTY)
+ SSL_CTX_set_options(context, SSL_OP_DONTS_INSERT_EMPTY_FRAGMENTS);
SSL_CTX_use_PrivateKey_file(context, ServerKey, SSL_FILETYPE_PEM);
SSL_CTX_use_certificate_chain_file(context, ServerCertificate,
SSL_FILETYPE_PEM);
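Review bot: `SSL_OP_DONTS_INSERT_EMPTY_FRAGMENTS` on the second added line is not an OpenSSL identifier; the flag is `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS`, so this hunk will not compile in HAVE_LIBSSL builds. That flag switches off the empty-fragment insertion OpenSSL uses to mask the predictable CBC IV in SSLv3/TLS 1.0 records, so the line needs a why-comment that makes the trade-off explicit, e.g. `/* NoEmptyFragments: drops the CBC IV countermeasure; only for Windows FIPS-mode clients */`, and a `#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` guard is worth considering since older OpenSSL releases may not define it. Only the OpenSSL path is changed here, while the conf.h hunk declares SSLOptions under HAVE_SSL, so on GNU TLS or CDSA builds the directive appears to be accepted but has no effect as far as this diff shows — that should be stated in the man page or logged at parse time. The enclosing function begins and ends outside the hunk.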
Index: scheduler/client.h
===================================================================
--- scheduler/client.h (revision 7934)
+++ scheduler/client.h (working copy)
@@ -17,6 +17,7 @@
# include
#endif /* HAVE_AUTHORIZATION_H */
+
/*
* HTTP client structure...
*/
Index: scheduler/conf.c
===================================================================
--- scheduler/conf.c (revision 7934)
+++ scheduler/conf.c (working copy)
@@ -549,6 +549,7 @@
DefaultAuthType = CUPSD_AUTH_BASIC;
#ifdef HAVE_SSL
DefaultEncryption = HTTP_ENCRYPT_REQUIRED;
+ SSLOptions = CUPSD_SSL_NONE;
#endif /* HAVE_SSL */
DirtyCleanInterval = DEFAULT_KEEPALIVE;
JobRetryLimit = 5;
@@ -3200,6 +3201,21 @@
"Missing value for SetEnv directive on line %d.",
linenum);
}
+ else if (!strcasecmp(line, "SSLOptions"))
+ {
+ /*
+ * SSLOptions options
+ */
+
+ if (!value || !strcasecmp(value, "none"))
+ SSLOptions = CUPSD_SSL_NONE;
+ else if (!strcasecmp(value, "noemptyfragments"))
+ SSLOptions = CUPSD_SSL_NOEMPTY;
+ else
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "Unknown value \"%s\" for SSLOptions directive on "
+ "line %d.", value, linenum);
+ }
else
{
/*
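Review bot: A bare `SSLOptions` line with no value is silently treated as None on the `if (!value || ...)` line, whereas the SetEnv branch immediately above logs "Missing value for SetEnv directive on line %d." — the two branches should handle a missing value the same way, or a comment should say the silent default is intentional. The conf.h hunk documents CUPSD_SSL_NONE/CUPSD_SSL_NOEMPTY as "SSL options (bits)", but this parser assigns rather than ORs, so only one option can be active and a later `SSLOptions` line replaces an earlier one; either the comment should state that or the values should be combined with `|=`. Since NoEmptyFragments weakens the TLS configuration, enabling it should also leave a trace in the error log so an operator can see from the log alone that the scheduler is running with the countermeasure disabled. The rewrite below keeps the unknown-value error branch unchanged.
```c
  else if (!strcasecmp(line, "SSLOptions"))
  {
   /*
    * SSLOptions None|NoEmptyFragments -- one value per directive line;
    * a later SSLOptions line replaces an earlier one.
    */

    if (!value)
      cupsdLogMessage(CUPSD_LOG_ERROR,
                      "Missing value for SSLOptions directive on line %d.",
                      linenum);
    else if (!strcasecmp(value, "none"))
      SSLOptions = CUPSD_SSL_NONE;
    else if (!strcasecmp(value, "noemptyfragments"))
    {
      SSLOptions = CUPSD_SSL_NOEMPTY;
      cupsdLogMessage(CUPSD_LOG_WARN,
                      "SSLOptions NoEmptyFragments on line %d disables the "
                      "empty-fragment CBC countermeasure.", linenum);
    }
    /* ... unchanged: unknown-value error ... */
  }
```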
Index: scheduler/conf.h
===================================================================
--- scheduler/conf.h (revision 7934)
+++ scheduler/conf.h (working copy)
@@ -67,6 +67,14 @@
/*
+ * SSL options (bits)...
+ */
+
+#define CUPSD_SSL_NONE 0 /* No special options */
+#define CUPSD_SSL_NOEMPTY 1 /* Do not insert empty fragments */
+
+
+/*
* Globals...
*/
@@ -217,6 +225,8 @@
VAR char *ServerKey VALUE(NULL);
/* Server key file */
# endif /* HAVE_LIBSSL || HAVE_GNUTLS */
+VAR int SSLOptions VALUE(CUPSD_SSL_NONE);
+ /* SSL/TLS options */
#endif /* HAVE_SSL */
#ifdef HAVE_LAUNCHD