Index: doc/help/ref-cupsd-conf.html.in
===================================================================
--- doc/help/ref-cupsd-conf.html.in (revision 7934)
+++ doc/help/ref-cupsd-conf.html.in (working copy)
@@ -2842,27 +2842,45 @@
 variable that should be passed to child processes.

-

SSLListen

+

SSLOptions

Examples

-SSLListen 127.0.0.1:443
-SSLListen 192.0.2.1:443
+SSLOptions 127.0.0.1:443
+SSLOptions 192.0.2.1:443
 

Description

-

The SSLListen directive specifies a network +

The SSLOptions directive specifies a network address and port to listen for secure connections. Multiple -SSLListen directives can be provided to listen on +SSLOptions directives can be provided to listen on multiple addresses.

-

The SSLListen directive is similar to the The SSLOptions directive is similar to the SSLPort directive but allows you to restrict access to specific interfaces or networks.

+

SSLOptions

+ +

Examples

+ +
+SSLOptions None
+SSLOptions NoEmptyFragments
+
+ +

Description

+ +

The SSLOptions directive specifies additional SSL/TLS +protocol options to use for encrypted connected. Currently only two +options are supported - None (the default) for the most +secure mode and NoEmptyFragments to allow CUPS to work with +Microsoft Windows with the FIPS conformance mode enabled.

+ +

SSLPort

Examples

Index: man/cupsd.conf.man.in
===================================================================
--- man/cupsd.conf.man.in (revision 7934)
+++ man/cupsd.conf.man.in (working copy)
@@ -642,6 +642,12 @@
 .br
 Listens on the specified address and port for encrypted connections.
 .TP 5
+SSLOptions None
+.TP 5
+SSLOptions NoEmptyFragments
+.br
+Sets SSL/TLS protocol options for encrypted connections.
+.TP 5
 SSLPort
 .br
 Listens on the specified port for encrypted connections.
Index: CHANGES.txt
===================================================================
--- CHANGES.txt (revision 7934)
+++ CHANGES.txt (working copy)
@@ -4,6 +4,8 @@
 CHANGES IN CUPS V1.4b1
 - Documentation updates (STR #2567)
+ - Added a SSLOptions directive to allow Windows clients to
+ talk to CUPS in FIPS mode (STR #2827)
 - Renamed the accept and reject commands to cupsaccept and
 cupsreject; the old names are still available (STR #2936)
 - The locale/translate utility needed an update to work with
Index: scheduler/client.c
===================================================================
--- scheduler/client.c (revision 7934)
+++ scheduler/client.c (working copy)
@@ -3080,6 +3080,8 @@
 context = SSL_CTX_new(SSLv23_server_method());
 SSL_CTX_set_options(context, SSL_OP_NO_SSLv2); /* Only use SSLv3 or TLS */
+ if (SSLOptions & CUPSD_SSL_NOEMPTY)
+ SSL_CTX_set_options(context, SSL_OP_DONTS_INSERT_EMPTY_FRAGMENTS);
 SSL_CTX_use_PrivateKey_file(context, ServerKey, SSL_FILETYPE_PEM);
 SSL_CTX_use_certificate_chain_file(context, ServerCertificate, SSL_FILETYPE_PEM);
Index: scheduler/client.h
===================================================================
--- scheduler/client.h (revision 7934)
+++ scheduler/client.h (working copy)
@@ -17,6 +17,7 @@
 # include
 #endif /* HAVE_AUTHORIZATION_H */
+
 /*
 * HTTP client structure...
 */
Index: scheduler/conf.c
===================================================================
--- scheduler/conf.c (revision 7934)
+++ scheduler/conf.c (working copy)
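Review bot: The option name on the added SSL_CTX_set_options() line in scheduler/client.c, `SSL_OP_DONTS_INSERT_EMPTY_FRAGMENTS`, is not an OpenSSL identifier as far as I can tell — OpenSSL spells it `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` — so a HAVE_LIBSSL build would fail on this line unless the extra letter is an artefact of how the page was rendered. The new line also deserves a why-comment in the style of the `/* Only use SSLv3 or TLS */` above it, because the flag removes OpenSSL's empty-fragment countermeasure against chosen-plaintext attacks on CBC ciphersuites in SSLv3/TLS 1.0, e.g. `/* Windows FIPS-mode clients reject empty fragments; omitting them weakens CBC protection */`. The hunk shows only the OpenSSL context setup; if client.c has other TLS backends (not visible here), they would ignore SSLOptions silently, which is worth either a comment or a log line. The enclosing function starts and ends outside the hunk.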
@@ -549,6 +549,7 @@
 DefaultAuthType = CUPSD_AUTH_BASIC;
 #ifdef HAVE_SSL
 DefaultEncryption = HTTP_ENCRYPT_REQUIRED;
+ SSLOptions = CUPSD_SSL_NONE;
 #endif /* HAVE_SSL */
 DirtyCleanInterval = DEFAULT_KEEPALIVE;
 JobRetryLimit = 5;
@@ -3200,6 +3201,21 @@
 "Missing value for SetEnv directive on line %d.", linenum);
 }
+ else if (!strcasecmp(line, "SSLOptions"))
+ {
+ /*
+ * SSLOptions options
+ */
+
+ if (!value || !strcasecmp(value, "none"))
+ SSLOptions = CUPSD_SSL_NONE;
+ else if (!strcasecmp(value, "noemptyfragments"))
+ SSLOptions = CUPSD_SSL_NOEMPTY;
+ else
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "Unknown value \"%s\" for SSLOptions directive on "
+ "line %d.", value, linenum);
+ }
 else
 {
 /*
Index: scheduler/conf.h
===================================================================
--- scheduler/conf.h (revision 7934)
+++ scheduler/conf.h (working copy)
@@ -67,6 +67,14 @@
 /*
+ * SSL options (bits)...
+ */
+
+#define CUPSD_SSL_NONE 0 /* No special options */
+#define CUPSD_SSL_NOEMPTY 1 /* Do not insert empty fragments */
+
+
+/*
 * Globals...
 */
@@ -217,6 +225,8 @@
 VAR char *ServerKey VALUE(NULL); /* Server key file */
 # endif /* HAVE_LIBSSL || HAVE_GNUTLS */
+VAR int SSLOptions VALUE(CUPSD_SSL_NONE);
+ /* SSL/TLS options */
 #endif /* HAVE_SSL */
 #ifdef HAVE_LAUNCHD
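Review bot: The new `else if (!strcasecmp(line, "SSLOptions"))` branch in scheduler/conf.c records NoEmptyFragments silently, although that setting deliberately lowers TLS record protection (the empty fragment is the countermeasure for CBC chosen-plaintext attacks in SSLv3/TLS 1.0); administrators would see the reduced-security mode in error_log if the `noemptyfragments` branch also did `cupsdLogMessage(CUPSD_LOG_WARN, "SSLOptions NoEmptyFragments reduces protection for CBC ciphersuites (line %d).", linenum);`. Separately, conf.h introduces CUPSD_SSL_NONE and CUPSD_SSL_NOEMPTY as "bits", but this branch assigns with `=` and compares the whole value, so only one option can ever be in effect and, assuming value holds the rest of the line, `SSLOptions None NoEmptyFragments` is rejected as an unknown value; either tokenize value on whitespace and OR the flags, or drop "(bits)" from the conf.h comment so the two agree. The added comment `/* SSLOptions options */` only restates the directive name; `/* SSLOptions None|NoEmptyFragments */` would tell a reader the accepted values. The enclosing parse loop starts and ends outside the hunk.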