services: cups: Complete SSL-OPTIONS.

…except for ‘AllowDH’, which makes no sense on GNU TLS systems.

* gnu/services/cups.scm (ssl-options?): Validate ‘DenyCBC’ and
‘DenyTLS1.0’.
* doc/guix.texi (Printing Services): Document them both.
Tobias Geerinckx-Rice 2019-08-27 08:48:27 +02:00
parent 32e18e9b94
commit f9c1ebdb7d
No known key found for this signature in database
GPG key ID: 0DB0FF884F556D79
2 changed files with 14 additions and 7 deletions

@ -49,7 +49,7 @@ Copyright @copyright{} 2017 Christopher Allan Webber@*
Copyright @copyright{} 2017, 2018 Marius Bakke@* Copyright @copyright{} 2017, 2018 Marius Bakke@*
Copyright @copyright{} 2017 Hartmut Goebel@* Copyright @copyright{} 2017 Hartmut Goebel@*
Copyright @copyright{} 2017 Maxim Cournoyer@* Copyright @copyright{} 2017 Maxim Cournoyer@*
Copyright @copyright{} 2017, 2018 Tobias Geerinckx-Rice@* Copyright @copyright{} 2017, 2018, 2019 Tobias Geerinckx-Rice@*
Copyright @copyright{} 2017 George Clemmer@* Copyright @copyright{} 2017 George Clemmer@*
Copyright @copyright{} 2017 Andy Wingo@* Copyright @copyright{} 2017 Andy Wingo@*
Copyright @copyright{} 2017, 2018, 2019 Arun Isaac@* Copyright @copyright{} 2017, 2018, 2019 Arun Isaac@*
@ -14757,11 +14757,14 @@ Defaults to @samp{()}.
@deftypevr {@code{cups-configuration} parameter} ssl-options ssl-options @deftypevr {@code{cups-configuration} parameter} ssl-options ssl-options
Sets encryption options. By default, CUPS only supports encryption Sets encryption options. By default, CUPS only supports encryption
using TLS v1.0 or higher using known secure cipher suites. The using TLS v1.0 or higher using known secure cipher suites. Security is
@code{AllowRC4} option enables the 128-bit RC4 cipher suites, which are reduced when @code{Allow} options are used, and enhanced when @code{Deny}
required for some older clients that do not implement newer ones. The options are used. The @code{AllowRC4} option enables the 128-bit RC4 cipher
@code{AllowSSL3} option enables SSL v3.0, which is required for some suites, which are required for some older clients. The @code{AllowSSL3} option
older clients that do not support TLS v1.0. enables SSL v3.0, which is required for some older clients that do not support
TLS v1.0. The @code{DenyCBC} option disables all CBC cipher suites. The
@code{DenyTLS1.0} option disables TLS v1.0 support - this sets the minimum
protocol version to TLS v1.1.
Defaults to @samp{()}. Defaults to @samp{()}.
@end deftypevr @end deftypevr
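Review bot: the rewritten paragraph never mentions that 'AllowDH' is deliberately not accepted, which the commit message states but the manual does not. A reader who knows the option from elsewhere will only learn this from a validation failure; one sentence after the DenyTLS1.0 description saying that 'AllowDH' is not supported because it has no effect with GnuTLS would close that gap. Style point in the same paragraph: "disables TLS v1.0 support - this sets the minimum" uses a spaced hyphen as a dash; in Texinfo write "---" or split it into two sentences.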

@ -3,6 +3,7 @@
;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org> ;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net> ;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2019 Alex Griffin <a@ajgrf.com> ;;; Copyright © 2019 Alex Griffin <a@ajgrf.com>
;;; Copyright © 2019 Tobias Geerinckx-Rice <me@tobias.gr>
;;; ;;;
;;; This file is part of GNU Guix. ;;; This file is part of GNU Guix.
;;; ;;;
@ -170,7 +171,10 @@ (define (serialize-boolean-or-non-negative-integer field-name x)
(define (ssl-options? x) (define (ssl-options? x)
(and (list? x) (and (list? x)
(and-map (lambda (elt) (memq elt '(AllowRC4 AllowSSL3))) x))) (and-map (lambda (elt) (memq elt '(AllowRC4
AllowSSL3
DenyCBC
DenyTLS1.0))) x)))
(define (serialize-ssl-options field-name val) (define (serialize-ssl-options field-name val)
(serialize-field field-name (serialize-field field-name
(match val (match val
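Review bot: the membership test in ssl-options? accepts any mix of the four symbols, so a list such as '(AllowSSL3 DenyTLS1.0) now validates even though the documentation added in this commit describes one option as enabling SSL v3.0 and the other as raising the minimum to TLS v1.1. Either reject contradictory Allow/Deny pairs here or state in the manual which one takes effect, so a configuration meant to harden the server cannot silently carry a downgrade option. It would also help to put a short comment above the quoted list noting that 'AllowDH' is left out on purpose, since that reasoning currently lives only in the commit message.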