Control: tags -1 +upstream
Control: forwarded -1 https://github.com/apple/cups/issues/5037
Control: tags -1 +wontfix # Not going to be a Debian-specific patch

On Friday, 23 June 2017, 09:42:33 CEST, of.the@protonmail.com wrote:

> * SHA-1 is officially deprecated for HTTPS certificates, but is still used
> for cups certificate generation.
> * TLSv1.0 is enabled for cups, but TLSv1.0 with CBC / SHA-1 is potentially
> vulnerable to BEAST attacks.

Right. Please see the above link for upstream's discussion. TLSv1.0 is still used by plenty of printers apparently, and I don't really fancy diverging from upstream on crypto code.

> I suggest two resolutions to correct this, even though it is understood that
> default certificates are self-signed anyway.
>
> * Generate SHA-2 signed certificates by default. This will lessen the
> additional browser warnings.

The CUPS server certificates are set up to be ssl-cert's (see the symlinking code in cups-daemon.postinst), so that's a good suggestion for that to be fixed centrally in ssl-cert.

> * Enable only TLSv1.2 for the cups HTTPS interface and disable CBC and SHA-1
> crypto. TLSv1.0 has numerous known, potential security issues with CBC /
> SHA-1 suites. All current web clients support TLSv1.2 and so disabling
> TLSv1.0 should have no negative effect for local Debian users and is likely
> to also have virtually no impact for remote cups users as well accessing the
> cups interface remotely.

That's definitely not a change I'm going to carry alone. Please convince upstream and I'll make the Debian CUPS follow that!

Cheers,
OdyX
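An added audit script for the policy the reporter asks for (no TLSv1.0, no CBC suites, no SHA-1 MAC suites). It is not part of CUPS, of the Debian packaging, or of this bug thread. It probes a CUPS web interface (the default `localhost:631` is an assumption) once per protocol version, records the suite the server negotiates, and reports which of those results violate the policy; the suite-name classifier understands both OpenSSL names (`ECDHE-RSA-AES128-SHA`) and IANA names (`TLS_RSA_WITH_AES_128_CBC_SHA`). The sample result dictionary under `__main__` fallback is constructed for illustration.

```python
"""Audit a CUPS HTTPS interface against: no TLSv1.0/1.1, no CBC, no SHA-1 MAC.

Added example for this bug thread, not CUPS or Debian code. Host/port default
(localhost:631) and the sample suite names are assumptions for illustration.
"""
import socket
import ssl
import sys

# Suites in AEAD modes use SHA-2 only in the PRF/KDF, so they are acceptable.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20", "POLY1305")
# In OpenSSL naming a block cipher without an AEAD marker is a CBC suite
# (e.g. "AES256-SHA256" is AES-256-CBC with HMAC-SHA256).
BLOCK_CIPHERS = ("AES", "3DES", "DES", "CAMELLIA", "SEED", "ARIA")

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def classify_suite(name):
    """Return the set of policy violations ('CBC', 'SHA-1 MAC') for one suite name."""
    n = name.upper().replace("_", "-")
    problems = set()
    aead = any(m in n for m in AEAD_MARKERS)
    if "CBC" in n or (not aead and any(b in n for b in BLOCK_CIPHERS)):
        problems.add("CBC")
    # A trailing "-SHA" with no digits means the MAC is HMAC-SHA1.
    if n.endswith("-SHA"):
        problems.add("SHA-1 MAC")
    return problems


def probe(host, port, version):
    """Handshake with exactly one TLS version; return the negotiated suite or None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # CUPS certs are self-signed; we audit the handshake, not the chain
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # Modern OpenSSL refuses TLS 1.0/1.1 at the default security level;
        # lower it so a server that still offers them can be detected.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def assess(offered):
    """offered: {version label: negotiated suite or None}. Returns finding strings."""
    findings = []
    for label, suite in offered.items():
        if suite is None:
            continue  # server refused this version: nothing to report
        if label in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{label} accepted (negotiated {suite})")
        for problem in sorted(classify_suite(suite)):
            findings.append(f"{label}: {suite} uses {problem}")
    return findings


def audit(host="localhost", port=631):
    """Probe every version and return the policy findings for that server."""
    return assess({label: probe(host, port, v) for label, v in VERSIONS.items()})


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 631
    for line in audit(host, port) or ["no policy violations found"]:
        print(line)
```

Run it as `python3 cups_tls_audit.py localhost 631` against a CUPS instance with `SSLListen`/`Listen` on a TLS port. The report distinguishes the two complaints in the bug: a protocol finding (TLSv1.0 accepted at all) and a suite finding (a CBC or SHA-1 MAC suite negotiated on any version), so a server that has already moved to TLSv1.2 but still prefers `AES128-SHA` is flagged too. Upstream's `SSLOptions` directive in `cups-files.conf` is where such a policy would be expressed; which keywords a given CUPS release accepts is documented in that release's `man cups-files.conf`.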