2 * TLS check program for CUPS.
4 * Copyright 2007-2017 by Apple Inc.
5 * Copyright 1997-2006 by Easy Software Products.
7 * These coded instructions, statements, and computer programs are the
8 * property of Apple Inc. and are protected by Federal copyright
9 * law. Distribution and use rights are outlined in the file "LICENSE.txt"
10 * which should have been included with this file. If this file is
11 * missing or damaged, see the license at "http://www.cups.org/".
13 * This file is subject to the Apple OS-Developed Software exception.
17 * Include necessary headers...
20 #include "cups-private.h"
/*
 * 'main()' - Stub entry point for builds without TLS support: print a
 *            notice and exit with a failure status.
 */

int					/* O - Exit status (always 1) */
main(void)
{
  puts("Sorry, no TLS support compiled in.");

  return 1;
}
/* Prototype for the usage() helper that is defined at the end of this file. */
31 static void usage(void);
35 * 'main()' - Main entry.
/*
 * Entry point of the TLS check tool.  The visible body parses the command
 * line, applies the chosen TLS options, connects with encryption required,
 * reports the negotiated TLS version and cipher suite, and sends an IPP
 * Get-Printer-Attributes request whose printer attributes are printed.
 */
38 int /* O - Exit status */
39 main(int argc, /* I - Number of command-line arguments */
40 char *argv[]) /* I - Command-line arguments */
42 int i; /* Looping var */
43 http_t *http; /* HTTP connection */
44 const char *server = NULL; /* Hostname from command-line */
45 int port = 0; /* Port number */
46 const char *cipherName = "UNKNOWN";/* Cipher suite name */
47 int dhBits = 0; /* Diffie-Hellman bits */
/* Printed below as tlsVersion / 10 "." tlsVersion % 10, i.e. major*10 + minor */
48 int tlsVersion = 0; /* TLS version number */
49 char uri[1024], /* Printer URI */
50 scheme[32], /* URI scheme */
51 host[256], /* Hostname */
52 userpass[256], /* Username/password */
53 resource[256]; /* Resource path */
54 int af = AF_UNSPEC, /* Address family */
/* TLS option bits handed to _httpTLSSetOptions(); no option is set by default */
55 tls_options = _HTTP_TLS_NONE,
/* Lowest and highest TLS versions handed to _httpTLSSetOptions() */
57 tls_min_version = _HTTP_TLS_1_0,
58 tls_max_version = _HTTP_TLS_MAX,
59 verbose = 0; /* Verbosity */
60 ipp_t *request, /* IPP Get-Printer-Attributes request */
61 *response; /* IPP Get-Printer-Attributes response */
62 ipp_attribute_t *attr; /* Current attribute */
63 const char *name; /* Attribute name */
64 char value[1024]; /* Attribute (string) value */
/* Keywords sent as "requested-attributes" in the IPP request below */
65 static const char * const pattrs[] = /* Requested attributes */
68 "compression-supported",
69 "document-format-supported",
72 "printer-make-and-model",
74 "printer-state-reasons",
76 "uri-authentication-supported",
77 "uri-security-supported"
/*
 * Walk the command line.  Arguments starting with '-' adjust the TLS policy
 * or verbosity; the remaining ones name the server (or an ipps:// URI) and
 * an optional port.
 */
81 for (i = 1; i < argc; i ++)
/* Opt in to DH/DHE key exchange */
83 if (!strcmp(argv[i], "--dh"))
85 tls_options |= _HTTP_TLS_ALLOW_DH;
/* Refuse CBC-mode cipher suites */
87 else if (!strcmp(argv[i], "--no-cbc"))
89 tls_options |= _HTTP_TLS_DENY_CBC;
/* Raise the minimum version to TLS/1.1; the maximum is left unchanged */
91 else if (!strcmp(argv[i], "--no-tls10"))
93 tls_min_version = _HTTP_TLS_1_1;
/* --tls10/--tls11/--tls12/--tls13 pin both bounds to a single version */
95 else if (!strcmp(argv[i], "--tls10"))
97 tls_min_version = _HTTP_TLS_1_0;
98 tls_max_version = _HTTP_TLS_1_0;
100 else if (!strcmp(argv[i], "--tls11"))
102 tls_min_version = _HTTP_TLS_1_1;
103 tls_max_version = _HTTP_TLS_1_1;
105 else if (!strcmp(argv[i], "--tls12"))
107 tls_min_version = _HTTP_TLS_1_2;
108 tls_max_version = _HTTP_TLS_1_2;
110 else if (!strcmp(argv[i], "--tls13"))
112 tls_min_version = _HTTP_TLS_1_3;
113 tls_max_version = _HTTP_TLS_1_3;
/* Opt in to RC4 suites; the RC4 check later in main() still reports the two RSA RC4 suites as errors */
115 else if (!strcmp(argv[i], "--rc4"))
117 tls_options |= _HTTP_TLS_ALLOW_RC4;
/* The bodies of the --verbose/-v, -4 and -6 branches are not shown on this page */
119 else if (!strcmp(argv[i], "--verbose") || !strcmp(argv[i], "-v"))
123 else if (!strcmp(argv[i], "-4"))
127 else if (!strcmp(argv[i], "-6"))
/* Any other argument starting with '-' is reported as an unknown option */
131 else if (argv[i][0] == '-')
133 printf("tlscheck: Unknown option '%s'.\n", argv[i]);
/*
 * ipps:// argument: split the URI into scheme, user info, host, port and
 * resource, each bounded by the size of its destination buffer.
 * NOTE(review): the status returned by httpSeparateURI() is not checked on
 * this line, so a malformed URI is not rejected here - confirm that the
 * caller is expected to tolerate that.
 */
138 if (!strncmp(argv[i], "ipps://", 7))
140 httpSeparateURI(HTTP_URI_CODING_ALL, argv[i], scheme, sizeof(scheme), userpass, sizeof(userpass), host, sizeof(host), &port, resource, sizeof(resource));
/* Resource path used when no ipps:// URI supplied one (bounded copy) */
146 strlcpy(resource, "/ipp/print", sizeof(resource));
/*
 * Port argument, accepted once (while port is still 0), either as digits or
 * as "=digits".  The "& 255" keeps the value passed to isdigit() non-negative.
 * NOTE(review): atoi() reports neither conversion errors nor out-of-range
 * values, and no range check on port is visible before it reaches
 * httpConnect2(); strtol() plus a 1..65535 check would reject bad input.
 */
149 else if (!port && (argv[i][0] == '=' || isdigit(argv[i][0] & 255)))
151 if (argv[i][0] == '=')
152 port = atoi(argv[i] + 1);
154 port = atoi(argv[i]);
/* Anything left over is reported as an unexpected argument */
158 printf("tlscheck: Unexpected argument '%s'.\n", argv[i]);
/* Apply the option bits and version bounds collected from the command line */
169 _httpTLSSetOptions(tls_options, tls_min_version, tls_max_version);
/*
 * Connect with HTTP_ENCRYPTION_ALWAYS so the TLS handshake is part of the
 * connection; 1 selects blocking mode and 30000 is the timeout in
 * milliseconds (httpConnect2() argument order).
 */
171 http = httpConnect2(server, port, NULL, af, HTTP_ENCRYPTION_ALWAYS, 1, 30000, NULL);
/* Connection failure is reported with the last CUPS error string */
174 printf("%s: ERROR (%s)\n", server, cupsLastErrorString());
/*
 * Secure Transport inspection of the negotiated session (the section closes
 * at "#endif __APPLE__" further down).  http->tls is the TLS context of the
 * connection opened above.
 */
179 SSLProtocol protocol;
180 SSLCipherSuite cipher;
/* Scratch buffer for the "UNKNOWN_xxxx" name formatted after the cipher cases */
181 char unknownCipherName[256];
/* Read by the Diffie-Hellman check below; where it is set is not shown on this page */
182 int paramsNeeded = 0;
/* Ask Secure Transport which protocol version was negotiated */
187 if ((err = SSLGetNegotiatedProtocolVersion(http->tls, &protocol)) != noErr)
189 printf("%s: ERROR (No protocol version - %d)\n", server, (int)err);
/* Per-version cases; their bodies are not shown here (presumably they set tlsVersion - confirm) */
205 case kTLSProtocol11 :
208 case kTLSProtocol12 :
/* Ask Secure Transport which cipher suite was negotiated */
213 if ((err = SSLGetNegotiatedCipher(http->tls, &cipher)) != noErr)
215 printf("%s: ERROR (No cipher suite - %d)\n", server, (int)err);
/*
 * Translate the negotiated SSLCipherSuite value into its name for the report.
 * NOTE(review): the list includes NULL-encryption, anonymous (DH_anon and
 * ECDH_anon), RC4 and 3DES suites.  In the lines visible here these cases
 * only assign a name; the only rejection visible afterwards is the RC4
 * comparison against two RSA suites, so a report naming any other suite
 * from those families should be read as a finding by the operator.
 */
222 case TLS_NULL_WITH_NULL_NULL:
223 cipherName = "TLS_NULL_WITH_NULL_NULL";
225 case TLS_RSA_WITH_NULL_MD5:
226 cipherName = "TLS_RSA_WITH_NULL_MD5";
228 case TLS_RSA_WITH_NULL_SHA:
229 cipherName = "TLS_RSA_WITH_NULL_SHA";
231 case TLS_RSA_WITH_RC4_128_MD5:
232 cipherName = "TLS_RSA_WITH_RC4_128_MD5";
234 case TLS_RSA_WITH_RC4_128_SHA:
235 cipherName = "TLS_RSA_WITH_RC4_128_SHA";
237 case TLS_RSA_WITH_3DES_EDE_CBC_SHA:
238 cipherName = "TLS_RSA_WITH_3DES_EDE_CBC_SHA";
240 case TLS_RSA_WITH_NULL_SHA256:
241 cipherName = "TLS_RSA_WITH_NULL_SHA256";
243 case TLS_RSA_WITH_AES_128_CBC_SHA256:
244 cipherName = "TLS_RSA_WITH_AES_128_CBC_SHA256";
246 case TLS_RSA_WITH_AES_256_CBC_SHA256:
247 cipherName = "TLS_RSA_WITH_AES_256_CBC_SHA256";
249 case TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA:
250 cipherName = "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA";
253 case TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA:
254 cipherName = "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA";
257 case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA:
258 cipherName = "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA";
261 case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
262 cipherName = "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA";
265 case TLS_DH_DSS_WITH_AES_128_CBC_SHA256:
266 cipherName = "TLS_DH_DSS_WITH_AES_128_CBC_SHA256";
269 case TLS_DH_RSA_WITH_AES_128_CBC_SHA256:
270 cipherName = "TLS_DH_RSA_WITH_AES_128_CBC_SHA256";
273 case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256:
274 cipherName = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256";
277 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
278 cipherName = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256";
281 case TLS_DH_DSS_WITH_AES_256_CBC_SHA256:
282 cipherName = "TLS_DH_DSS_WITH_AES_256_CBC_SHA256";
285 case TLS_DH_RSA_WITH_AES_256_CBC_SHA256:
286 cipherName = "TLS_DH_RSA_WITH_AES_256_CBC_SHA256";
289 case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256:
290 cipherName = "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256";
293 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
294 cipherName = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256";
297 case TLS_DH_anon_WITH_RC4_128_MD5:
298 cipherName = "TLS_DH_anon_WITH_RC4_128_MD5";
301 case TLS_DH_anon_WITH_3DES_EDE_CBC_SHA:
302 cipherName = "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA";
305 case TLS_DH_anon_WITH_AES_128_CBC_SHA256:
306 cipherName = "TLS_DH_anon_WITH_AES_128_CBC_SHA256";
309 case TLS_DH_anon_WITH_AES_256_CBC_SHA256:
310 cipherName = "TLS_DH_anon_WITH_AES_256_CBC_SHA256";
313 case TLS_PSK_WITH_RC4_128_SHA:
314 cipherName = "TLS_PSK_WITH_RC4_128_SHA";
316 case TLS_PSK_WITH_3DES_EDE_CBC_SHA:
317 cipherName = "TLS_PSK_WITH_3DES_EDE_CBC_SHA";
319 case TLS_PSK_WITH_AES_128_CBC_SHA:
320 cipherName = "TLS_PSK_WITH_AES_128_CBC_SHA";
322 case TLS_PSK_WITH_AES_256_CBC_SHA:
323 cipherName = "TLS_PSK_WITH_AES_256_CBC_SHA";
325 case TLS_DHE_PSK_WITH_RC4_128_SHA:
326 cipherName = "TLS_DHE_PSK_WITH_RC4_128_SHA";
329 case TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA:
330 cipherName = "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA";
333 case TLS_DHE_PSK_WITH_AES_128_CBC_SHA:
334 cipherName = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA";
337 case TLS_DHE_PSK_WITH_AES_256_CBC_SHA:
338 cipherName = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA";
341 case TLS_RSA_PSK_WITH_RC4_128_SHA:
342 cipherName = "TLS_RSA_PSK_WITH_RC4_128_SHA";
344 case TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA:
345 cipherName = "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA";
347 case TLS_RSA_PSK_WITH_AES_128_CBC_SHA:
348 cipherName = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA";
350 case TLS_RSA_PSK_WITH_AES_256_CBC_SHA:
351 cipherName = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA";
353 case TLS_PSK_WITH_NULL_SHA:
354 cipherName = "TLS_PSK_WITH_NULL_SHA";
356 case TLS_DHE_PSK_WITH_NULL_SHA:
357 cipherName = "TLS_DHE_PSK_WITH_NULL_SHA";
360 case TLS_RSA_PSK_WITH_NULL_SHA:
361 cipherName = "TLS_RSA_PSK_WITH_NULL_SHA";
363 case TLS_RSA_WITH_AES_128_GCM_SHA256:
364 cipherName = "TLS_RSA_WITH_AES_128_GCM_SHA256";
366 case TLS_RSA_WITH_AES_256_GCM_SHA384:
367 cipherName = "TLS_RSA_WITH_AES_256_GCM_SHA384";
369 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
370 cipherName = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256";
373 case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:
374 cipherName = "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384";
377 case TLS_DH_RSA_WITH_AES_128_GCM_SHA256:
378 cipherName = "TLS_DH_RSA_WITH_AES_128_GCM_SHA256";
381 case TLS_DH_RSA_WITH_AES_256_GCM_SHA384:
382 cipherName = "TLS_DH_RSA_WITH_AES_256_GCM_SHA384";
385 case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256:
386 cipherName = "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256";
389 case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384:
390 cipherName = "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384";
393 case TLS_DH_DSS_WITH_AES_128_GCM_SHA256:
394 cipherName = "TLS_DH_DSS_WITH_AES_128_GCM_SHA256";
397 case TLS_DH_DSS_WITH_AES_256_GCM_SHA384:
398 cipherName = "TLS_DH_DSS_WITH_AES_256_GCM_SHA384";
401 case TLS_DH_anon_WITH_AES_128_GCM_SHA256:
402 cipherName = "TLS_DH_anon_WITH_AES_128_GCM_SHA256";
405 case TLS_DH_anon_WITH_AES_256_GCM_SHA384:
406 cipherName = "TLS_DH_anon_WITH_AES_256_GCM_SHA384";
409 case TLS_PSK_WITH_AES_128_GCM_SHA256:
410 cipherName = "TLS_PSK_WITH_AES_128_GCM_SHA256";
412 case TLS_PSK_WITH_AES_256_GCM_SHA384:
413 cipherName = "TLS_PSK_WITH_AES_256_GCM_SHA384";
415 case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256:
416 cipherName = "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256";
419 case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384:
420 cipherName = "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384";
423 case TLS_RSA_PSK_WITH_AES_128_GCM_SHA256:
424 cipherName = "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256";
426 case TLS_RSA_PSK_WITH_AES_256_GCM_SHA384:
427 cipherName = "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384";
429 case TLS_PSK_WITH_AES_128_CBC_SHA256:
430 cipherName = "TLS_PSK_WITH_AES_128_CBC_SHA256";
432 case TLS_PSK_WITH_AES_256_CBC_SHA384:
433 cipherName = "TLS_PSK_WITH_AES_256_CBC_SHA384";
435 case TLS_PSK_WITH_NULL_SHA256:
436 cipherName = "TLS_PSK_WITH_NULL_SHA256";
438 case TLS_PSK_WITH_NULL_SHA384:
439 cipherName = "TLS_PSK_WITH_NULL_SHA384";
441 case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256:
442 cipherName = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256";
445 case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384:
446 cipherName = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384";
449 case TLS_DHE_PSK_WITH_NULL_SHA256:
450 cipherName = "TLS_DHE_PSK_WITH_NULL_SHA256";
453 case TLS_DHE_PSK_WITH_NULL_SHA384:
454 cipherName = "TLS_DHE_PSK_WITH_NULL_SHA384";
457 case TLS_RSA_PSK_WITH_AES_128_CBC_SHA256:
458 cipherName = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256";
460 case TLS_RSA_PSK_WITH_AES_256_CBC_SHA384:
461 cipherName = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384";
463 case TLS_RSA_PSK_WITH_NULL_SHA256:
464 cipherName = "TLS_RSA_PSK_WITH_NULL_SHA256";
466 case TLS_RSA_PSK_WITH_NULL_SHA384:
467 cipherName = "TLS_RSA_PSK_WITH_NULL_SHA384";
469 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
470 cipherName = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256";
473 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
474 cipherName = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384";
477 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256:
478 cipherName = "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256";
481 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384:
482 cipherName = "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384";
485 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
486 cipherName = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256";
489 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:
490 cipherName = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384";
493 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256:
494 cipherName = "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256";
497 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384:
498 cipherName = "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384";
501 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
502 cipherName = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256";
505 case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
506 cipherName = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384";
509 case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256:
510 cipherName = "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256";
513 case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384:
514 cipherName = "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384";
517 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
518 cipherName = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
521 case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
522 cipherName = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
525 case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256:
526 cipherName = "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256";
529 case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384:
530 cipherName = "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384";
533 case TLS_RSA_WITH_AES_128_CBC_SHA:
534 cipherName = "TLS_RSA_WITH_AES_128_CBC_SHA";
536 case TLS_DH_DSS_WITH_AES_128_CBC_SHA:
537 cipherName = "TLS_DH_DSS_WITH_AES_128_CBC_SHA";
540 case TLS_DH_RSA_WITH_AES_128_CBC_SHA:
541 cipherName = "TLS_DH_RSA_WITH_AES_128_CBC_SHA";
544 case TLS_DHE_DSS_WITH_AES_128_CBC_SHA:
545 cipherName = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA";
548 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
549 cipherName = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA";
552 case TLS_DH_anon_WITH_AES_128_CBC_SHA:
553 cipherName = "TLS_DH_anon_WITH_AES_128_CBC_SHA";
556 case TLS_RSA_WITH_AES_256_CBC_SHA:
557 cipherName = "TLS_RSA_WITH_AES_256_CBC_SHA";
559 case TLS_DH_DSS_WITH_AES_256_CBC_SHA:
560 cipherName = "TLS_DH_DSS_WITH_AES_256_CBC_SHA";
563 case TLS_DH_RSA_WITH_AES_256_CBC_SHA:
564 cipherName = "TLS_DH_RSA_WITH_AES_256_CBC_SHA";
567 case TLS_DHE_DSS_WITH_AES_256_CBC_SHA:
568 cipherName = "TLS_DHE_DSS_WITH_AES_256_CBC_SHA";
571 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
572 cipherName = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA";
575 case TLS_DH_anon_WITH_AES_256_CBC_SHA:
576 cipherName = "TLS_DH_anon_WITH_AES_256_CBC_SHA";
579 case TLS_ECDH_ECDSA_WITH_NULL_SHA:
580 cipherName = "TLS_ECDH_ECDSA_WITH_NULL_SHA";
583 case TLS_ECDH_ECDSA_WITH_RC4_128_SHA:
584 cipherName = "TLS_ECDH_ECDSA_WITH_RC4_128_SHA";
587 case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA:
588 cipherName = "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA";
591 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA:
592 cipherName = "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA";
595 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA:
596 cipherName = "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA";
599 case TLS_ECDHE_ECDSA_WITH_NULL_SHA:
600 cipherName = "TLS_ECDHE_ECDSA_WITH_NULL_SHA";
603 case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:
604 cipherName = "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA";
607 case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA:
608 cipherName = "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA";
611 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
612 cipherName = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA";
615 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
616 cipherName = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA";
619 case TLS_ECDH_RSA_WITH_NULL_SHA:
620 cipherName = "TLS_ECDH_RSA_WITH_NULL_SHA";
623 case TLS_ECDH_RSA_WITH_RC4_128_SHA:
624 cipherName = "TLS_ECDH_RSA_WITH_RC4_128_SHA";
627 case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA:
628 cipherName = "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA";
631 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA:
632 cipherName = "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA";
635 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA:
636 cipherName = "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA";
639 case TLS_ECDHE_RSA_WITH_NULL_SHA:
640 cipherName = "TLS_ECDHE_RSA_WITH_NULL_SHA";
643 case TLS_ECDHE_RSA_WITH_RC4_128_SHA:
644 cipherName = "TLS_ECDHE_RSA_WITH_RC4_128_SHA";
647 case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:
648 cipherName = "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA";
651 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
652 cipherName = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA";
655 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
656 cipherName = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA";
659 case TLS_ECDH_anon_WITH_NULL_SHA:
660 cipherName = "TLS_ECDH_anon_WITH_NULL_SHA";
663 case TLS_ECDH_anon_WITH_RC4_128_SHA:
664 cipherName = "TLS_ECDH_anon_WITH_RC4_128_SHA";
667 case TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA:
668 cipherName = "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA";
671 case TLS_ECDH_anon_WITH_AES_128_CBC_SHA:
672 cipherName = "TLS_ECDH_anon_WITH_AES_128_CBC_SHA";
675 case TLS_ECDH_anon_WITH_AES_256_CBC_SHA:
676 cipherName = "TLS_ECDH_anon_WITH_AES_256_CBC_SHA";
/*
 * Fallback name: "UNKNOWN_" plus the suite value in hex, written with a
 * bounded snprintf() (presumably the switch's default branch - its label
 * is not shown on this page).
 */
680 snprintf(unknownCipherName, sizeof(unknownCipherName), "UNKNOWN_%04X", cipher);
681 cipherName = unknownCipherName;
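/*
 * Policy checks on the negotiated session.
 * NOTE(review): only the two TLS_RSA_WITH_RC4_128_* suites are compared
 * here, although the cipher cases above also name PSK, DH_anon, ECDH,
 * ECDHE and ECDH_anon suites that use RC4 - confirm whether those should
 * be reported as errors as well.
 */
685 if (cipher == TLS_RSA_WITH_RC4_128_MD5 ||
686 cipher == TLS_RSA_WITH_RC4_128_SHA)
688 printf("%s: ERROR (Printers MUST NOT negotiate RC4 cipher suites.)\n", server);
/*
 * Fetch the server's Diffie-Hellman parameters.  A failure is reported only
 * when paramsNeeded is non-zero.  (The "&params"/"&paramsLen" arguments were
 * garbled on this page by an entity-decoding error and are restored here.)
 */
693 if ((err = SSLGetDiffieHellmanParams(http->tls, &params, &paramsLen)) != noErr && paramsNeeded)
695 printf("%s: ERROR (Unable to get Diffie-Hellman parameters - %d)\n", server, (int)err);
/*
 * NOTE(review): the threshold is 128 bytes, which is 1024 bits by the
 * "* 8" conversion used below, while the message states a 2048-bit
 * minimum; paramsLen may also include encoding overhead rather than the
 * bare prime size.  Confirm the intended limit.  A length of 0 is let
 * through by this test.
 */
700 if (paramsLen < 128 && paramsLen != 0)
702 printf("%s: ERROR (Diffie-Hellman parameters MUST be at least 2048 bits, but Printer uses only %d bits/%d bytes)\n", server, (int)paramsLen * 8, (int)paramsLen);
/* DH size shown in the OK line is derived from the parameter length in bytes */
707 dhBits = (int)paramsLen * 8;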
708 #endif /* __APPLE__ */
/*
 * Success report.  tlsVersion is printed as major.minor via / 10 and % 10;
 * the first form adds the Diffie-Hellman size, the second omits it (the
 * condition selecting between them is not shown on this page).
 */
711 printf("%s: OK (TLS: %d.%d, %s, %d DH bits)\n", server, tlsVersion / 10, tlsVersion % 10, cipherName, dhBits);
713 printf("%s: OK (TLS: %d.%d, %s)\n", server, tlsVersion / 10, tlsVersion % 10, cipherName);
/*
 * Build the ipps:// printer URI and a Get-Printer-Attributes request.
 * NOTE(review): in the lines visible here host is written only by
 * httpSeparateURI(), i.e. for ipps:// arguments - confirm it is also set
 * when the server is given as a bare hostname.
 */
717 httpAssembleURI(HTTP_URI_CODING_ALL, uri, sizeof(uri), "ipps", NULL, host, port, resource);
718 request = ippNewRequest(IPP_OP_GET_PRINTER_ATTRIBUTES);
719 ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_URI, "printer-uri", NULL, uri);
/* The local user name from cupsUser() is sent to the remote printer */
720 ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_NAME, "requesting-user-name", NULL, cupsUser());
/* Limit the response to the keywords listed in pattrs */
721 ippAddStrings(request, IPP_TAG_OPERATION, IPP_TAG_KEYWORD, "requested-attributes", (int)(sizeof(pattrs) / sizeof(pattrs[0])), NULL, pattrs);
/* Send the request over the TLS connection opened earlier */
723 response = cupsDoRequest(http, request, resource);
/*
 * Print printer-group attributes as name=value; attributes from other
 * groups or without a name are filtered by the two tests below.  The string
 * form is bounded by sizeof(value).
 * NOTE(review): the values originate from the remote printer; whether
 * ippAttributeString() escapes control characters is not shown here, so
 * treat this output as untrusted text when logging or piping it.
 */
725 for (attr = ippFirstAttribute(response); attr; attr = ippNextAttribute(response))
727 if (ippGetGroupTag(attr) != IPP_TAG_PRINTER)
730 if ((name = ippGetName(attr)) == NULL)
733 ippAttributeString(attr, value, sizeof(value));
734 printf(" %s=%s\n", name, value);
747 * 'usage()' - Show program usage.
/* Print the command-line synopsis and the option list to stdout */
753 puts("Usage: ./tlscheck [options] server [port]");
754 puts(" ./tlscheck [options] ipps://server[:port]/path");
/*
 * --dh and --rc4 set _HTTP_TLS_ALLOW_DH and _HTTP_TLS_ALLOW_RC4 in main(),
 * and --tls10 pins the version range to TLS/1.0.  They widen what the
 * client will negotiate, so results obtained with them show what a printer
 * tolerates rather than a recommended configuration.
 */
757 puts(" --dh Allow DH/DHE key exchange");
758 puts(" --no-cbc Disable CBC cipher suites");
759 puts(" --no-tls10 Disable TLS/1.0");
760 puts(" --rc4 Allow RC4 encryption");
761 puts(" --tls10 Only use TLS/1.0");
762 puts(" --tls11 Only use TLS/1.1");
763 puts(" --tls12 Only use TLS/1.2");
764 puts(" --tls13 Only use TLS/1.3");
765 puts(" --verbose Be verbose");
766 puts(" -4 Connect using IPv4 addresses only");
767 puts(" -6 Connect using IPv6 addresses only");
768 puts(" -v Be verbose");
770 puts("The default port is 631.");
774 #endif /* !HAVE_SSL */