summary refs log tree commit diff
path: root/doc
diff options
context:
space:
mode:
authorTobias Geerinckx-Rice <me@tobias.gr>2019-08-27 08:48:27 +0200
committerTobias Geerinckx-Rice <me@tobias.gr>2019-08-27 08:49:14 +0200
commitf9c1ebdb7daea30ceaf73f43bf15c222dc4a58ad (patch)
tree04e508cae2726190c2b42af0a294b1e97ba6e7f3 /doc
parent32e18e9b9471e863e5857a89683f358bfb91c157 (diff)
downloadguix-f9c1ebdb7daea30ceaf73f43bf15c222dc4a58ad.tar.gz
services: cups: Complete SSL-OPTIONS.
…except for ‘AllowDH’, which makes no sense on GNU TLS systems.

* gnu/services/cups.scm (ssl-options?): Validate ‘DenyCBC’ and
‘DenyTLS1.0’.
* doc/guix.texi (Printing Services): Document them both.
Diffstat (limited to 'doc')
-rw-r--r--doc/guix.texi15
1 files changed, 9 insertions, 6 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index 6499b39ebf..90b2deb251 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -49,7 +49,7 @@ Copyright @copyright{} 2017 Christopher Allan Webber@*
 Copyright @copyright{} 2017, 2018 Marius Bakke@*
 Copyright @copyright{} 2017 Hartmut Goebel@*
 Copyright @copyright{} 2017 Maxim Cournoyer@*
-Copyright @copyright{} 2017, 2018 Tobias Geerinckx-Rice@*
+Copyright @copyright{} 2017, 2018, 2019 Tobias Geerinckx-Rice@*
 Copyright @copyright{} 2017 George Clemmer@*
 Copyright @copyright{} 2017 Andy Wingo@*
 Copyright @copyright{} 2017, 2018, 2019 Arun Isaac@*
@@ -14757,11 +14757,14 @@ Defaults to @samp{()}.
 
 @deftypevr {@code{cups-configuration} parameter} ssl-options ssl-options
 Sets encryption options.  By default, CUPS only supports encryption
-using TLS v1.0 or higher using known secure cipher suites.  The
-@code{AllowRC4} option enables the 128-bit RC4 cipher suites, which are
-required for some older clients that do not implement newer ones.  The
-@code{AllowSSL3} option enables SSL v3.0, which is required for some
-older clients that do not support TLS v1.0.
+using TLS v1.0 or higher using known secure cipher suites.  Security is
+reduced when @code{Allow} options are used, and enhanced when @code{Deny}
+options are used.  The @code{AllowRC4} option enables the 128-bit RC4 cipher
+suites, which are required for some older clients.  The @code{AllowSSL3} option
+enables SSL v3.0, which is required for some older clients that do not support
+TLS v1.0.  The @code{DenyCBC} option disables all CBC cipher suites.  The
+@code{DenyTLS1.0} option disables TLS v1.0 support - this sets the minimum
+protocol version to TLS v1.1.
 
 Defaults to @samp{()}.
 @end deftypevr