tls-gnutls.c: Use system crypto policy if available
Some Linux systems provide a way to control cryptography at the system or service level via cryptographic policies. The OpenSSL implementation reflects system changes to some degree; however, the GnuTLS implementation does not take system policy into account.

GnuTLS supports a fallback mechanism, so we can fall back to NORMAL if @System is not defined on the system.

Fortunately, the current GnuTLS implementation allows overrides via priority strings (so no "this cipher/hash is disabled" if we enabled them in our application by priority string), so honoring the system policy can save us work if someone wants to disable a specific cipher, since we don't have to implement it in libcups.
zdohnal committed Dec 6, 2024
1 parent 2e3f158 commit 331a202
Showing 2 changed files with 3 additions and 1 deletion.
2 changes: 2 additions & 0 deletions CHANGES.md
Expand Up @@ -5,8 +5,10 @@ CHANGES - OpenPrinting CUPS
Changes in CUPS v2.4.12 (YYYY-MM-DD)
------------------------------------

- GnuTLS follows system crypto policies now (Issue #1105)
- Fixed a compressed file error handling bug (Issue #1070)
- Fixed a bug in the make-and-model whitespace trimming code (Issue #1096)
- Fixed a removal of IPP Everywhere permanent queue if installation failed (Issue #1102)
- Fixed the default User-Agent string.
- Fixed a recursion issue in `ippReadIO`.
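
Review bot: The Issue #1105 entry, "GnuTLS follows system crypto policies now", does not say what happens where no system policy is defined, and gives administrators no hint that the TLS settings CUPS accepts can now change with system configuration. Suggest wording along the lines of "GnuTLS now follows the system crypto policy, falling back to NORMAL where none is defined (Issue #1105)", which matches the "@SYSTEM,NORMAL" string set in cups/tls-gnutls.c.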

2 changes: 1 addition & 1 deletion cups/tls-gnutls.c
Expand Up @@ -1504,7 +1504,7 @@ _httpTLSStart(http_t *http) /* I - Connection to server */
return (-1);
}

strlcpy(priority_string, "NORMAL", sizeof(priority_string));
strlcpy(priority_string, "@SYSTEM,NORMAL", sizeof(priority_string));

if (tls_max_version < _HTTP_TLS_MAX)
{
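
Review bot: The `strlcpy(priority_string, "@SYSTEM,NORMAL", sizeof(priority_string));` line in `_httpTLSStart` carries no comment, so the reason for the comma form (use the system policy, otherwise NORMAL) is recorded only in the commit message. Please add a short comment at that line, and settle the spelling: the commit message refers to `@System` while the code uses `@SYSTEM`. The `if (tls_max_version < _HTTP_TLS_MAX)` block that follows appears to adjust the same string further, and the commit message states that options enabled through the priority string override the system policy, so it is worth confirming and documenting which libcups-added modifiers could re-enable something an administrator disabled in the policy.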