|
|
|
|
.\"
|
|
|
|
|
.\" client.conf man page for CUPS.
|
|
|
|
|
.\"
|
|
|
|
|
.\" Copyright © 2007-2019 by Apple Inc.
|
|
|
|
|
.\" Copyright © 2006 by Easy Software Products.
|
|
|
|
|
.\"
|
|
|
|
|
.\" Licensed under Apache License v2.0. See the file "LICENSE" for more
|
|
|
|
|
.\" information.
|
|
|
|
|
.\"
|
|
|
|
|
.TH client.conf 5 "CUPS" "15 October 2019" "Apple Inc."
|
|
|
|
|
.SH NAME
|
|
|
|
|
client.conf \- client configuration file for cups (deprecated on macos)
|
|
|
|
|
.SH DESCRIPTION
|
|
|
|
|
The \fBclient.conf\fR file configures the CUPS client and is normally located in the \fI/etc/cups\fR and/or \fI~/.cups\fR directories.
|
|
|
|
|
Each line in the file can be a configuration directive, a blank line, or a comment. Comment lines start with the # character.
|
|
|
|
|
.LP
|
|
|
|
|
\fBNote:\fR Starting with macOS 10.7, this file is only used by command-line and X11 applications plus the IPP backend.
|
|
|
|
|
The \fBServerName\fR directive is not supported on macOS at all.
|
|
|
|
|
Starting with macOS 10.12, all applications can access these settings in the \fI/Library/Preferences/org.cups.PrintingPrefs.plist\fR file instead.
|
|
|
|
|
See the NOTES section below for more information.
|
|
|
|
|
.SS DIRECTIVES
|
|
|
|
|
The following directives are understood by the client. Consult the online help for detailed descriptions:
|
|
|
|
|
.\"#AllowAnyRoot
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBAllowAnyRoot Yes\fR
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBAllowAnyRoot No\fR
|
|
|
|
|
Specifies whether to allow TLS with certificates that have not been signed by a trusted Certificate Authority.
|
|
|
|
|
The default is "Yes".
|
|
|
|
|
.\"#AllowExpiredCerts
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBAllowExpiredCerts Yes\fR
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBAllowExpiredCerts No\fR
|
|
|
|
|
Specifies whether to allow TLS with expired certificates.
|
|
|
|
|
The default is "No".
|
|
|
|
|
.\"#DigestOptions
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBDigestOptions DenyMD5\fR
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBDigestOptions None\fR
|
|
|
|
|
Specifies HTTP Digest authentication options.
|
|
|
|
|
\fBDenyMD5\fR disables support for the original MD5 hash algorithm.
|
|
|
|
|
.\"#Encryption
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBEncryption IfRequested\fR
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBEncryption Never\fR
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBEncryption Required\fR
|
|
|
|
|
Specifies the level of encryption that should be used.
|
|
|
|
|
.\"#GSSServiceName
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBGSSServiceName \fIname\fR
|
|
|
|
|
Specifies the Kerberos service name that is used for authentication, typically "host", "http", or "ipp".
|
|
|
|
|
CUPS adds the remote hostname ("name@server.example.com") for you. The default name is "http".
|
|
|
|
|
.\"#ServerName
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBServerName \fIhostname-or-ip-address\fR[\fI:port\fR]
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBServerName \fI/domain/socket\fR
|
|
|
|
|
Specifies the address and optionally the port to use when connecting to the server.
|
|
|
|
|
\fBNote: This directive is not supported on macOS 10.7 or later.\fR
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBServerName \fIhostname-or-ip-address\fR[\fI:port\fR]\fB/version=1.1\fR
|
|
|
|
|
Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.
|
|
|
|
|
.\"#SSLOptions
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBSSLOptions None\fR
|
|
|
|
|
Sets encryption options (only in /etc/cups/client.conf).
|
|
|
|
|
By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
|
|
|
|
|
Security is reduced when \fIAllow\fR options are used.
|
|
|
|
|
Security is enhanced when \fIDeny\fR options are used.
|
|
|
|
|
The \fIAllowDH\fR option enables cipher suites using plain Diffie-Hellman key negotiation (not supported on systems using GNU TLS).
|
|
|
|
|
The \fIAllowRC4\fR option enables the 128-bit RC4 cipher suites, which are required for some older clients.
|
|
|
|
|
The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
|
|
|
|
|
The \fIDenyCBC\fR option disables all CBC cipher suites.
|
|
|
|
|
The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
|
|
|
|
|
The \fIMinTLS\fR options set the minimum TLS version to support.
|
|
|
|
|
The \fIMaxTLS\fR options set the maximum TLS version to support.
|
|
|
|
|
Not all operating systems support TLS 1.3 at this time.
|
|
|
|
|
.\"#TrustOnFirstUse
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBTrustOnFirstUse Yes\fR
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBTrustOnFirstUse No\fR
|
|
|
|
|
Specifies whether to trust new TLS certificates by default.
|
|
|
|
|
The default is "Yes".
|
|
|
|
|
.\"#User
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBUser \fIname\fR
|
|
|
|
|
Specifies the default user name to use for requests.
|
|
|
|
|
.\"#UserAgentTokens
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBUserAgentTokens None\fR
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBUserAgentTokens ProductOnly\fR
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBUserAgentTokens Major\fR
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBUserAgentTokens Minor\fR
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBUserAgentTokens Minimal\fR
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBUserAgentTokens OS\fR
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBUserAgentTokens Full\fR
|
|
|
|
|
Specifies what information is included in the User-Agent header of HTTP requests.
|
|
|
|
|
"None" disables the User-Agent header.
|
|
|
|
|
"ProductOnly" reports "CUPS".
|
|
|
|
|
"Major" reports "CUPS/major IPP/2".
|
|
|
|
|
"Minor" reports "CUPS/major.minor IPP/2.1".
|
|
|
|
|
"Minimal" reports "CUPS/major.minor.patch IPP/2.1".
|
|
|
|
|
"OS" reports "CUPS/major.minor.path (osname osversion) IPP/2.1".
|
|
|
|
|
"Full" reports "CUPS/major.minor.path (osname osversion; architecture) IPP/2.1".
|
|
|
|
|
The default is "Minimal".
|
|
|
|
|
.\"#ValidateCerts
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBValidateCerts Yes\fR
|
|
|
|
|
.TP 5
|
|
|
|
|
\fBValidateCerts No\fR
|
|
|
|
|
Specifies whether to only allow TLS with certificates whose common name matches the hostname.
|
|
|
|
|
The default is "No".
|
|
|
|
|
.SH NOTES
|
|
|
|
|
The \fBclient.conf\fR file is deprecated on macOS and will no longer be supported in a future version of CUPS.
|
|
|
|
|
Configuration settings can instead be viewed or changed using the
|
|
|
|
|
.BR defaults (1)
|
|
|
|
|
command:
|
|
|
|
|
.nf
|
|
|
|
|
defaults write /Library/Preferences/org.cups.PrintingPrefs.plist Encryption Required
|
|
|
|
|
defaults write /Library/Preferences/org.cups.PrintingPrefs.plist TrustOnFirstUse -bool NO
|
|
|
|
|
|
|
|
|
|
defaults read /Library/Preferences/org.cups.PrintingPrefs.plist Encryption
|
|
|
|
|
.fi
|
|
|
|
|
On Linux and other systems using GNU TLS, the \fI/etc/cups/ssl/site.crl\fR file, if present, provides a list of revoked X.509 certificates and is used when validating certificates.
|
|
|
|
|
.SH SEE ALSO
|
|
|
|
|
.BR cups (1),
|
|
|
|
|
.BR default (1),
|
|
|
|
|
CUPS Online Help (http://localhost:631/help)
|
|
|
|
|
.SH COPYRIGHT
|
|
|
|
|
Copyright \[co] 2007-2019 by Apple Inc.
|