Package: cups
Version: 2.2.1-8

* SHA-1 is officially deprecated for HTTPS certificates, but is still used for 
cups certificate generation.
* TLSv1.0 is enabled for cups, but TLSv1.0 with CBC / SHA-1 is potentially 
vulnerable to BEAST attacks.

I suggest two resolutions to correct this, even though it is understood that 
default certificates are self-signed anyway.

* Generate SHA-2 signed certificates by default. This will lessen the additional 
browser warnings.
* Enable only TLSv1.2 for the cups HTTPS interface and disable CBC and SHA-1 
crypto. TLSv1.0 has numerous known potential security issues with CBC / SHA-1 
suites. All current web clients support TLSv1.2, so disabling TLSv1.0 should 
have no negative effect for local Debian users and is likely to have virtually 
no impact for remote users accessing the cups interface either.
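The two changes proposed above, as an added example (my own shell script, not code from the cups project or from this report): it regenerates the cups server certificate signed with SHA-256 and sets a single `SSLOptions` line in cupsd.conf. It assumes that cupsd on this release reads the certificate from /etc/cups/ssl/<ServerName>.crt and .key and that the `SSLOptions` directive accepts the `DenyCBC` and `DenyTLS1.0` keywords; check both against the local cupsd.conf(5) man page, since keyword availability varies by release.

```shell
#!/bin/sh
# Added example: regenerate the cups server certificate with SHA-256 and
# restrict cupsd TLS settings. Not from the cups project or the bug report.
# Assumptions (verify with `man cupsd.conf` on your release):
#   - cupsd reads /etc/cups/ssl/<ServerName>.crt and .key
#   - SSLOptions accepts the keywords DenyCBC and DenyTLS1.0
set -eu

# Create a self-signed certificate signed with SHA-256 instead of SHA-1.
# $1 = output directory, $2 = server name (used as CN and file basename)
gen_sha256_cert() {
  dir=$1; name=$2
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
  chmod 600 "$dir/$name.key"
}

# Print the signature algorithm of a PEM certificate, e.g.
# "sha256WithRSAEncryption" (fine) or "sha1WithRSAEncryption" (deprecated).
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Ensure exactly one SSLOptions line in a cupsd.conf, replacing any existing one.
# $1 = path to cupsd.conf, $2 = option keywords
set_ssloptions() {
  conf=$1; opts=$2
  if grep -q '^SSLOptions' "$conf"; then
    tmp=$(mktemp)
    sed "s/^SSLOptions.*/SSLOptions $opts/" "$conf" > "$tmp" && mv "$tmp" "$conf"
  else
    printf 'SSLOptions %s\n' "$opts" >> "$conf"
  fi
}

# Usage on a real host (as root, then restart cups):
#   gen_sha256_cert /etc/cups/ssl "$(hostname)"
#   cert_sig_alg /etc/cups/ssl/"$(hostname)".crt
#   set_ssloptions /etc/cups/cupsd.conf "DenyCBC DenyTLS1.0"
```

After restarting cupsd, `openssl s_client -connect localhost:631 -tls1` should fail to negotiate, while a TLSv1.2 connection succeeds. `DenyTLS1.0` leaves TLSv1.1 enabled; releases whose man page documents a minimum-version keyword (for example `MinTLS1.2` in newer cups) can restrict the interface to TLSv1.2 only, which is what the second bullet asks for.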

Verified on Debian GNU/Linux 9
