<!DOCTYPE HTML>
<html>
<!-- SECTION: Man Pages -->
<head>
  <link rel="stylesheet" type="text/css" href="../cups-printable.css">
  <title>client.conf(5)</title>
</head>
<body>
<h1 class="title">client.conf(5)</h1>
<h2 class="title"><a name="NAME">Name</a></h2>
client.conf - client configuration file for cups (deprecated on macos)
<h2 class="title"><a name="DESCRIPTION">Description</a></h2>
The <b>client.conf</b> file configures the CUPS client and is normally located in the <i>/etc/cups</i> and/or <i>~/.cups</i> directories.
Each line in the file can be a configuration directive, a blank line, or a comment. Comment lines start with the # character.
<p><b>Note:</b> Starting with macOS 10.7, this file is only used by command-line and X11 applications plus the IPP backend.
The <b>ServerName</b> directive is not supported on macOS at all.
Starting with macOS 10.12, all applications can access these settings in the <i>/Library/Preferences/org.cups.PrintingPrefs.plist</i> file instead.
See the NOTES section below for more information.
<h3><a name="DIRECTIVES">Directives</a></h3>
The following directives are understood by the client. Consult the online help for detailed descriptions:
<dl class="man">
<dt><a name="AllowAnyRoot"></a><b>AllowAnyRoot Yes</b>
<dd style="margin-left: 5.0em"><dt><b>AllowAnyRoot No</b>
<dd style="margin-left: 5.0em">Specifies whether to allow TLS with certificates that have not been signed by a trusted Certificate Authority.
The default is "Yes".
<dt><a name="AllowExpiredCerts"></a><b>AllowExpiredCerts Yes</b>
<dd style="margin-left: 5.0em"><dt><b>AllowExpiredCerts No</b>
<dd style="margin-left: 5.0em">Specifies whether to allow TLS with expired certificates.
The default is "No".
<dt><a name="DigestOptions"></a><b>DigestOptions DenyMD5</b>
<dd style="margin-left: 5.0em"><dt><b>DigestOptions None</b>
<dd style="margin-left: 5.0em">Specifies HTTP Digest authentication options.
<b>DenyMD5</b> disables support for the original MD5 hash algorithm.
<dt><a name="Encryption"></a><b>Encryption IfRequested</b>
<dd style="margin-left: 5.0em"><dt><b>Encryption Never</b>
<dd style="margin-left: 5.0em"><dt><b>Encryption Required</b>
<dd style="margin-left: 5.0em">Specifies the level of encryption that should be used.
<dt><a name="GSSServiceName"></a><b>GSSServiceName </b><i>name</i>
<dd style="margin-left: 5.0em">Specifies the Kerberos service name that is used for authentication, typically "host", "http", or "ipp".
CUPS adds the remote hostname ("name@server.example.com") for you. The default name is "http".
<dt><a name="ServerName"></a><b>ServerName </b><i>hostname-or-ip-address</i>[<i>:port</i>]
<dd style="margin-left: 5.0em"><dt><b>ServerName </b><i>/domain/socket</i>
<dd style="margin-left: 5.0em">Specifies the address and optionally the port to use when connecting to the server.
<b>Note: This directive is not supported on macOS 10.7 or later.</b>
<dt><b>ServerName </b><i>hostname-or-ip-address</i>[<i>:port</i>]<b>/version=1.1</b>
<dd style="margin-left: 5.0em">Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.
<dt><a name="SSLOptions"></a><b>SSLOptions </b>[<i>AllowDH</i>] [<i>AllowRC4</i>] [<i>AllowSSL3</i>] [<i>DenyCBC</i>] [<i>DenyTLS1.0</i>] [<i>MaxTLS1.0</i>] [<i>MaxTLS1.1</i>] [<i>MaxTLS1.2</i>] [<i>MaxTLS1.3</i>] [<i>MinTLS1.0</i>] [<i>MinTLS1.1</i>] [<i>MinTLS1.2</i>] [<i>MinTLS1.3</i>] [<i>NoSystem</i>]
<dd style="margin-left: 5.0em"><dt><b>SSLOptions None</b>
<dd style="margin-left: 5.0em">Sets encryption options (only in /etc/cups/client.conf).
By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
Security is reduced when <i>Allow</i> options are used.
Security is enhanced when <i>Deny</i> options are used.
The <i>AllowDH</i> option enables cipher suites using plain Diffie-Hellman key negotiation (not supported on systems using GNU TLS).
The <i>AllowRC4</i> option enables the 128-bit RC4 cipher suites, which are required for some older clients.
The <i>AllowSSL3</i> option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
The <i>DenyCBC</i> option disables all CBC cipher suites.
The <i>DenyTLS1.0</i> option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
The <i>MinTLS</i> options set the minimum TLS version to support.
The <i>MaxTLS</i> options set the maximum TLS version to support.
The <i>NoSystem</i> option disables applying system cryptographic policy.
Not all operating systems support TLS 1.3 at this time.
<dt><a name="TrustOnFirstUse"></a><b>TrustOnFirstUse Yes</b>
<dd style="margin-left: 5.0em"><dt><b>TrustOnFirstUse No</b>
<dd style="margin-left: 5.0em">Specifies whether to trust new TLS certificates by default.
The default is "Yes".
<dt><a name="User"></a><b>User </b><i>name</i>
<dd style="margin-left: 5.0em">Specifies the default user name to use for requests.
<dt><a name="UserAgentTokens"></a><b>UserAgentTokens None</b>
<dd style="margin-left: 5.0em"><dt><b>UserAgentTokens ProductOnly</b>
<dd style="margin-left: 5.0em"><dt><b>UserAgentTokens Major</b>
<dd style="margin-left: 5.0em"><dt><b>UserAgentTokens Minor</b>
<dd style="margin-left: 5.0em"><dt><b>UserAgentTokens Minimal</b>
<dd style="margin-left: 5.0em"><dt><b>UserAgentTokens OS</b>
<dd style="margin-left: 5.0em"><dt><b>UserAgentTokens Full</b>
<dd style="margin-left: 5.0em">Specifies what information is included in the User-Agent header of HTTP requests.
"None" disables the User-Agent header.
"ProductOnly" reports "CUPS".
"Major" reports "CUPS/major IPP/2".
"Minor" reports "CUPS/major.minor IPP/2.1".
"Minimal" reports "CUPS/major.minor.patch IPP/2.1".
"OS" reports "CUPS/major.minor.patch (osname osversion) IPP/2.1".
"Full" reports "CUPS/major.minor.patch (osname osversion; architecture) IPP/2.1".
The default is "Minimal".
<dt><a name="ValidateCerts"></a><b>ValidateCerts Yes</b>
<dd style="margin-left: 5.0em"><dt><b>ValidateCerts No</b>
<dd style="margin-left: 5.0em">Specifies whether to only allow TLS with certificates whose common name matches the hostname.
The default is "No".
</dl>
<h2 class="title"><a name="NOTES">Notes</a></h2>
The <b>client.conf</b> file is deprecated on macOS and will no longer be supported in a future version of CUPS.
Configuration settings can instead be viewed or changed using the
<b>defaults</b>(1)
command:
<pre class="man">
defaults write /Library/Preferences/org.cups.PrintingPrefs.plist Encryption Required
defaults write /Library/Preferences/org.cups.PrintingPrefs.plist TrustOnFirstUse -bool NO

defaults read /Library/Preferences/org.cups.PrintingPrefs.plist Encryption
</pre>
On Linux and other systems using GNU TLS, the <i>/etc/cups/ssl/site.crl</i> file, if present, provides a list of revoked X.509 certificates and is used when validating certificates.
<h2 class="title"><a name="SEE_ALSO">See Also</a></h2>
<a href="man-cups.html?TOPIC=Man+Pages"><b>cups</b>(1),</a>
<b>defaults</b>(1),
CUPS Online Help (<a href="http://localhost:631/help">http://localhost:631/help</a>)
<h2 class="title"><a name="COPYRIGHT">Copyright</a></h2>
Copyright © 2020-2025 by OpenPrinting.

</body>
</html>
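Added example (not part of the CUPS documentation or code): a small auditor that parses client.conf text in the line format described above and reports settings that weaken TLS or authentication, applying the defaults this page states so that an unset AllowAnyRoot or ValidateCerts is still reported. The function names, the sample file, and the treatment of directive names as case-insensitive with later lines overriding earlier ones are assumptions made for the example.

```python
# Added example: flag client.conf settings that weaken TLS or authentication.
# Defaults are the ones stated in the man page; case-insensitive directive
# names and "last line wins" are assumptions of this example.
DEFAULTS = {"allowanyroot": "Yes", "allowexpiredcerts": "No", "validatecerts": "No"}
# (directive, value that triggers a finding, reason)
WEAK_VALUES = [
    ("allowanyroot", "yes", "accepts certificates not signed by a trusted CA"),
    ("allowexpiredcerts", "yes", "accepts expired certificates"),
    ("validatecerts", "no", "common name is not checked against the hostname"),
    ("encryption", "never", "encryption is disabled"),
    ("digestoptions", "none", "MD5 Digest authentication is not denied"),
]

def parse_client_conf(text):
    """Return {directive: value}, skipping blank lines and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def audit(text):
    """Return a list of (directive, value, reason, origin) findings."""
    explicit = parse_client_conf(text)
    effective = {**DEFAULTS, **explicit}
    findings = []
    for name, bad, reason in WEAK_VALUES:
        value = effective.get(name, "")
        if value.lower() == bad:
            origin = "explicit" if name in explicit else "default"
            findings.append((name, value, reason, origin))
    for option in effective.get("ssloptions", "").split():
        if option.lower().startswith("allow"):
            findings.append(("ssloptions", option, "Allow option reduces security", "explicit"))
    return findings

# Constructed sample file, not taken from a real host.
SAMPLE = """\
Encryption Required
AllowExpiredCerts Yes
ValidateCerts Yes
SSLOptions AllowRC4 DenyCBC MinTLS1.2
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

The sample still yields an AllowAnyRoot finding with origin "default" because the file never sets it; a file that sets AllowAnyRoot No, ValidateCerts Yes and Encryption Required with no Allow options in SSLOptions produces no findings.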