Description
FIPS-140 (among other "standards") does not allow the use of the old MD5 hash for cryptographic purposes. While GNU TLS is adopting an all-or-nothing strategy (never use MD5 for any purpose when in FIPS-140 mode), that strategy ignores non-crypto uses of MD5 (e.g. UUID generation) where its weaknesses are not an issue.
Since CUPS already exposes a number of security-related configuration options in client.conf, we should add another option that controls whether MD5 is allowed with Digest authentication. CUPS already prefers more secure hashes when the printer supports them so the only effective change here would be to allow configurations to break existing printers that require Digest authentication but do not implement newer hashes.
Proposed option:
DigestOptions {None|DenyMD5}
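An added sketch of how a client could apply the proposed option, not CUPS code and not part of the original issue: it reads a `DigestOptions` line and decides whether a Digest challenge may be answered, treating a challenge with no `algorithm=` parameter as MD5. The type and function names are hypothetical and the challenge strings are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <strings.h>
/* Hypothetical policy type for the proposed DigestOptions {None|DenyMD5}. */
typedef enum { DIGEST_NONE, DIGEST_DENY_MD5 } digest_policy_t;

/* Parse one client.conf-style line; returns 1 if it set the policy. */
static int parse_digest_options(const char *line, digest_policy_t *policy) {
  char name[32], value[32];
  if (sscanf(line, " %31s %31s", name, value) != 2 || strcasecmp(name, "DigestOptions"))
    return 0;
  if (!strcasecmp(value, "DenyMD5")) *policy = DIGEST_DENY_MD5;
  else if (!strcasecmp(value, "None")) *policy = DIGEST_NONE;
  else return 0;                        /* unknown value: policy unchanged */
  return 1;
}

/* Copy the challenge's algorithm= value into alg (size >= 4). A challenge
   with no algorithm parameter means MD5 (RFC 7616, section 3.3). */
static void challenge_algorithm(const char *hdr, char *alg, size_t size) {
  const char *p; size_t n = 0; int quoted = 0;
  snprintf(alg, size, "MD5");
  for (p = hdr; *p; p++) {              /* find the parameter outside quotes */
    if (*p == '"') quoted = !quoted;
    else if (!quoted && (p == hdr || p[-1] == ' ' || p[-1] == ',') &&
             !strncasecmp(p, "algorithm=", 10)) break;
  }
  if (!*p) return;                      /* absent: keep the MD5 default */
  p += (p[10] == '"') ? 11 : 10;        /* value may be quoted or a bare token */
  while (*p && *p != '"' && *p != ',' && !isspace((unsigned char)*p) && n + 1 < size)
    alg[n++] = *p++;
  if (n) alg[n] = '\0';                 /* empty value also keeps the default */
}

/* Return 1 if the Digest challenge may be answered under the policy. */
static int digest_allowed(digest_policy_t policy, const char *hdr) {
  char alg[32];
  challenge_algorithm(hdr, alg, sizeof(alg));
  return !(policy == DIGEST_DENY_MD5 &&
           (!strcasecmp(alg, "MD5") || !strcasecmp(alg, "MD5-sess")));
}

int main(void) {
  digest_policy_t policy = DIGEST_NONE;
  parse_digest_options("DigestOptions DenyMD5", &policy);
  /* Constructed challenge without algorithm=, so MD5 is implied: prints 0. */
  printf("%d\n", digest_allowed(policy, "Digest realm=\"p\", nonce=\"abc\""));
  return 0;
}
```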