Add SSL/TLS certificate validation/revocation #1616

Closed
michaelrsweet opened this issue Apr 29, 2006 · 5 comments

commented Apr 29, 2006

Version: 2.0-feature
CUPS.org User: mike

The current SSL/TLS support does not do any certificate validation or revocation. Need to add a certificate callback mechanism to the CUPS API which returns accept temporarily, accept permanently, or reject the certificate, and the results should be cached in "~/.cups".

The functionality should be similar to Subversion and ssh...

@michaelrsweet

commented Jan 13, 2014

CUPS.org User: odyx

This STR issue has been pointed out while we were discussing how Debian would handle the license-wise impossibility to build against recent GnuTLS versions on the thread starting on https://lists.debian.org/debian-devel/2014/01/msg00205.html

It would be nice to have this fixed in a proper way a little earlier than in 2.0, what do you think?

@michaelrsweet

commented Jan 13, 2014

CUPS.org User: mike

Didier,

Since CUPS 2.0 is removing OpenSSL support entirely, the solution would seem to be to declare GnuTLS and its dependents as system libraries, just like glibc.

(Sadly, we've looked at all of the open source TLS implementations. There really isn't a satisfactory choice, and certainly none that truly avoids the GPL minefield that the FSF has created...)

@michaelrsweet

commented May 10, 2014

CUPS.org User: mike

This is implemented for OS X but still needs work for GNU TLS and SSPI.

@michaelrsweet

commented Jul 8, 2014

CUPS.org User: mike

GNU TLS server side stuff is once again working. Just need to finish implementing the cert validation code and we should be good to go.

Windows still needs to be implemented (last on the list, but needed for the IPP Everywhere test suite).

@michaelrsweet

commented Jul 18, 2014

CUPS.org User: mike

Fixed in Subversion repository.

For those playing along at home, "man client.conf" for a description of the certificate validation/policy options. Self-signed certificates are tracked automatically so that we can detect when they have changed, ssh-style.

@michaelrsweet michaelrsweet added this to the Stable milestone Mar 17, 2016
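
The ssh-style tracking described in the last comment, combined with the accept temporarily / accept permanently / reject callback from the original request, sketched as an added example. It is not CUPS code: every name in it (`cert_check`, `cert_cb_t`, the one-line-per-host store format) is hypothetical, and it assumes the caller passes a normalized host name without whitespace and the hex digest of the peer certificate.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for illustration; this is not the CUPS API. */
typedef enum { CERT_REJECT, CERT_ACCEPT_ONCE, CERT_ACCEPT_ALWAYS } cert_decision_t;
typedef enum { CERT_TRUSTED, CERT_NEW_ACCEPTED, CERT_CHANGED, CERT_REFUSED } cert_result_t;
typedef cert_decision_t (*cert_cb_t)(const char *host, const char *fingerprint);

/* Find the pinned fingerprint for host; returns 1 and fills out if present. */
static int pin_lookup(const char *store, const char *host, char *out, size_t outsize)
{
  char line[512], h[256], f[129];
  int found = 0;
  FILE *fp = fopen(store, "r");           /* Missing store: nothing pinned yet */
  while (fp && !found && fgets(line, sizeof(line), fp))
    if (sscanf(line, "%255s %128s", h, f) == 2 && !strcmp(h, host))
    {
      snprintf(out, outsize, "%s", f);
      found = 1;
    }
  if (fp) fclose(fp);
  return found;
}

/* fingerprint is the hex digest of the peer certificate, computed by the caller. */
cert_result_t cert_check(const char *store, const char *host,
                         const char *fingerprint, cert_cb_t cb)
{
  char pinned[129];
  cert_decision_t d;
  FILE *fp;
  if (pin_lookup(store, host, pinned, sizeof(pinned)))  /* Known host: compare, never re-ask */
    return strcmp(pinned, fingerprint) ? CERT_CHANGED : CERT_TRUSTED;
  if ((d = cb(host, fingerprint)) == CERT_REJECT)       /* First contact: ask the application */
    return CERT_REFUSED;
  if (d == CERT_ACCEPT_ALWAYS)                          /* Only a permanent accept is cached */
  {
    if ((fp = fopen(store, "a")) == NULL)
      return CERT_REFUSED;                              /* Fail closed if the pin cannot be saved */
    fprintf(fp, "%s %s\n", host, fingerprint);
    fclose(fp);
  }
  return CERT_NEW_ACCEPTED;
}

/* Sample callbacks standing in for a user prompt (constructed for this example). */
cert_decision_t cb_once(const char *h, const char *f)   { (void)h; (void)f; return CERT_ACCEPT_ONCE; }
cert_decision_t cb_always(const char *h, const char *f) { (void)h; (void)f; return CERT_ACCEPT_ALWAYS; }
cert_decision_t cb_reject(const char *h, const char *f) { (void)h; (void)f; return CERT_REJECT; }
```

A changed fingerprint for a pinned host returns `CERT_CHANGED` without consulting the callback, so a replaced certificate cannot be silently re-accepted.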
