Add support for SSL/TLS certificate validation and revocation #3093

michaelrsweet opened this Issue Feb 6, 2009 · 1 comment


None yet
1 participant

michaelrsweet commented Feb 6, 2009

Version: -feature User: mike

CUPS needs to implement SSL/TLS certificate validation and revocation to protect against man-in-the-middle attacks.

As a very basic level we need to implement a system like what SSH has - on first use the user confirms and on subsequent uses we validate against that certificate. It should be possible to provide a list/file of revoked certificates, and unlike SSH it should be possible to replace an existing certificate without manually editing a "known hosts" file (with suitable confirmations, of course).

At the client level (lp, lpr, etc.) there should be a callback API, and revoked certificates should cause a failed connection with cupsLastError and cupsLastErrorString set appropriately.

For remote encrypted printing we'll need to provide something to automatically validate the certificates, possibly by pre-validating when adding the printer?

cupsd-generated certificates can be pre-validated for local accesses that are encrypted.


michaelrsweet commented May 6, 2011 User: mike

Fixed in Subversion repository.

Full support is in place for CDSA on Mac OS X. Other toolkits will be added as time permits.

@michaelrsweet michaelrsweet added this to the Stable milestone Mar 17, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment