Add support for SSL/TLS certificate validation and revocation #3093

michaelrsweet opened this Issue Feb 6, 2009 · 1 comment



michaelrsweet commented Feb 6, 2009

Version: -feature User: mike

CUPS needs to implement SSL/TLS certificate validation and revocation to protect against man-in-the-middle attacks.

At a very basic level we need to implement a system like what SSH has - on first use the user confirms and on subsequent uses we validate against that certificate. It should be possible to provide a list/file of revoked certificates, and unlike SSH it should be possible to replace an existing certificate without manually editing a "known hosts" file (with suitable confirmations, of course).

At the client level (lp, lpr, etc.) there should be a callback API, and revoked certificates should cause a failed connection with cupsLastError and cupsLastErrorString set appropriately.

For remote encrypted printing we'll need to provide something to automatically validate the certificates, possibly by pre-validating when adding the printer?

cupsd-generated certificates can be pre-validated for local accesses that are encrypted.
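The trust-on-first-use decision requested above can be sketched as follows. This is an added example, not part of the original issue and not CUPS code. The names `trust_check`, `trust_store_t`, `confirm_cb_t` and the `TRUST_*` values are hypothetical, and certificates are assumed to be identified by a hex fingerprint string.

```c
#include <stddef.h>
#include <string.h>

#define MAX_PINS 16
#define NAME_LEN 64
#define FP_LEN   65   /* hex SHA-256 fingerprint + NUL (assumed format) */

typedef enum { TRUST_OK, TRUST_NEW, TRUST_CHANGED, TRUST_REVOKED, TRUST_REJECTED } trust_t;
typedef struct { char host[NAME_LEN], fp[FP_LEN]; } pin_t;
typedef struct {
  pin_t pins[MAX_PINS]; size_t num_pins;     /* the "known hosts" data */
  const char **revoked; size_t num_revoked;  /* revoked fingerprints */
} trust_store_t;

/* Confirmation callback (hypothetical): return nonzero to accept the cert. */
typedef int (*confirm_cb_t)(const char *host, const char *fp, trust_t why, void *ctx);

trust_t trust_check(trust_store_t *ts, const char *host, const char *fp,
                    confirm_cb_t cb, void *ctx)
{
  size_t i;
  pin_t *pin = NULL;
  trust_t why;

  if (strlen(host) >= NAME_LEN || strlen(fp) >= FP_LEN)
    return TRUST_REJECTED;
  /* Revocation wins over any pin and is never offered for confirmation. */
  for (i = 0; i < ts->num_revoked; i++)
    if (!strcmp(ts->revoked[i], fp))
      return TRUST_REVOKED;
  for (i = 0; i < ts->num_pins && !pin; i++)
    if (!strcmp(ts->pins[i].host, host))
      pin = &ts->pins[i];
  if (pin && !strcmp(pin->fp, fp))
    return TRUST_OK;                        /* matches the stored certificate */
  why = pin ? TRUST_CHANGED : TRUST_NEW;    /* replacement, or first use */
  if (!pin && ts->num_pins >= MAX_PINS)
    return TRUST_REJECTED;
  if (!cb || !cb(host, fp, why, ctx))
    return TRUST_REJECTED;                  /* no confirmation: fail closed */
  if (!pin) {
    pin = &ts->pins[ts->num_pins++];
    strcpy(pin->host, host);
  }
  strcpy(pin->fp, fp);                      /* store or replace the pin */
  return why;
}

/* Sample callbacks for trying the function out. */
int confirm_accept(const char *h, const char *f, trust_t w, void *c)
{ (void)h; (void)f; (void)w; (void)c; return 1; }
int confirm_deny(const char *h, const char *f, trust_t w, void *c)
{ (void)h; (void)f; (void)w; (void)c; return 0; }
```

A return of `TRUST_NEW` or `TRUST_CHANGED` means the callback confirmed and the pin was stored or replaced; a non-interactive caller passes a NULL callback, so anything other than an exact match fails closed.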


michaelrsweet commented May 6, 2011 User: mike

Fixed in Subversion repository.

Full support is in place for CDSA on Mac OS X. Other toolkits will be added as time permits.

michaelrsweet added this to the Stable milestone Mar 17, 2016
