Add SSL/TLS certificate validation/revocation #1616

Closed
michaelrsweet opened this issue Apr 29, 2006 · 5 comments
Labels
enhancement New feature or request
Comments

@michaelrsweet
Collaborator

Version: 2.0-feature
CUPS.org User: mike

The current SSL/TLS support does not do any certificate validation or revocation. Need to add a certificate callback mechanism to the CUPS API which returns accept temporarily, accept permanently, or reject the certificate, and the results should be cached in "~/.cups".

The functionality should be similar to Subversion and ssh...

@michaelrsweet
Collaborator Author

CUPS.org User: odyx

This STR issue has been pointed out while we were discussing how Debian would handle the license-wise impossibility to build against recent GnuTLS versions on the thread starting on https://lists.debian.org/debian-devel/2014/01/msg00205.html

It would be nice to have this fixed in a proper way a little earlier than in 2.0, what do you think?

@michaelrsweet
Collaborator Author

CUPS.org User: mike

Didier,

Since CUPS 2.0 is removing OpenSSL support entirely, the solution would seem to be to declare GnuTLS and its dependents as system libraries, just like glibc.

(Sadly, we've looked at all of the open source TLS implementations. There really isn't a satisfactory choice, and certainly none that truly avoids the GPL minefield that the FSF has created...)

@michaelrsweet
Collaborator Author

CUPS.org User: mike

This is implemented for OS X but still needs work for GNU TLS and SSPI.

@michaelrsweet
Collaborator Author

CUPS.org User: mike

GNU TLS server side stuff is once again working. Just need to finish implementing the cert validation code and we should be good to go.

Windows still needs to be implemented (last on the list, but needed for the IPP Everywhere test suite).

@michaelrsweet
Collaborator Author

CUPS.org User: mike

Fixed in Subversion repository.

For those playing along at home, "man client.conf" for a description of the certificate validation/policy options. Self-signed certificates are tracked automatically so that we can detect when they have changed, ssh-style.
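
The accept temporarily / accept permanently / reject callback from the original request, combined with ssh-style tracking of changed certificates, as an added Python sketch that is not CUPS code and not part of this thread. The `PinStore` class, the `Verdict` names, the JSON cache file and the choice to reject a changed certificate outright are all assumptions, and the certificate bytes are constructed.

```python
import hashlib, json, os, tempfile
from enum import Enum

class Verdict(Enum):                      # the three answers the request asks for
    ACCEPT_ONCE = "accept temporarily"
    ACCEPT_ALWAYS = "accept permanently"
    REJECT = "reject"

class PinStore:
    """Per-user cache mapping host -> SHA-256 fingerprint (assumed JSON format)."""
    def __init__(self, path):
        self.path, self.pins = path, {}
        if os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def check(self, host, cert_der, on_unknown):
        fp = hashlib.sha256(cert_der).hexdigest()
        pinned = self.pins.get(host)
        if pinned is not None:
            # Known host: a different certificate is a change; do not ask again.
            return Verdict.ACCEPT_ALWAYS if pinned == fp else Verdict.REJECT
        verdict = on_unknown(host, fp)     # caller's policy or user prompt
        if verdict is Verdict.ACCEPT_ALWAYS:
            self.pins[host] = fp           # only permanent accepts are cached
            self._save()
        return verdict

    def _save(self):
        # mkstemp creates the file mode 0600; os.replace makes the update atomic.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w") as f:
            json.dump(self.pins, f)
        os.replace(tmp, self.path)

def demo():
    """Run four connections to one host against a throwaway cache file."""
    cert_a, cert_b = b"constructed certificate A", b"constructed certificate B"
    once = lambda host, fp: Verdict.ACCEPT_ONCE
    always = lambda host, fp: Verdict.ACCEPT_ALWAYS
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pins.json")
        return [
            PinStore(path).check("printer.example", cert_a, once),    # not cached
            PinStore(path).check("printer.example", cert_b, always),  # pinned
            PinStore(path).check("printer.example", cert_b, once),    # matches pin
            PinStore(path).check("printer.example", cert_a, always),  # changed
        ]

if __name__ == "__main__":
    print([v.name for v in demo()])
```

A temporary accept leaves no trace in the cache, so the host is treated as unknown again on the next connection; once a fingerprint is pinned, the callback is no longer consulted for that host.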

@michaelrsweet michaelrsweet added the enhancement New feature or request label Mar 17, 2016
@michaelrsweet michaelrsweet added this to the Stable milestone Mar 17, 2016