Add SSL/TLS certificate validation/revocation #1616
Comments
CUPS.org User: odyx This STR issue has been pointed out while we were discussing how Debian would handle the license-wise impossibility to build against recent GnuTLS versions on the thread starting on https://lists.debian.org/debian-devel/2014/01/msg00205.html It would be nice to have this fixed in a proper way a little earlier than in 2.0, what do you think?
CUPS.org User: mike Didier, Since CUPS 2.0 is removing OpenSSL support entirely, the solution would seem to be to declare GnuTLS and its dependents as system libraries, just like glibc. (Sadly, we've looked at all of the open source TLS implementations. There really isn't a satisfactory choice, and certainly none that truly avoids the GPL minefield that the FSF has created...)
CUPS.org User: mike This is implemented for OS X but still needs work for GNU TLS and SSPI.
CUPS.org User: mike GNU TLS server side stuff is once again working. Just need to finish implementing the cert validation code and we should be good to go. Windows still needs to be implemented (last on the list, but needed for the IPP Everywhere test suite).
CUPS.org User: mike Fixed in Subversion repository. For those playing along at home, "man client.conf" for a description of the certificate validation/policy options. Self-signed certificates are tracked automatically so that we can detect when they have changed, ssh-style.
Version: 2.0-feature
CUPS.org User: mike
The current SSL/TLS support does not do any certificate validation or revocation. Need to add a certificate callback mechanism to the CUPS API which returns accept temporarily, accept permanently, or reject the certificate, and the results should be cached in "~/.cups".
The functionality should be similar to Subversion and ssh...
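The callback and cache requested in this issue, together with the ssh-style change detection mentioned in the closing comment, shown as an added example; it is not CUPS code. `PinStore`, `Decision`, the JSON cache format and the fail-closed handling of a changed certificate are assumptions made for illustration.

```python
import hashlib
import json
import os
from enum import Enum


class Decision(Enum):
    REJECT = "reject"
    ACCEPT_ONCE = "accept temporarily"
    ACCEPT_ALWAYS = "accept permanently"


class PinStore:
    """Per-user cache of host -> SHA-256 certificate fingerprint (hypothetical format)."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as f:
                self.pins = json.load(f)

    def _save(self):
        # Write a 0600 temp file, then rename, so a crash never leaves a partial cache.
        tmp = self.path + ".tmp"
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            json.dump(self.pins, f, indent=1, sort_keys=True)
        os.replace(tmp, self.path)

    def check(self, host, der_cert, callback):
        """Return True if the connection to host may proceed."""
        fingerprint = hashlib.sha256(der_cert).hexdigest()
        pinned = self.pins.get(host)
        if pinned == fingerprint:
            return True   # same certificate that was accepted permanently before
        if pinned is not None:
            return False  # certificate changed: fail closed (assumed policy)
        decision = callback(host, fingerprint)  # first contact: ask the application
        if decision is Decision.ACCEPT_ALWAYS:
            self.pins[host] = fingerprint
            self._save()
        return decision is not Decision.REJECT
```

Only a permanent accept is written to the cache, so a temporary accept prompts again on the next connection, and a host whose pinned fingerprint no longer matches is refused without consulting the callback.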