Fix a GNU TLS certificate problem (Issue #5506)

diff --git a/CHANGES.md b/CHANGES.md
index 5f72f68eac8f3b1d9134a79e9b509acea1471c69..64784e7fbcce006aa2d24c342c10b9257d9b698d 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -9,6 +9,8 @@ Changes in CUPS v2.3b8
 - Fixed a performance regression with large PPDs (rdar://47040759)
 - The `ippValidateAttribute` function did not catch all instances of invalid
   UTF-8 strings (Issue #5509)
+- Fixed an issue with the self-signed certificates generated by GNU TLS
+  (Issue #5506)
 - Fixed a potential memory leak when reading at the end of a file (Issue #5473)
 - Fixed potential unaligned accesses in the string pool (Issue #5474)
 - Fixed a potential memory leak when loading a PPD file (Issue #5475)

diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
index 05ec8ec7f1a7942930cc847b0a79218a3f371be4..8e45db27b70a2e401081eccc8ae4678573b1be9e 100644 (file)
--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
@@ -1,7 +1,7 @@
 /*
  * TLS support code for CUPS using GNU TLS.
  *
- * Copyright © 2007-2018 by Apple Inc.
+ * Copyright © 2007-2019 by Apple Inc.
  * Copyright © 1997-2007 by Easy Software Products, all rights reserved.
  *
  * Licensed under Apache License v2.0.  See the file "LICENSE" for more
@@ -171,7 +171,7 @@ cupsMakeServerCredentials(
   if (num_alt_names > 0)
     gnutls_x509_crt_set_subject_alternative_name(crt, GNUTLS_SAN_DNSNAME, alt_names[0]);
   gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0);
-  gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_KEY_ENCIPHERMENT);
+  gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT);
   gnutls_x509_crt_set_version(crt, 3);
 
   bytes = sizeof(buffer);