-CHANGES.txt - 2.2.0 - 2016-09-09
+CHANGES.txt - 2.2.1 - 2016-09-19
--------------------------------
+CHANGES IN CUPS V2.2.1
+
+ - Added "CreateSelfSignedCerts" directive for cups-files.conf to
+ control whether the scheduler automatically creates its own
+ self-signed X.509 certificates for TLS connections (Issue #4876)
+
+
CHANGES IN CUPS V2.2.0
- Normalized the TLS certificate validation code and added additional
.\" which should have been included with this file. If this file is
.\" file is missing or damaged, see the license at "http://www.cups.org/".
.\"
-.TH cups-files.conf 5 "CUPS" "20 June 2016" "Apple Inc."
+.TH cups-files.conf 5 "CUPS" "19 September 2016" "Apple Inc."
.SH NAME
cups\-files.conf \- file and directory configuration file for cups
.SH DESCRIPTION
\fBNote:\fR The permissions for the \fIprinters.conf\fR file are currently masked to only allow access from the scheduler user (typically root).
This is done because printer device URIs sometimes contain sensitive authentication information that should not be generally known on the system.
There is no way to disable this security feature.
+.\"#CreateSelfSignedCerts
+.TP 5
+\fBCreateSelfSignedCerts yes\fR
+.TP 5
+\fBCreateSelfSignedCerts no\fR
+Specifies whether the scheduler automatically creates self-signed certificates for client connections using TLS.
+The default is yes.
.\"#DataDir
.TP 5
\fBDataDir \fIpath\fR
{ "AccessLog", &AccessLog, CUPSD_VARTYPE_STRING },
{ "CacheDir", &CacheDir, CUPSD_VARTYPE_STRING },
{ "ConfigFilePerm", &ConfigFilePerm, CUPSD_VARTYPE_PERM },
+#ifdef HAVE_SSL
+ { "CreateSelfSignedCerts", &CreateSelfSignedCerts, CUPSD_VARTYPE_BOOLEAN },
+#endif /* HAVE_SSL */
{ "DataDir", &DataDir, CUPSD_VARTYPE_STRING },
{ "DocumentRoot", &DocumentRoot, CUPSD_VARTYPE_STRING },
{ "ErrorLog", &ErrorLog, CUPSD_VARTYPE_STRING },
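Review bot: The `CreateSelfSignedCerts` entry is compiled only under `#ifdef HAVE_SSL`, while the man page text added in this same change documents the directive with no such condition. On a build without TLS support the name would not be in this table, and how the parser treats an unrecognized directive is not visible in the hunk. I would state the condition in the man page entry, for example `This directive is only recognized when CUPS is built with TLS support.` The table itself begins and ends outside the hunk.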
FatalErrors = parse_fatal_errors(CUPS_DEFAULT_FATAL_ERRORS);
default_auth_type = CUPSD_AUTH_BASIC;
#ifdef HAVE_SSL
+ CreateSelfSignedCerts = TRUE;
DefaultEncryption = HTTP_ENCRYPT_REQUIRED;
#endif /* HAVE_SSL */
DirtyCleanInterval = DEFAULT_KEEPALIVE;
cupsdSetStringf(&ServerKeychain, "%s/%s", ServerRoot, ServerKeychain);
cupsdLogMessage(CUPSD_LOG_DEBUG, "Using keychain \"%s\" for server name \"%s\".", ServerKeychain, ServerName);
- cupsSetServerCredentials(ServerKeychain, ServerName, 1);
+ if (!CreateSelfSignedCerts)
+ cupsdLogMessage(CUPSD_LOG_DEBUG, "Self-signed TLS certificate generation is disabled.");
+ cupsSetServerCredentials(ServerKeychain, ServerName, CreateSelfSignedCerts);
#endif /* HAVE_SSL */
/*
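Review bot: The only trace that certificate auto-creation is turned off is a `CUPSD_LOG_DEBUG` message, which an administrator running at a less verbose log level will not see. With `CreateSelfSignedCerts no`, TLS depends on a certificate already being present in `ServerKeychain`, and nothing in this hunk checks for one or reports its absence; the return value of `cupsSetServerCredentials` is also unused. I would raise the message to `cupsdLogMessage(CUPSD_LOG_INFO, "Self-signed TLS certificate generation is disabled.");` and add a comment above the `if` noting that the administrator must then provision the certificate. The enclosing function starts and ends outside the hunk.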