Add CreateSelfSignedCerts directive for cups-files.conf (Issue #4876)
authorMichael Sweet <michael.r.sweet@gmail.com>
Mon, 19 Sep 2016 14:42:12 +0000 (10:42 -0400)
committerMichael Sweet <michael.r.sweet@gmail.com>
Mon, 19 Sep 2016 14:42:12 +0000 (10:42 -0400)
CHANGES.txt
man/cups-files.conf.man.in
scheduler/conf.c
scheduler/conf.h

index 838e96d2bfd0d9279e57d98050b82d0217bfeb37..787f3e21c0927080550dfcef943041be50469468 100644 (file)
@@ -1,6 +1,13 @@
-CHANGES.txt - 2.2.0 - 2016-09-09
+CHANGES.txt - 2.2.1 - 2016-09-19
 --------------------------------
 
+CHANGES IN CUPS V2.2.1
+
+       - Added "CreateSelfSignedCerts" directive for cups-files.conf to
+          control whether the scheduler automatically creates its own
+          self-signed X.509 certificates for TLS connections (Issue #4876)
+
+
 CHANGES IN CUPS V2.2.0
 
        - Normalized the TLS certificate validation code and added additional
index df001fba36284534728e8265166c2b10f2d01fe8..8e6218495d87044833610303859e0db15b1d2e75 100644 (file)
@@ -10,7 +10,7 @@
 .\" which should have been included with this file.  If this file is
 .\" file is missing or damaged, see the license at "http://www.cups.org/".
 .\"
-.TH cups-files.conf 5 "CUPS" "20 June 2016" "Apple Inc."
+.TH cups-files.conf 5 "CUPS" "19 September 2016" "Apple Inc."
 .SH NAME
 cups\-files.conf \- file and directory configuration file for cups
 .SH DESCRIPTION
@@ -54,6 +54,13 @@ The default is "0644" on macOS and "0640" on all other operating systems.
 \fBNote:\fR The permissions for the \fIprinters.conf\fR file are currently masked to only allow access from the scheduler user (typically root).
 This is done because printer device URIs sometimes contain sensitive authentication information that should not be generally known on the system.
 There is no way to disable this security feature.
+.\"#CreateSelfSignedCerts
+.TP 5
+\fBCreateSelfSignedCerts yes\fR
+.TP 5
+\fBCreateSelfSignedCerts no\fR
+Specifies whether the scheduler automatically creates self-signed certificates for client connections using TLS.
+The default is yes.
 .\"#DataDir
 .TP 5
 \fBDataDir \fIpath\fR
index 088501e883e2fe2a986dbd76b78076c822d0cb0e..8110cb475c1a639c6f991161e5adb933b2c98971 100644 (file)
@@ -138,6 +138,9 @@ static const cupsd_var_t    cupsfiles_vars[] =
   { "AccessLog",               &AccessLog,             CUPSD_VARTYPE_STRING },
   { "CacheDir",                        &CacheDir,              CUPSD_VARTYPE_STRING },
   { "ConfigFilePerm",          &ConfigFilePerm,        CUPSD_VARTYPE_PERM },
+#ifdef HAVE_SSL
+  { "CreateSelfSignedCerts",   &CreateSelfSignedCerts, CUPSD_VARTYPE_BOOLEAN },
+#endif /* HAVE_SSL */
   { "DataDir",                 &DataDir,               CUPSD_VARTYPE_STRING },
   { "DocumentRoot",            &DocumentRoot,          CUPSD_VARTYPE_STRING },
   { "ErrorLog",                        &ErrorLog,              CUPSD_VARTYPE_STRING },
@@ -739,6 +742,7 @@ cupsdReadConfiguration(void)
   FatalErrors              = parse_fatal_errors(CUPS_DEFAULT_FATAL_ERRORS);
   default_auth_type        = CUPSD_AUTH_BASIC;
 #ifdef HAVE_SSL
+  CreateSelfSignedCerts    = TRUE;
   DefaultEncryption        = HTTP_ENCRYPT_REQUIRED;
 #endif /* HAVE_SSL */
   DirtyCleanInterval       = DEFAULT_KEEPALIVE;
@@ -1181,7 +1185,9 @@ cupsdReadConfiguration(void)
     cupsdSetStringf(&ServerKeychain, "%s/%s", ServerRoot, ServerKeychain);
 
   cupsdLogMessage(CUPSD_LOG_DEBUG, "Using keychain \"%s\" for server name \"%s\".", ServerKeychain, ServerName);
-  cupsSetServerCredentials(ServerKeychain, ServerName, 1);
+  if (!CreateSelfSignedCerts)
+    cupsdLogMessage(CUPSD_LOG_DEBUG, "Self-signed TLS certificate generation is disabled.");
+  cupsSetServerCredentials(ServerKeychain, ServerName, CreateSelfSignedCerts);
 #endif /* HAVE_SSL */
 
  /*
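Review bot: The only record that certificate auto-creation has been turned off is the `CUPSD_LOG_DEBUG` message added just before `cupsSetServerCredentials()`, so an operator sees nothing unless debug logging is enabled. Nothing visible in this hunk confirms that a certificate for `ServerName` already exists in `ServerKeychain`. With `DefaultEncryption` reset to `HTTP_ENCRYPT_REQUIRED` earlier in the same function, a missing certificate would presumably surface only as failed TLS handshakes when clients connect. I would log the state above debug level and name what must be provisioned, e.g. `cupsdLogMessage(CUPSD_LOG_INFO, "Self-signed TLS certificate generation is disabled; a certificate for \"%s\" must be installed in \"%s\".", ServerName, ServerKeychain);`, and consider checking the return value of `cupsSetServerCredentials()`, which is still discarded. cupsdReadConfiguration() begins and ends outside this hunk.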
index 80250d94d212097c1a39d644312e0a5c1d5fd3f0..585ba920300693c2033beb171fb5ae3ea0d31b69 100644 (file)
@@ -240,6 +240,8 @@ VAR const char              **MimeTypes             VALUE(NULL);
                                        /* Array of MIME types */
 
 #ifdef HAVE_SSL
+VAR int                        CreateSelfSignedCerts   VALUE(TRUE);
+                                       /* Automatically create self-signed certs? */
 VAR char               *ServerKeychain         VALUE(NULL);
                                        /* Keychain holding cert + key */
 #endif /* HAVE_SSL */