0, NULL);
httpSetTimeout(http, 30.0, timeout_cb, NULL);
+ if (httpIsEncrypted(http))
+ {
+ /*
+ * Validate TLS credentials...
+ */
+
+ cups_array_t *creds; /* TLS credentials */
+ http_trust_t trust; /* Trust level */
+ static const char *trusts[] = { NULL, "+cups-pki-invalid", "+cups-pki-changed", "+cups-pki-expired", NULL, "+cups-pki-unknown" };
+ /* Trust keywords */
+
+ if (!httpCopyCredentials(http, &creds))
+ {
+ trust = httpCredentialsGetTrust(creds, hostname);
+
+ update_reasons(NULL, "-cups-pki-invalid,cups-pki-changed,cups-pki-expired,cups-pki-unknown");
+ if (trusts[trust])
+ {
+ update_reasons(NULL, trusts[trust]);
+ return (CUPS_BACKEND_STOP);
+ }
+
+ httpFreeCredentials(creds);
+ }
+ }
+
/*
* See if the printer supports SNMP...
*/
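Review bot: The `creds` array is leaked on the stop path — `httpFreeCredentials(creds)` runs only after the `if (trusts[trust])` block, so when the trust check fails the function returns `CUPS_BACKEND_STOP` without freeing it; move the free ahead of the return: `update_reasons(NULL, trusts[trust]); httpFreeCredentials(creds); return (CUPS_BACKEND_STOP);`. When `httpCopyCredentials()` itself fails, nothing is recorded and the job proceeds over the encrypted connection with no trust check at all, which reads as fail-open; if a peer that presents no usable credentials should not be trusted, that branch needs its own `update_reasons()` and STOP. The `trusts[trust]` lookup also assumes `http_trust_t` has exactly six values in table order with no range check, so an enumerator added later would index past the array — a `trust < (int)(sizeof(trusts) / sizeof(trusts[0]))` guard or a `switch` on the enum would be safer. The enclosing function starts and ends outside the hunk.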
const char *cups_gssservicename,
#endif /* HAVE_GSSAPI */
const char *cups_anyroot,
- const char *cups_expiredcerts);
+ const char *cups_expiredcerts,
+ const char *cups_validatecerts);
/*
*cups_gssservicename, /* CUPS_GSSSERVICENAME env var */
#endif /* HAVE_GSSAPI */
*cups_anyroot, /* CUPS_ANYROOT env var */
- *cups_expiredcerts; /* CUPS_EXPIREDCERTS env var */
+ *cups_expiredcerts, /* CUPS_EXPIREDCERTS env var */
+ *cups_validatecerts; /* CUPS_VALIDATECERTS env var */
char filename[1024]; /* Filename */
_cups_globals_t *cg = _cupsGlobals(); /* Pointer to library globals */
#endif /* HAVE_GSSAPI */
cups_anyroot = getenv("CUPS_ANYROOT");
cups_expiredcerts = getenv("CUPS_EXPIREDCERTS");
+ cups_validatecerts = getenv("CUPS_VALIDATECERTS");
if ((cups_user = getenv("CUPS_USER")) == NULL)
{
#ifdef HAVE_GSSAPI
cups_gssservicename,
#endif /* HAVE_GSSAPI */
- cups_anyroot, cups_expiredcerts);
+ cups_anyroot, cups_expiredcerts, cups_validatecerts);
cupsFileClose(fp);
}
}
/* I - CUPS_GSSSERVICENAME env var */
#endif /* HAVE_GSSAPI */
const char *cups_anyroot, /* I - CUPS_ANYROOT env var */
- const char *cups_expiredcerts) /* I - CUPS_EXPIREDCERTS env var */
+ const char *cups_expiredcerts, /* I - CUPS_EXPIREDCERTS env var */
+ const char *cups_validatecerts)/* I - CUPS_VALIDATECERTS env var */
{
int linenum; /* Current line number */
char line[1024], /* Line from file */
#endif /* !__APPLE__ */
user[256], /* User value */
any_root[1024], /* AllowAnyRoot value */
- expired_certs[1024]; /* AllowExpiredCerts value */
+ expired_certs[1024], /* AllowExpiredCerts value */
+ validate_certs[1024]; /* ValidateCerts value */
#ifdef HAVE_GSSAPI
char gss_service_name[32]; /* GSSServiceName value */
#endif /* HAVE_GSSAPI */
strlcpy(expired_certs, value, sizeof(expired_certs));
cups_expiredcerts = expired_certs;
}
+ else if (!cups_validatecerts && !_cups_strcasecmp(line, "ValidateCerts") && value)
+ {
+ strlcpy(validate_certs, value, sizeof(validate_certs));
+ cups_validatecerts = validate_certs;
+ }
#ifdef HAVE_GSSAPI
else if (!cups_gssservicename && !_cups_strcasecmp(line, "GSSServiceName") &&
value)
cg->expired_certs = !_cups_strcasecmp(cups_expiredcerts, "yes") ||
!_cups_strcasecmp(cups_expiredcerts, "on") ||
!_cups_strcasecmp(cups_expiredcerts, "true");
+
+ if (cups_validatecerts)
+ cg->validate_certs = !_cups_strcasecmp(cups_validatecerts, "yes") ||
+ !_cups_strcasecmp(cups_validatecerts, "on") ||
+ !_cups_strcasecmp(cups_validatecerts, "true");
}
.\" which should have been included with this file. If this file is
.\" file is missing or damaged, see the license at "http://www.cups.org/".
.\"
-.TH client.conf 5 "CUPS" "16 April 2014" "Apple Inc."
+.TH client.conf 5 "CUPS" "7 May 2014" "Apple Inc."
.SH NAME
client.conf \- client configuration file for cups (deprecated)
.SH DESCRIPTION
.SS DIRECTIVES
The following directives are understood by the client. Consult the online help for detailed descriptions:
.TP 5
-\fBAllowAnyRoot Y\fR
+\fBAllowAnyRoot Yes\fR
.TP 5
-\fBAllowAnyRoot N\fR
+\fBAllowAnyRoot No\fR
Specifies whether to allow TLS with certificates that have not been signed by a trusted Certificate Authority.
-The default is "Y".
+The default is "Yes".
.TP 5
-\fBAllowExpiredCerts Y\fR
+\fBAllowExpiredCerts Yes\fR
.TP 5
-\fBAllowExpiredCerts N\fR
+\fBAllowExpiredCerts No\fR
Specifies whether to allow TLS with expired certificates.
-The default is "Y".
+The default is "Yes".
.TP 5
\fBEncryption IfRequested\fR
.TP 5
.TP 5
\fBUser \fIname\fR
Specifies the default user name to use for requests.
+.TP 5
+\fBValidateCerts Yes\fR
+.TP 5
+\fBValidateCerts No\fR
+Specifies whether to only allow TLS with certificates whose common name matches the hostname.
+The default is "No".
.SH NOTES
The \fBclient.conf\fR file is deprecated and will no longer be supported in a future version of CUPS.
.SH SEE ALSO