From: Michael R Sweet Date: Tue, 5 Feb 2019 18:04:13 +0000 (-0500) Subject: Fix a GNU TLS certificate problem (Issue #5506) X-Git-Tag: v2.2.11~18 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=324a11611ab0025eeb3d49e74c8bdb60c9ca29ec;p=thirdparty%2Fcups.git Fix a GNU TLS certificate problem (Issue #5506) --- diff --git a/CHANGES.md b/CHANGES.md index 5434a98b21..fefebe0d88 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -5,8 +5,6 @@ CHANGES - 2.2.11 - 2019-02-05 Changes in CUPS v2.2.11 ----------------------- -- The `ippValidateAttribute` function did not catch all instances of invalid - UTF-8 strings (Issue #5509) - Running ppdmerge with the same input and output filenames did not work as advertised (Issue #5455) - Fixed a potential memory leak when reading at the end of a file (Issue #5473) @@ -18,6 +16,10 @@ Changes in CUPS v2.2.11 - The lpadmin command, web interface, and scheduler all queried an IPP Everywhere printer differently, resulting in different PPDs for the same printer (Issue #5484) +- Fixed an issue with the self-signed certificates generated by GNU TLS + (Issue #5506) +- The `ippValidateAttribute` function did not catch all instances of invalid + UTF-8 strings (Issue #5509) - Fixed a potential crash bug in cups-driverd (rdar://46625579) - Fixed a performance regression with large PPDs (rdar://47040759) diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c index 606b45afce..ae4e4d24f6 100644 --- a/cups/tls-gnutls.c +++ b/cups/tls-gnutls.c @@ -1,7 +1,7 @@ /* * TLS support code for CUPS using GNU TLS. * - * Copyright © 2007-2018 by Apple Inc. + * Copyright © 2007-2019 by Apple Inc. * Copyright © 1997-2007 by Easy Software Products, all rights reserved. * * These coded instructions, statements, and computer programs are the 
@@ -176,7 +176,7 @@ cupsMakeServerCredentials( if (num_alt_names > 0) gnutls_x509_crt_set_subject_alternative_name(crt, GNUTLS_SAN_DNSNAME, alt_names[0]); gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0); - gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_KEY_ENCIPHERMENT); + gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT); gnutls_x509_crt_set_version(crt, 3); bytes = sizeof(buffer);
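Review bot: the CHANGES.md entry added in the "@@ -18,6 +16,10 @@" hunk ("Fixed an issue with the self-signed certificates generated by GNU TLS") does not say what the issue was or what changed in the certificates. Suggest wording it in terms of the actual change, for example that self-signed certificates generated with GNU TLS now carry the digital signature key usage in addition to key encipherment, so someone reading the changelog can tell what differs in the new certificates.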
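Review bot: in the cups/tls-gnutls.c hunk at "@@ -176,7 +176,7 @@" (cupsMakeServerCredentials), the return value of gnutls_x509_crt_set_key_usage() is discarded, as it is for the neighbouring gnutls_x509_crt_set_* calls, so a failure to set the key usage would go unnoticed and the certificate could be produced without the bits this commit is meant to add. Suggest checking the result (0 on success, a negative error code otherwise) and failing credential creation on error. A one-line comment on why both bits are set would also help: GNUTLS_KEY_KEY_ENCIPHERMENT covers only RSA key transport, while cipher suites with ephemeral (DHE/ECDHE) key exchange have the server sign with its key, which requires GNUTLS_KEY_DIGITAL_SIGNATURE. Finally, the change affects only credentials created after the update; nothing in the visible lines detects or replaces a certificate already generated with key encipherment alone, which is worth a mention in the commit message or CHANGES.md.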