From: Michael Sweet Date: Tue, 20 Sep 2016 19:59:38 +0000 (-0400) Subject: Use self-signed certificates over CA-signed ones (Issue #4870) X-Git-Tag: v2.2.1~9^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7b98e44eef0730b12dca4bed16670f2098ce86ac;p=thirdparty%2Fcups.git Use self-signed certificates over CA-signed ones (Issue #4870)
---
diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
index d5e639ea78..9941e51e53 100644
--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
@@ -1371,34 +1371,46 @@ _httpTLSStart(http_t *http) /* I - Connection to server */
  if (hostname[0])
  {
  /*
- * First look for CA certs...
+ * First look in the CUPS keystore...
  */
 
- snprintf(crtfile, sizeof(crtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostname);
- snprintf(keyfile, sizeof(keyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostname);
-
- if ((access(crtfile, R_OK) || access(keyfile, R_OK)) && (hostptr = strchr(hostname, '.')) != NULL)
- {
- /*
- * Try just domain name...
- */
-
- hostptr ++;
- if (strchr(hostptr, '.'))
- {
- snprintf(crtfile, sizeof(crtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostptr);
- snprintf(keyfile, sizeof(keyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostptr);
- }
- }
+ http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, hostname, "crt");
+ http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, hostname, "key");
 
  if (access(crtfile, R_OK) || access(keyfile, R_OK))
  {
  /*
- * Then look in the CUPS keystore...
- */
-
- http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, hostname, "crt");
- http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, hostname, "key");
+ * No CUPS-managed certs, look for CA certs...
+ */
+
+ char cacrtfile[1024], cakeyfile[1024]; /* CA cert files */
+
+ snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostname);
+ snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostname);
+
+ if ((access(cacrtfile, R_OK) || access(cakeyfile, R_OK)) && (hostptr = strchr(hostname, '.')) != NULL)
+ {
+ /*
+ * Try just domain name...
+ */
+
+ hostptr ++;
+ if (strchr(hostptr, '.'))
+ {
+ snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostptr);
+ snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostptr);
+ }
+ }
+
+ if (!access(cacrtfile, R_OK) && !access(cakeyfile, R_OK))
+ {
+ /*
+ * Use the CA certs...
+ */
+
+ strlcpy(crtfile, cacrtfile, sizeof(crtfile));
+ strlcpy(keyfile, cakeyfile, sizeof(keyfile));
+ }
  }
 
  have_creds = !access(crtfile, R_OK) && !access(keyfile, R_OK);
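Review bot: The Let's Encrypt fallback inserted under `if (access(crtfile, R_OK) || access(keyfile, R_OK))` is repeated verbatim in the following hunk (the `else if (tls_common_name)` branch), differing only in the name passed to `snprintf` and `strchr`; a static helper that takes the name and the two output buffers would keep the two search orders from drifting apart, which is what this commit had to correct in both places. Inside that fallback, `strlcpy(crtfile, cacrtfile, sizeof(crtfile))` copies a 1024-byte path into `crtfile`, whose size is declared outside the hunk; if `crtfile` is smaller the path is silently truncated and the later `have_creds` test checks a different file, so the helper below treats a truncating copy as "no credentials" instead. The moved `Try just domain name...` comment would be clearer as `/* Fall back to the parent domain's Let's Encrypt cert; it only validates for this host if a SAN or wildcard entry covers the name */`. `_httpTLSStart` begins before the hunk and continues after it.
```c
/*
 * 'http_gnutls_find_creds()' - Fill crtfile/keyfile for 'name': the CUPS
 * keystore first, then a Let's Encrypt pair for the name or its parent domain.
 * Leaves both buffers empty when a found path would not fit.
 */

static void
http_gnutls_find_creds(const char *name, char *crtfile, size_t crtsize, char *keyfile, size_t keysize)
{
  char cacrtfile[1024], cakeyfile[1024]; /* CA cert files */
  const char *hostptr; /* Pointer into name */

  http_gnutls_make_path(crtfile, crtsize, tls_keypath, name, "crt");
  http_gnutls_make_path(keyfile, keysize, tls_keypath, name, "key");

  if (!access(crtfile, R_OK) && !access(keyfile, R_OK))
    return;

  /* … unchanged: Let's Encrypt lookup for name, then for its parent domain … */

  if (!access(cacrtfile, R_OK) && !access(cakeyfile, R_OK))
  {
    if (strlcpy(crtfile, cacrtfile, crtsize) >= crtsize ||
        strlcpy(keyfile, cakeyfile, keysize) >= keysize)
      crtfile[0] = keyfile[0] = '\0'; /* Truncated path: treat as no creds */
  }
}

/* … call sites, one per branch of _httpTLSStart … */
http_gnutls_find_creds(hostname, crtfile, sizeof(crtfile), keyfile, sizeof(keyfile));
http_gnutls_find_creds(tls_common_name, crtfile, sizeof(crtfile), keyfile, sizeof(keyfile));
```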
@@ -1406,34 +1418,46 @@ _httpTLSStart(http_t *http) /* I - Connection to server */
  else if (tls_common_name)
  {
  /*
- * First look for CA certs...
+ * First look in the CUPS keystore...
  */
 
- snprintf(crtfile, sizeof(crtfile), "/etc/letsencrypt/live/%s/fullchain.pem", tls_common_name);
- snprintf(keyfile, sizeof(keyfile), "/etc/letsencrypt/live/%s/privkey.pem", tls_common_name);
-
- if ((access(crtfile, R_OK) || access(keyfile, R_OK)) && (hostptr = strchr(tls_common_name, '.')) != NULL)
- {
- /*
- * Try just domain name...
- */
-
- hostptr ++;
- if (strchr(hostptr, '.'))
- {
- snprintf(crtfile, sizeof(crtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostptr);
- snprintf(keyfile, sizeof(keyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostptr);
- }
- }
+ http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, tls_common_name, "crt");
+ http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, tls_common_name, "key");
 
  if (access(crtfile, R_OK) || access(keyfile, R_OK))
  {
  /*
- * Then look in the CUPS keystore...
- */
-
- http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, tls_common_name, "crt");
- http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, tls_common_name, "key");
+ * No CUPS-managed certs, look for CA certs...
+ */
+
+ char cacrtfile[1024], cakeyfile[1024]; /* CA cert files */
+
+ snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", tls_common_name);
+ snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", tls_common_name);
+
+ if ((access(cacrtfile, R_OK) || access(cakeyfile, R_OK)) && (hostptr = strchr(tls_common_name, '.')) != NULL)
+ {
+ /*
+ * Try just domain name...
+ */
+
+ hostptr ++;
+ if (strchr(hostptr, '.'))
+ {
+ snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostptr);
+ snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostptr);
+ }
+ }
+
+ if (!access(cacrtfile, R_OK) && !access(cakeyfile, R_OK))
+ {
+ /*
+ * Use the CA certs...
+ */
+
+ strlcpy(crtfile, cacrtfile, sizeof(crtfile));
+ strlcpy(keyfile, cakeyfile, sizeof(keyfile));
+ }
  }
 
  have_creds = !access(crtfile, R_OK) && !access(keyfile, R_OK);