From: Michael Sweet Date: Mon, 19 Sep 2016 14:42:12 +0000 (-0400) Subject: Add CreateSelfSignedCerts directive for cups-files.conf (Issue #4876) X-Git-Tag: v2.2.1~10^2~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=efed05629f103469af91bc108f3b3fe02237a50d;p=thirdparty%2Fcups.git Add CreateSelfSignedCerts directive for cups-files.conf (Issue #4876) --- diff --git a/CHANGES.txt b/CHANGES.txt index 838e96d2bf..787f3e21c0 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,6 +1,13 @@ -CHANGES.txt - 2.2.0 - 2016-09-09 +CHANGES.txt - 2.2.1 - 2016-09-19 -------------------------------- +CHANGES IN CUPS V2.2.1 + + - Added "CreateSelfSignedCerts" directive for cups-files.conf to + control whether the scheduler automatically creates its own + self-signed X.509 certificates for TLS connections (Issue #4876) + + CHANGES IN CUPS V2.2.0 - Normalized the TLS certificate validation code and added additional diff --git a/man/cups-files.conf.man.in b/man/cups-files.conf.man.in index df001fba36..8e6218495d 100644 --- a/man/cups-files.conf.man.in +++ b/man/cups-files.conf.man.in @@ -10,7 +10,7 @@ .\" which should have been included with this file. If this file is .\" file is missing or damaged, see the license at "http://www.cups.org/". .\" -.TH cups-files.conf 5 "CUPS" "20 June 2016" "Apple Inc." +.TH cups-files.conf 5 "CUPS" "19 September 2016" "Apple Inc." .SH NAME cups\-files.conf \- file and directory configuration file for cups .SH DESCRIPTION 
@@ -54,6 +54,13 @@ The default is "0644" on macOS and "0640" on all other operating systems.
 \fBNote:\fR The permissions for the \fIprinters.conf\fR file are currently masked to only allow access from the scheduler user (typically root).
 This is done because printer device URIs sometimes contain sensitive authentication information that should not be generally known on the system.
 There is no way to disable this security feature.
+.\"#CreateSelfSignedCerts
+.TP 5
+\fBCreateSelfSignedCerts yes\fR
+.TP 5
+\fBCreateSelfSignedCerts no\fR
+Specifies whether the scheduler automatically creates self-signed certificates for client connections using TLS.
+The default is yes.
 .\"#DataDir
 .TP 5
 \fBDataDir \fIpath\fR
diff --git a/scheduler/conf.c b/scheduler/conf.c
index 088501e883..8110cb475c 100644
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
@@ -138,6 +138,9 @@ static const cupsd_var_t cupsfiles_vars[] =
 { "AccessLog", &AccessLog, CUPSD_VARTYPE_STRING },
 { "CacheDir", &CacheDir, CUPSD_VARTYPE_STRING },
 { "ConfigFilePerm", &ConfigFilePerm, CUPSD_VARTYPE_PERM },
+#ifdef HAVE_SSL
+ { "CreateSelfSignedCerts", &CreateSelfSignedCerts, CUPSD_VARTYPE_BOOLEAN },
+#endif /* HAVE_SSL */
 { "DataDir", &DataDir, CUPSD_VARTYPE_STRING },
 { "DocumentRoot", &DocumentRoot, CUPSD_VARTYPE_STRING },
 { "ErrorLog", &ErrorLog, CUPSD_VARTYPE_STRING },
@@ -739,6 +742,7 @@ cupsdReadConfiguration(void)
 FatalErrors = parse_fatal_errors(CUPS_DEFAULT_FATAL_ERRORS);
 default_auth_type = CUPSD_AUTH_BASIC;
 #ifdef HAVE_SSL
+ CreateSelfSignedCerts = TRUE;
 DefaultEncryption = HTTP_ENCRYPT_REQUIRED;
 #endif /* HAVE_SSL */
 DirtyCleanInterval = DEFAULT_KEEPALIVE;
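Review bot: The new cupsfiles_vars entry in the @@ -138 hunk is compiled in only under HAVE_SSL, so a cups-files.conf that carries `CreateSelfSignedCerts` will presumably be reported as an unknown directive by a scheduler built without TLS support, while the man page text in the hunk above documents the directive without that qualification. If one configuration file is meant to work across builds, the table entry could sit outside the `#ifdef HAVE_SSL` guard with the variable declared unconditionally and simply unused when TLS is compiled out; otherwise the sentence `The default is yes.` in the man page could be followed by `This directive is only recognized when CUPS is built with TLS support.` The reset to TRUE in the @@ -739 hunk matches the VALUE(TRUE) initializer in conf.h, so the reload default is consistent. cupsfiles_vars and cupsdReadConfiguration both extend beyond their hunks.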
@@ -1181,7 +1185,9 @@ cupsdReadConfiguration(void) cupsdSetStringf(&ServerKeychain, "%s/%s", ServerRoot, ServerKeychain); cupsdLogMessage(CUPSD_LOG_DEBUG, "Using keychain \"%s\" for server name \"%s\".", ServerKeychain, ServerName); - cupsSetServerCredentials(ServerKeychain, ServerName, 1); + if (!CreateSelfSignedCerts) + cupsdLogMessage(CUPSD_LOG_DEBUG, "Self-signed TLS certificate generation is disabled."); + cupsSetServerCredentials(ServerKeychain, ServerName, CreateSelfSignedCerts); #endif /* HAVE_SSL */ /* diff --git a/scheduler/conf.h b/scheduler/conf.h index 80250d94d2..585ba92030 100644 --- a/scheduler/conf.h +++ b/scheduler/conf.h @@ -240,6 +240,8 @@ VAR const char **MimeTypes VALUE(NULL); /* Array of MIME types */ #ifdef HAVE_SSL +VAR int CreateSelfSignedCerts VALUE(TRUE); + /* Automatically create self-signed certs? */ VAR char *ServerKeychain VALUE(NULL); /* Keychain holding cert + key */ #endif /* HAVE_SSL */
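Review bot: When CreateSelfSignedCerts is no, the call now passes 0 as the auto-create flag to cupsSetServerCredentials, but nothing in the hunk verifies that ServerKeychain actually holds a certificate for ServerName, so an administrator who disables generation without provisioning a certificate would presumably only discover it when TLS connections start failing, and the only trace at startup is a DEBUG message that names neither the keychain nor the expected name. Including both makes the message actionable: `cupsdLogMessage(CUPSD_LOG_DEBUG, "Self-signed TLS certificate generation is disabled; a certificate for \"%s\" must already exist in \"%s\".", ServerName, ServerKeychain);`. The man page entry could likewise say that a certificate must be installed in the server keychain when the directive is set to no. cupsdReadConfiguration continues outside the hunk on both sides.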