Move TLS cert validation after the connection is finally established.
authorMichael Sweet <michael.r.sweet@gmail.com>
Thu, 7 Jul 2016 21:48:38 +0000 (17:48 -0400)
committerMichael Sweet <michael.r.sweet@gmail.com>
Thu, 7 Jul 2016 21:48:38 +0000 (17:48 -0400)
CHANGES.txt
backend/ipp.c

index 576696e6862d2986702dabbd15dfbc9e0e87bfa6..77264e5ac2422813d672b5fbf8772e3611fc2ce8 100644 (file)
@@ -4,6 +4,7 @@ CHANGES.txt - 2.2rc1 - 2016-07-07
 CHANGES IN CUPS V2.2rc1
 
        - Updated the list of supported IPP Everywhere media types.
+       - The IPP backend did not validate TLS credentials properly.
 
 
 CHANGES IN CUPS V2.2b2
index 4f1780c31b514e2114cfe7f461b99bff87c1f131..1ac2eea0754cacfa51b6273669038f03b13fb774 100644 (file)
@@ -688,44 +688,6 @@ main(int  argc,                            /* I - Number of command-line args */
                       0, NULL);
   httpSetTimeout(http, 30.0, timeout_cb, NULL);
 
-  if (httpIsEncrypted(http))
-  {
-   /*
-    * Validate TLS credentials...
-    */
-
-    cups_array_t       *creds;         /* TLS credentials */
-    cups_array_t       *lcreds = NULL; /* Loaded credentials */
-    http_trust_t       trust;          /* Trust level */
-    static const char  *trusts[] = { NULL, "+cups-pki-invalid", "+cups-pki-changed", "+cups-pki-expired", NULL, "+cups-pki-unknown" };
-                                       /* Trust keywords */
-
-    if (!httpCopyCredentials(http, &creds))
-    {
-      trust = httpCredentialsGetTrust(creds, hostname);
-
-      update_reasons(NULL, "-cups-pki-invalid,cups-pki-changed,cups-pki-expired,cups-pki-unknown");
-      if (trusts[trust])
-      {
-        update_reasons(NULL, trusts[trust]);
-        return (CUPS_BACKEND_STOP);
-      }
-
-      if (httpLoadCredentials(NULL, &lcreds, hostname))
-      {
-       /*
-        * Could not load the credentials, let's save the ones we have so we
-        * can detect changes...
-        */
-
-        httpSaveCredentials(NULL, creds, hostname);
-      }
-
-      httpFreeCredentials(lcreds);
-      httpFreeCredentials(creds);
-    }
-  }
-
  /*
   * See if the printer supports SNMP...
   */
@@ -856,6 +818,53 @@ main(int  argc,                            /* I - Number of command-line args */
   else if (!http)
     return (CUPS_BACKEND_FAILED);
 
+  if (httpIsEncrypted(http))
+  {
+   /*
+    * Validate TLS credentials...
+    */
+
+    cups_array_t       *creds;         /* TLS credentials */
+    cups_array_t       *lcreds = NULL; /* Loaded credentials */
+    http_trust_t       trust;          /* Trust level */
+    static const char  *trusts[] = { NULL, "+cups-pki-invalid", "+cups-pki-changed", "+cups-pki-expired", NULL, "+cups-pki-unknown" };
+                                       /* Trust keywords */
+
+    fputs("DEBUG: Connection is encrypted.\n", stderr);
+
+    if (!httpCopyCredentials(http, &creds))
+    {
+      trust = httpCredentialsGetTrust(creds, hostname);
+
+      fprintf(stderr, "DEBUG: trust=%d\n", (int)trust);
+
+      update_reasons(NULL, "-cups-pki-invalid,cups-pki-changed,cups-pki-expired,cups-pki-unknown");
+      if (trusts[trust])
+      {
+        update_reasons(NULL, trusts[trust]);
+        return (CUPS_BACKEND_STOP);
+      }
+
+      if (httpLoadCredentials(NULL, &lcreds, hostname))
+      {
+       /*
+        * Could not load the credentials, let's save the ones we have so we
+        * can detect changes...
+        */
+
+        httpSaveCredentials(NULL, creds, hostname);
+      }
+
+      httpFreeCredentials(lcreds);
+      httpFreeCredentials(creds);
+    }
+    else
+    {
+      update_reasons(NULL, "cups-pki-unknown");
+      return (CUPS_BACKEND_STOP);
+    }
+  }
+
   update_reasons(NULL, "-connecting-to-device");
   _cupsLangPrintFilter(stderr, "INFO", _("Connected to printer."));
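Review bot: The return value of `httpSaveCredentials(NULL, creds, hostname)` is discarded in the first-use branch, so a failed save leaves the printer's certificate unpinned and a later certificate swap has no stored baseline to be reported as `cups-pki-changed`; logging the failure, e.g. `if (httpSaveCredentials(NULL, creds, hostname)) fputs("DEBUG: Unable to save printer credentials.\n", stderr);`, would make that visible. `trusts[trust]` is also indexed straight from `httpCredentialsGetTrust()` with no range check against the six-entry table, so a guard such as `if ((size_t)trust >= sizeof(trusts) / sizeof(trusts[0])) return (CUPS_BACKEND_STOP);` before the lookup would fail closed if the enum ever gains a value. The new `else` branch passes `"cups-pki-unknown"` without the `+` prefix used in the table and without first clearing the other `cups-pki-*` keywords as the success path does; update_reasons() is defined outside this hunk, so please confirm the unprefixed form is intended. main() begins and continues outside the hunk, so whether any request is sent on the connection before this check cannot be confirmed from here.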