author | Michael Sweet <michael.r.sweet@gmail.com> | 2016-05-18 14:42:37 -0400 |
---|---|---|
committer | Michael Sweet <michael.r.sweet@gmail.com> | 2016-05-18 14:42:37 -0400 |
commit | 08d56b1fb9bb10d0cf7d20fd3d9eb763a8fb68a6 (patch) | |
tree | a4606f8bff1108d78c4c1f8afe491b95cb048599 /cups/tls-darwin.c | |
parent | 71d227bf28c2fb6c7c0210bb02dfb991434d4674 (diff) | |
download | cups-08d56b1fb9bb10d0cf7d20fd3d9eb763a8fb68a6.tar.gz |
Implement TrustOnFirstUse option and CRLs (GNU TLS) to allow for printing only
to trusted printers/servers (<rdar://problem/25711658>)
This change also makes the default value of AllowExpiredCerts NO instead of YES.
Finally, add support for loading most client.conf options (NOT ServerName or
User) from /Library/Printers/org.cups.PrintingPrefs.plist on OS X.
Diffstat (limited to 'cups/tls-darwin.c')
-rw-r--r-- | cups/tls-darwin.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/cups/tls-darwin.c b/cups/tls-darwin.c index aad2db490..ab9fedc6a 100644 --- a/cups/tls-darwin.c +++ b/cups/tls-darwin.c @@ -629,8 +629,15 @@ httpCredentialsGetTrust( * credentials and allow if the new ones have a later expiration... */ - if (httpCredentialsGetExpiration(credentials) <= httpCredentialsGetExpiration(tcreds) || - !httpCredentialsAreValidForName(credentials, common_name)) + if (!cg->trust_first) + { + /* + * Do not trust certificates on first use... + */ + + trust = HTTP_TRUST_INVALID; + } + else if (httpCredentialsGetExpiration(credentials) <= httpCredentialsGetExpiration(tcreds) || !httpCredentialsAreValidForName(credentials, common_name)) { /* * Either the new credentials are not newly issued, or the common name @@ -660,6 +667,8 @@ httpCredentialsGetTrust( trust = HTTP_TRUST_EXPIRED; else if (!cg->any_root && cupsArrayCount(credentials) == 1) trust = HTTP_TRUST_INVALID; + else if (!cg->trust_first) + trust = HTTP_TRUST_INVALID; CFRelease(secCert); |
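Review bot: In the first hunk (@@ -629,8 +629,15 @@), the comment inside the new `if (!cg->trust_first)` branch says "Do not trust certificates on first use...", but this code sits under the existing comment about comparing against stored credentials and allowing new ones with a later expiration, so it runs when `credentials` differs from `tcreds`, not on first contact. Reword the comment to say what the branch actually does: with TrustOnFirstUse off, a certificate that differs from the stored one is rejected as `HTTP_TRUST_INVALID` even when it is newly issued and valid for `common_name`. That behaviour should also be stated in the option's documentation, since renewed printer certificates will then need manual handling. As a style point, the rewritten `else if` now puts both conditions on one long line where the removed code split them across two; keeping the split would match the surrounding file.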
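Review bot: In the second hunk (@@ -660,6 +667,8 @@), the added `else if (!cg->trust_first)` branch has no comment, unlike the matching branch in the first hunk, and it comes last in the chain, so it is only evaluated when the expiry check and the `!cg->any_root && cupsArrayCount(credentials) == 1` check have both not fired. Add a comment saying which case this covers and confirm that no earlier branch of the chain can leave `trust` at an accepting value while `trust_first` is off. It also returns the same `HTTP_TRUST_INVALID` as the `any_root` check directly above, so a caller cannot tell a rejected self-signed certificate from one rejected only because TrustOnFirstUse is disabled; if the distinction matters for error reporting, it needs a separate message or trust value.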