[cups.development] [RFE] STR #2146: Handle certificate chains

Jens Larsson jens at isy.liu.se
Wed Dec 13 04:09:32 PST 2006


DO NOT REPLY TO THIS MESSAGE.  INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.

[STR New]

In a certificate chain there is a trusted root certificate installed
in the browser that has signed a signing certificate that has signed
the server certificate used by the cups server. To validate the
certificate chain the server must send both the signing and the server
certificate to the client. This is not possible in cups right now.

The configuration option ServerCertificate in cupsd.conf points to a
file containing just the server certificate and in scheduler/client.c
the OpenSSL function SSL_CTX_use_certificate_file is used. This
function reads the first certificate from the file and uses it as the
server certificate together with the key from ServerKey. By just
replacing SSL_CTX_use_certificate_file with
SSL_CTX_use_certificate_chain_file it is possible to put both the
server and signing certificate (in that order) into the
ServerCertificate file. A better solution would be to add the option
ServerChainCertificate to cupsd.conf. Compare this with httpd.conf:

	SSLCertificateFile
	SSLCertificateChainFile
	SSLCertificateKeyFile
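The following script is an added example and is not part of the STR or of CUPS itself. It uses the openssl command-line tool to build a constructed three-tier PKI (root CA, intermediate signing CA, server certificate; all names are made up) and then shows the two situations the report describes: a client that trusts only the root cannot validate a server that presents just its own certificate, but can once the intermediate is sent as well. It also includes the check a CUPS administrator would want before pointing ServerCertificate at a bundle: that the file is ordered leaf first and that each certificate is followed by its issuer, which is the order SSL_CTX_use_certificate_chain_file expects.

```shell
#!/bin/sh
# Added example, not CUPS code. Assumes the `openssl` binary is on PATH.
# All subject names and the DNS name cups.example are constructed.

# Run a command silently, keeping its exit status.
q() { "$@" >/dev/null 2>&1; }

# Create root CA, intermediate CA and server certificate in directory $1,
# plus chain.pem = server certificate followed by the intermediate, i.e.
# the order a ServerCertificate bundle needs for SSL_CTX_use_certificate_chain_file.
build_demo_pki() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:cups.example\n' > "$dir/server.ext"
    # EC keys keep key generation fast; the key type does not matter for the chain logic.
    for name in root intermediate server; do
        q openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$name.key" || return 1
    done
    q openssl req -new -key "$dir/root.key" -subj "/CN=Constructed Root CA" -out "$dir/root.csr" || return 1
    q openssl req -new -key "$dir/intermediate.key" -subj "/CN=Constructed Intermediate CA" -out "$dir/intermediate.csr" || return 1
    q openssl req -new -key "$dir/server.key" -subj "/CN=cups.example" -out "$dir/server.csr" || return 1
    # Root is self-signed; intermediate is signed by root; server by intermediate.
    q openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" || return 1
    q openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -extfile "$dir/ca.ext" -out "$dir/intermediate.pem" || return 1
    q openssl x509 -req -in "$dir/server.csr" -CA "$dir/intermediate.pem" -CAkey "$dir/intermediate.key" \
        -CAcreateserial -days 30 -extfile "$dir/server.ext" -out "$dir/server.pem" || return 1
    cat "$dir/server.pem" "$dir/intermediate.pem" > "$dir/chain.pem"
}

# Client trusts only the root (like a browser) and the server presented only
# its own certificate: what SSL_CTX_use_certificate_file gives you today.
client_validates_leaf_only() {
    if q openssl verify -CAfile "$1/root.pem" "$1/server.pem"; then return 0; else return 1; fi
}

# Same client, but the server also presented the intermediate from chain.pem.
client_validates_with_chain() {
    if q openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" "$1/server.pem"; then return 0; else return 1; fi
}

# Check that a PEM bundle is ordered leaf first: each certificate's issuer
# must be the subject of the certificate that follows it.
check_chain_order() {
    bundle=$1
    work=$(mktemp -d)
    awk -v d="$work" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/cert" n ".pem")}' "$bundle"
    i=1
    status=0
    while [ -f "$work/cert$((i+1)).pem" ]; do
        issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$work/cert$i.pem" | sed 's/^[^=]*=//')
        subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$work/cert$((i+1)).pem" | sed 's/^[^=]*=//')
        if [ "$issuer" != "$subject" ]; then
            echo "certificate $i is issued by '$issuer' but is followed by '$subject'" >&2
            status=1
        fi
        i=$((i+1))
    done
    rm -rf "$work"
    return $status
}

# Usage: sh chain_demo.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    build_demo_pki "$d" || exit 1
    if client_validates_leaf_only "$d"; then echo "leaf only: validated"; else echo "leaf only: client cannot build the chain"; fi
    if client_validates_with_chain "$d"; then echo "with chain: validated"; else echo "with chain: failed"; fi
    if check_chain_order "$d/chain.pem"; then echo "chain.pem is ordered leaf first"; fi
    rm -rf "$d"
fi
```

The order check is the part worth keeping around: a bundle with the intermediate before the leaf loads without error but makes the server present the wrong certificate, and the failure only shows up on the client side.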

/jens

Link: http://www.cups.org/str.php?L2146
Version:  -feature
