Add SSL/TLS certificate validation/revocation

[michaelrsweet]

Version: 2.0-feature
CUPS.org User: mike

The current SSL/TLS support does not so any certificate validation or revocation. Need to add a certificate callback mechanism to the CUPS API which returns accept temporarily, accept permanently, or reject the certificate, and the results should be cached in "~/.cups".

The functionality should be similar to Subversion and ssh...

[michaelrsweet]

CUPS.org User: odyx

This STR issue has been pointed out while we were discussing how Debian would handle the license-wise impossibility to build against recent GnuTLS versions on the thread starting on https://lists.debian.org/debian-devel/2014/01/msg00205.html

It would be nice to have this fixed in a proper way a little earlier than in 2.0, what do you think?

[michaelrsweet]

CUPS.org User: mike

Didier,

Since CUPS 2.0 is removing OpenSSL support entirely, the solution would seem to be to declare GnuTLS and its dependents as system libraries, just like glibc.

(Sadly, we've looked at all of the open source TLS implementations. There really isn't a satisfactory choice, and certainly none that truly avoids the GPL minefield that the FSF has created...)

[michaelrsweet]

CUPS.org User: mike

This is implemented for OS X but still needs work for GNU TLS and SSPI.

[michaelrsweet]

CUPS.org User: mike

GNU TLS server side stuff is once again working. Just need to finish implementing the cert validation code and we should be good to go.

Windows still needs to be implemented (last on the list, but needed for the IPP Everywhere test suite).

[michaelrsweet]

CUPS.org User: mike

Fixed in Subversion repository.

For those playing along at home, "man client.conf" for a description of the certificate validation/policy options. Self-signed certificates are tracked automatically so that we can detect when they have changed, ssh-style.