
httpConnectAgain should require the same X.509 certificate

Open michaelrsweet opened this issue 1 year ago • 2 comments

httpConnectAgain doesn't make sure that the new connection is using the same X.509 certificate as the original connection. The new connection should either have the same certificate or pass strict cupsGetCredentialsTrust tests.

michaelrsweet, Sep 26 '24 13:09

Will also investigate what can be done for 2.4.x, but that code has the old X.509 support code and isn't as capable.

michaelrsweet, Sep 26 '24 13:09

Note: Since the connection address is cached in http_t, exploiting this issue is non-trivial.

michaelrsweet, Sep 26 '24 13:09

Hmm, it looks like I fixed this a year ago!

michaelrsweet, Oct 21 '25 15:10
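
The rule stated in the issue description (same certificate on reconnect, or else pass a strict trust check) as an added example; this is not CUPS code and not the fix referred to in the thread. All types and names here (`peer_cert_t`, `reconnect_check`, `strict_trust_cb_t`) are hypothetical, the callback is a stand-in for a strict trust evaluation, and the original connection is assumed to have used TLS.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical types for this example; none of these are libcups API. */
typedef struct {
  const unsigned char *der; /* DER-encoded leaf certificate, NULL if none */
  size_t len;
} peer_cert_t;

typedef enum { RECONNECT_SAME_CERT, RECONNECT_TRUSTED, RECONNECT_REJECT } reconnect_t;

/* Stand-in for a strict trust evaluation of a certificate for a host. */
typedef bool (*strict_trust_cb_t)(const peer_cert_t *cert, const char *host);

static bool certs_equal(const peer_cert_t *a, const peer_cert_t *b)
{
  return a->der && b->der && a->len > 0 && a->len == b->len &&
         memcmp(a->der, b->der, a->len) == 0;
}

/* Decide whether a re-established connection may be used in place of the old one. */
reconnect_t reconnect_check(const peer_cert_t *original, const peer_cert_t *fresh,
                            const char *host, strict_trust_cb_t strict_trust)
{
  if (!fresh || !fresh->der || fresh->len == 0)
    return RECONNECT_REJECT;      /* new peer presented no certificate */
  if (original && certs_equal(original, fresh))
    return RECONNECT_SAME_CERT;   /* byte-identical certificate */
  if (strict_trust && strict_trust(fresh, host))
    return RECONNECT_TRUSTED;     /* different cert that passed the strict check */
  return RECONNECT_REJECT;        /* different cert, not trusted */
}

/* Constructed sample data: short byte strings standing in for DER certificates. */
const unsigned char CERT_A[] = { 0x30, 0x82, 0x01, 0x0a, 0xaa };
const unsigned char CERT_B[] = { 0x30, 0x82, 0x01, 0x0a, 0xbb };
bool trust_none(const peer_cert_t *c, const char *h) { (void)c; (void)h; return false; }
bool trust_all(const peer_cert_t *c, const char *h) { (void)c; (void)h; return true; }

int main(void)
{
  peer_cert_t a = { CERT_A, sizeof(CERT_A) }, b = { CERT_B, sizeof(CERT_B) };
  /* Exit status 0 when: same cert accepted, changed cert accepted only via callback. */
  return !(reconnect_check(&a, &a, "printer.example", trust_none) == RECONNECT_SAME_CERT &&
           reconnect_check(&a, &b, "printer.example", trust_none) == RECONNECT_REJECT &&
           reconnect_check(&a, &b, "printer.example", trust_all) == RECONNECT_TRUSTED);
}
```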