OpenPrinting / cups

OpenPrinting CUPS Sources
https://openprinting.github.io/cups
Apache License 2.0

httpConnectAgain should require the same X.509 certificate #1061

Open michaelrsweet opened 1 month ago

michaelrsweet commented 1 month ago

httpConnectAgain doesn't make sure that the new connection is using the same X.509 certificate as the original connection. The new connection should either have the same certificate or pass strict cupsGetCredentialsTrust tests.

michaelrsweet commented 1 month ago

Will also investigate what can be done for 2.4.x, but that code has the old X.509 support code and isn't as capable.

michaelrsweet commented 1 month ago

Note: Since the connection address is cached in http_t, exploiting this issue is non-trivial.
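
The policy asked for in the issue description (same certificate, or a new one that passes strict trust checks), sketched as an added example that is not part of the issue thread and is not CUPS code. All names are hypothetical, `strict_trust_ok` stands in for the outcome of a strict trust evaluation, and the comparison is a textual match of the PEM leaf body, where a real implementation would compare DER bytes or a fingerprint.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; these are not CUPS types or functions. */
typedef enum { RECONNECT_SAME_CERT, RECONNECT_TRUSTED_NEW_CERT, RECONNECT_REJECT } reconnect_t;

/* Constructed sample credentials (not real certificates). */
static const char CRED_A[] = "-----BEGIN CERTIFICATE-----\nTUlJQ2NvbnN0cnVjdGVk\nU2FtcGxlQQ==\n-----END CERTIFICATE-----\n";
static const char CRED_A_REWRAPPED[] = "-----BEGIN CERTIFICATE-----\r\nTUlJQ2Nvbn\r\nN0cnVjdGVkU2FtcGxlQQ==\r\n-----END CERTIFICATE-----\r\n";
static const char CRED_B[] = "-----BEGIN CERTIFICATE-----\nTUlJQ2NvbnN0cnVjdGVk\nU2FtcGxlQg==\n-----END CERTIFICATE-----\n";

/* Locate the base64 body of the first (leaf) certificate in a PEM string. */
static const char *leaf_body(const char *pem, size_t *len) {
  static const char begin[] = "-----BEGIN CERTIFICATE-----", end[] = "-----END CERTIFICATE-----";
  const char *start = pem ? strstr(pem, begin) : NULL, *stop;
  if (!start) return NULL;
  start += sizeof(begin) - 1;
  if ((stop = strstr(start, end)) == NULL) return NULL;
  *len = (size_t)(stop - start);
  return start;
}

/* True when both PEM strings carry the same non-empty leaf body, ignoring line wrapping. */
static bool same_leaf(const char *a, const char *b) {
  size_t alen = 0, blen = 0, i = 0, j = 0, matched = 0;
  const char *x = leaf_body(a, &alen), *y = leaf_body(b, &blen);
  if (!x || !y) return false;
  for (;;) {
    while (i < alen && isspace((unsigned char)x[i])) i++;
    while (j < blen && isspace((unsigned char)y[j])) j++;
    if (i == alen || j == blen) return i == alen && j == blen && matched > 0;
    if (x[i++] != y[j++]) return false;
    matched++;
  }
}

/* Allow a reconnect only for the pinned certificate, or a new one that passed strict trust checks. */
reconnect_t reconnect_check(const char *pinned, const char *fresh, bool strict_trust_ok) {
  size_t unused = 0;
  if (same_leaf(pinned, fresh)) return RECONNECT_SAME_CERT;
  if (leaf_body(fresh, &unused) && strict_trust_ok) return RECONNECT_TRUSTED_NEW_CERT;
  return RECONNECT_REJECT; /* changed, missing, or unparseable credentials */
}

int main(void) {
  printf("same cert, rewrapped: %d\n", (int)reconnect_check(CRED_A, CRED_A_REWRAPPED, false));
  printf("new cert, untrusted:  %d\n", (int)reconnect_check(CRED_A, CRED_B, false));
  printf("new cert, trusted:    %d\n", (int)reconnect_check(CRED_A, CRED_B, true));
  return 0;
}
```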