From 8b56e1b69501783984620e2c79c52457e14c3557 Mon Sep 17 00:00:00 2001 From: Liu Zheng Date: Tue, 2 Jun 2026 17:54:30 +0800 Subject: [PATCH] Auto-regenerate expired self-signed certificates _httpTLSStart checked whether certificate files exist on disk via access() but never verified whether they have expired. When an auto-generated self-signed certificate expired, CUPS continued using it instead of creating a new one. Add a cupsGetCredentialsExpiration() check so that expired certs are treated as missing, triggering the existing auto-create code path. Fixes: #1519
---
cups/tls-gnutls.c | 2 +- cups/tls-openssl.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
index f7ac74952..ba51d0ca6 100644
--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
@@ -1836,7 +1836,7 @@ _httpTLSStart(http_t *http) // I - Connection to server
 }
 }
- have_creds = !access(crtfile, R_OK) && !access(keyfile, R_OK);
+ have_creds = !access(crtfile, R_OK) && !access(keyfile, R_OK) && cupsGetCredentialsExpiration(crtfile) > time(NULL);
 }
 if (!have_creds && tls_auto_create && cn)
diff --git a/cups/tls-openssl.c b/cups/tls-openssl.c
index 6396a03e2..cac26f29b 100644
--- a/cups/tls-openssl.c
+++ b/cups/tls-openssl.c
@@ -1900,7 +1900,7 @@ _httpTLSStart(http_t *http) // I - Connection to server
 }
 }
- have_creds = !access(crtfile, R_OK) && !access(keyfile, R_OK);
+ have_creds = !access(crtfile, R_OK) && !access(keyfile, R_OK) && cupsGetCredentialsExpiration(crtfile) > time(NULL);
 }
 if (!have_creds && tls_auto_create && cn)
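Review bot: The added `cupsGetCredentialsExpiration(crtfile)` call in the `have_creds` line of both hunks (tls-gnutls.c and tls-openssl.c) passes a file path, whereas that function, as far as I know, parses PEM-encoded credential text and returns 0 when it cannot; this needs confirming against its declaration. If that holds, `have_creds` is false on every call, and whenever `tls_auto_create` and `cn` are set each `_httpTLSStart` would presumably regenerate the certificate, changing the server identity for clients that pinned the previous one. The check should then run on the certificate text, e.g. `have_creds = pem && cupsGetCredentialsExpiration(pem) > time(NULL);` after the two `access()` tests, where `pem` is a constructed name for a buffer holding the contents of `crtfile`. The test also applies to any certificate at `crtfile`, not only auto-generated ones, so a comment such as `// Expired credentials are treated as missing and replaced by the auto-create path below`, plus a log message on that path, would make the replacement visible to administrators. `_httpTLSStart` starts and ends outside both hunks.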