CUPS client is incapable of printing to an SSL enabled CUPS server #653

Closed
michaelrsweet opened this Issue Mar 25, 2004 · 16 comments

Collaborator

michaelrsweet commented Mar 25, 2004

Version: 1.1.17
CUPS.org User: minfrin.sharp

If CUPS is set up as a secure SSL-enabled print server, Windows IPP print clients have no problems printing to this server.

In addition, the CUPS web-based interface has no problems attaching to the CUPS server, and viewing the status of printers.

lpr as supplied by CUPS, however, is incapable of connecting to the CUPS server when SSL is switched on. This makes it impossible to print from legacy Unix applications that print to lpr. (This is an enormous showstopper for us, as we have to temporarily downgrade the print server to non-secure in order to print out the monthly invoice run, during which time Windows printers cannot print.)

lpq has the same problem.

If an attempt is made to run an strace on lpq, it shows that it does open /etc/cups/client.conf, however the "Encryption Always" config is ignored.

The cups log shows that attempts are made to connect to the CUPS server clear text, which causes SSL to complain:

E [25/Mar/2004:14:25:59 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
E [25/Mar/2004:14:25:59 +0200] Bad request line "/1.1"!
E [25/Mar/2004:14:25:59 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request

Please can you fix this bug urgently, as it means that Unix-based printers cannot participate in a secure printing environment.

Collaborator

michaelrsweet commented Mar 25, 2004

CUPS.org User: mike

Is your CUPS client built with encryption support? "ldd /usr/bin/lpr" should show libssl and some others if so.

Also, it would be more useful for you to do your testing against a recent release of CUPS...

Collaborator

michaelrsweet commented Mar 25, 2004

CUPS.org User: minfrin.sharp

[minfrin@gatekeeper patricia]$ ldd /usr/bin/lpr
libcups.so.2 => /usr/lib/libcups.so.2 (0xb75d0000)
libnsl.so.1 => /lib/libnsl.so.1 (0xb75ab000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0xb757e000)
libc.so.6 => /lib/tls/libc.so.6 (0xb7446000)
libssl.so.4 => /lib/libssl.so.4 (0xb7412000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0xb7321000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0xb75eb000)
libgssapi_krb5.so.2 => /usr/kerberos/lib/libgssapi_krb5.so.2 (0xb730d000)
libkrb5.so.3 => /usr/kerberos/lib/libkrb5.so.3 (0xb72af000)
libcom_err.so.3 => /usr/kerberos/lib/libcom_err.so.3 (0xb72ad000)
libk5crypto.so.3 => /usr/kerberos/lib/libk5crypto.so.3 (0xb729d000)
libresolv.so.2 => /lib/libresolv.so.2 (0xb728b000)
libdl.so.2 => /lib/libdl.so.2 (0xb7288000)
libz.so.1 => /usr/lib/libz.so.1 (0xb7279000)

Seems SSL support is there.

The version of CUPS is cups-1.1.17-13.3.6 as supplied by RHEL v3.0; I would like to avoid custom RPMs if I possibly can. If I can confirm that the problem is specific to Red Hat, I'll be able to chase them. A bug report is open with them, but they have not been proactive about the problem so far.

Collaborator

michaelrsweet commented Mar 25, 2004

CUPS.org User: mike

There have been several key changes to the SSL support between 1.1.17 and 1.1.20, so before we could offer any support for this issue, we'd need you to test against 1.1.20 and not RedHat's hacked up version.

Collaborator

michaelrsweet commented Mar 30, 2004

CUPS.org User: minfrin.sharp

Just installed v1.1.20, building it like so:

rpmbuild -tb cups-1.1.20-source.tar.gz

And when you crank up the server it does this:

[root@gatekeeper root]# service cups start
cupsd: Child exited on signal 11!
cups: unable to start scheduler.

Collaborator

michaelrsweet commented Mar 30, 2004

CUPS.org User: mike

Please post the /var/log/cups/error_log file.

Collaborator

michaelrsweet commented Mar 30, 2004

CUPS.org User: minfrin.sharp

E [30/Mar/2004:23:16:01 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
E [30/Mar/2004:23:16:01 +0200] Bad request line "/1.1"!
E [30/Mar/2004:23:16:01 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
E [30/Mar/2004:23:16:01 +0200] Bad request line "/1.1"!
E [30/Mar/2004:23:16:11 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
E [30/Mar/2004:23:16:11 +0200] Bad request line "/1.1"!
E [30/Mar/2004:23:16:11 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
E [30/Mar/2004:23:16:11 +0200] Bad request line "/1.1"!

Collaborator

michaelrsweet commented Apr 2, 2004

CUPS.org User: mike

Can you attach the client.conf file for your system?

Collaborator

michaelrsweet commented Apr 2, 2004

CUPS.org User: anonymous

My posting to cups.bugs just now appears to be relevant to this case. I've successfully gotten both Windows XP and the CUPS clients to talk SSL to the CUPS server compiled from the 1.2.x CVS tree. However, as you can see below, there are some connection problems.

Note that some of the debug lines below are mine, had to add more info to find out what was wrong before I got it working.

Copy of post:

Hi!

I've got my test cupsd set up with the proper certificates, and forced clients to connect using SSL. This works fine, both from Windows and the stock cups clients. However, the SSL negotiation appears to need a bit of work, unless I've configured something wrong.

The command itself works fine. But it takes quite a few seconds to finish:

bash-2.05b# lpoptions -p bbugh -l -E
HPEconoMode/EconoMode: *PrinterDefault True False
HPJobName/Job Name: *DocName Set
[...]

And when I look at the server logs, I see the following:

d [02/Apr/2004:23:57:48 +0200] AcceptClient(lis=0x80921f8) 0 NumClients = 0
D [02/Apr/2004:23:57:48 +0200] AcceptClient: 9 from localhost:631.
d [02/Apr/2004:23:57:48 +0200] AcceptClient: Adding fd 9 to InputSet...
E [02/Apr/2004:23:57:48 +0200] Looking for key /etc/cups/ssl/server.key
E [02/Apr/2004:23:57:48 +0200] Looking for cert /etc/cups/ssl/server.crt
E [02/Apr/2004:23:57:48 +0200] EncryptClient: Unable to encrypt connection from localhost!
E [02/Apr/2004:23:57:48 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
d [02/Apr/2004:23:57:48 +0200] ReadClient: 9, used=0, file=-1
E [02/Apr/2004:23:57:48 +0200] Bad request line "/1.1" from localhost!
D [02/Apr/2004:23:57:48 +0200] SendError: 9 code=400 (Bad Request)
D [02/Apr/2004:23:57:48 +0200] CloseClient: 9
d [02/Apr/2004:23:57:48 +0200] CloseClient: Removing fd 9 from InputSet and OutputSet...
d [02/Apr/2004:23:57:48 +0200] AcceptClient(lis=0x80921f8) 0 NumClients = 0
D [02/Apr/2004:23:57:48 +0200] AcceptClient: 9 from localhost:631.
d [02/Apr/2004:23:57:48 +0200] AcceptClient: Adding fd 9 to InputSet...
E [02/Apr/2004:23:57:48 +0200] Looking for key /etc/cups/ssl/server.key
E [02/Apr/2004:23:57:48 +0200] Looking for cert /etc/cups/ssl/server.crt
E [02/Apr/2004:23:57:48 +0200] EncryptClient: Unable to encrypt connection from localhost!
E [02/Apr/2004:23:57:48 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
d [02/Apr/2004:23:57:48 +0200] ReadClient: 9, used=0, file=-1
E [02/Apr/2004:23:57:48 +0200] Bad request line "/1.1" from localhost!
D [02/Apr/2004:23:57:48 +0200] SendError: 9 code=400 (Bad Request)
[...]

A large, seemingly random, number of failed connections before it actually works:

d [02/Apr/2004:23:57:48 +0200] AcceptClient(lis=0x80921f8) 0 NumClients = 0
D [02/Apr/2004:23:57:48 +0200] AcceptClient: 9 from localhost:631.
d [02/Apr/2004:23:57:48 +0200] AcceptClient: Adding fd 9 to InputSet...
E [02/Apr/2004:23:57:48 +0200] Looking for key /etc/cups/ssl/server.key
E [02/Apr/2004:23:57:48 +0200] Looking for cert /etc/cups/ssl/server.crt
E [02/Apr/2004:23:57:48 +0200] EncryptClient: Unable to encrypt connection from localhost!
E [02/Apr/2004:23:57:48 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
d [02/Apr/2004:23:57:48 +0200] ReadClient: 9, used=0, file=-1
E [02/Apr/2004:23:57:48 +0200] Bad request line "/1.1" from localhost!
D [02/Apr/2004:23:57:48 +0200] SendError: 9 code=400 (Bad Request)
D [02/Apr/2004:23:57:48 +0200] CloseClient: 9
d [02/Apr/2004:23:57:48 +0200] CloseClient: Removing fd 9 from InputSet and OutputSet...
d [02/Apr/2004:23:57:48 +0200] AcceptClient(lis=0x80921f8) 0 NumClients = 0
D [02/Apr/2004:23:57:48 +0200] AcceptClient: 9 from localhost:631.
d [02/Apr/2004:23:57:48 +0200] AcceptClient: Adding fd 9 to InputSet...
E [02/Apr/2004:23:57:48 +0200] Looking for key /etc/cups/ssl/server.key
E [02/Apr/2004:23:57:48 +0200] Looking for cert /etc/cups/ssl/server.crt
D [02/Apr/2004:23:57:48 +0200] EncryptClient: 9 Connection from localhost now encrypted.
d [02/Apr/2004:23:57:48 +0200] ReadClient: 9, used=0, file=-1
D [02/Apr/2004:23:57:48 +0200] ReadClient: 9 POST / HTTP/1.1
d [02/Apr/2004:23:57:49 +0200] decode_auth(0x40392008): Authorization string = ""
d [02/Apr/2004:23:57:49 +0200] decode_auth: 9 username=""
d [02/Apr/2004:23:57:49 +0200] POST /
d [02/Apr/2004:23:57:49 +0200] CONTENT_TYPE = application/ipp
d [02/Apr/2004:23:57:49 +0200] ReadClient: 9 con->data_encoding = length, con->data_remaining = 77, con->file = -1
d [02/Apr/2004:23:57:49 +0200] ReadClient: 9, used=0, file=-1
d [02/Apr/2004:23:57:49 +0200] ReadClient: 9 con->data_encoding = length, con->data_remaining = 69, con->file = -1
d [02/Apr/2004:23:57:49 +0200] ReadClient: 9, used=0, file=-1
d [02/Apr/2004:23:57:49 +0200] ReadClient: 9 con->data_encoding = length, con->data_remaining = 35, con->file = -1
d [02/Apr/2004:23:57:49 +0200] ReadClient: 9, used=0, file=-1
d [02/Apr/2004:23:57:49 +0200] ReadClient: 9 con->data_encoding = length, con->data_remaining = 1, con->file = -1
d [02/Apr/2004:23:57:49 +0200] get_default(0x40392008[9])
d [02/Apr/2004:23:57:49 +0200] copy_attrs(0x84f7c10, 0x8163f98, (nil), 0)
d [02/Apr/2004:23:57:49 +0200] copy_attribute(0x84f7c10, printer-uri-supported)
d [02/Apr/2004:23:57:49 +0200] copy_attribute(0x84f7c10, uri-authentication-supported)
d [02/Apr/2004:23:57:49 +0200] copy_attribute(0x84f7c10, uri-security-supported)
d [02/Apr/2004:23:57:49 +0200] copy_attribute(0x84f7c10, printer-name)
d [02/Apr/2004:23:57:49 +0200] copy_attribute(0x84f7c10, printer-location)
d [02/Apr/2004:23:57:49 +0200] copy_attribute(0x84f7c10, printer-info)
d [02/Apr/2004:23:57:49 +0200] copy_attribute(0x84f7c10, printer-more-info)
d [02/Apr/2004:23:57:49 +0200] copy_attribute(0x84f7c10, job-quota-period)
d [02/Apr/2004:23:57:49 +0200] copy_attribute(0x84f7c10, job-k-limit)
d [02/Apr/2004:23:57:49 +0200] copy_attribute(0x84f7c10, job-page-limit)
[...]

The number of failed tries varies randomly between 0 and several thousand (sic), no two tries in a row give the same number.

client.conf has Encryption Always, cupsd.conf has Encryption Required inside the parts. Tried Always there as well, but warnings in the logs told me that cupsd bumped those to Required anyway.

Any ideas?
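The pattern in the logs quoted in this thread (an `SSL23_GET_CLIENT_HELLO:http request` error each time a client speaks cleartext HTTP to the SSL listener, then eventually "now encrypted") can be counted per client host. This is an added example, not code from the posters or from CUPS; the function name `triage` and the sample log are constructed, and a host is attributed from the preceding `AcceptClient` line, which only appears at debug log level.

```python
import re
from collections import Counter

# Constructed sample in the error_log format quoted in this thread.
SAMPLE_LOG = """\
E [25/Mar/2004:14:25:59 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
D [02/Apr/2004:23:57:48 +0200] AcceptClient: 9 from localhost:631.
E [02/Apr/2004:23:57:48 +0200] EncryptClient: Unable to encrypt connection from localhost!
E [02/Apr/2004:23:57:48 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
E [02/Apr/2004:23:57:48 +0200] Bad request line "/1.1" from localhost!
D [02/Apr/2004:23:57:48 +0200] CloseClient: 9
D [02/Apr/2004:23:57:48 +0200] AcceptClient: 9 from localhost:631.
E [02/Apr/2004:23:57:48 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
D [02/Apr/2004:23:57:48 +0200] CloseClient: 9
D [02/Apr/2004:23:57:48 +0200] AcceptClient: 9 from localhost:631.
D [02/Apr/2004:23:57:48 +0200] EncryptClient: 9 Connection from localhost now encrypted.
"""

LINE = re.compile(r"^(?P<level>[A-Za-z]) \[(?P<ts>[^\]]+)\] (?P<msg>.*)$")
ACCEPT = re.compile(r"^AcceptClient: (?P<fd>\d+) from (?P<host>[^:\s]+):\d+\.$")
PLAINTEXT = "SSL23_GET_CLIENT_HELLO:http request"  # HTTP bytes where a ClientHello was expected


def triage(log_text):
    """Return (cleartext_attempts, encrypted_connections), each a dict keyed by host."""
    plaintext, encrypted = Counter(), Counter()
    current = None  # host of the most recently accepted, not yet closed, connection
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an error_log record
        msg = m.group("msg")
        acc = ACCEPT.match(msg)
        if acc:
            current = acc.group("host")
        elif msg.startswith("CloseClient:"):
            current = None
        elif PLAINTEXT in msg:
            plaintext[current or "unknown"] += 1
        elif msg.startswith("EncryptClient:") and msg.endswith("now encrypted."):
            encrypted[current or "unknown"] += 1
    return dict(plaintext), dict(encrypted)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A host with a non-zero cleartext count is running at least one client that ignores or lacks an "Encryption Always" setting.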

Collaborator

michaelrsweet commented Apr 9, 2004

CUPS.org User: mike

You MUST use SSLPort/SSLListen in cupsd.conf if you use "Encryption Always" in client.conf. Please confirm that you are using SSLPort or SSLListen in the server's cupsd.conf file.
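The rule stated above can be checked mechanically against a pair of configuration files. This is an added example, not part of the thread or of CUPS: the function names and sample files are constructed, the second check is the converse inferred from the "http request" error logged earlier in this issue, and port numbers are assumed to match and are not compared.

```python
# Constructed sample files; directive names are the ones quoted in this thread.
CLIENT_ALWAYS = "ServerName ipp.example.test\nEncryption Always\n#Encryption Never\n"
CLIENT_REQUIRED = "ServerName ipp.example.test\nEncryption Required\n"
CUPSD_PLAIN_ONLY = "Listen 0.0.0.0:631\n<Location />\nEncryption Required\n</Location>\n"
CUPSD_TLS_ONLY = "SSLListen 0.0.0.0:631\n"


def directives(conf_text):
    """Map lower-cased directive name -> list of values, skipping comments and <...> tags."""
    found = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        found.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return found


def check(client_conf, cupsd_conf):
    """Return a list of mismatches between client.conf and cupsd.conf text."""
    client, server = directives(client_conf), directives(cupsd_conf)
    # Default is IfRequested, per the sample client.conf attached to this issue.
    mode = client.get("encryption", ["IfRequested"])[-1].lower()
    tls = server.get("ssllisten", []) + server.get("sslport", [])
    plain = server.get("listen", []) + server.get("port", [])
    problems = []
    if mode == "always" and not tls:
        # Client starts SSL immediately; the server has no listener that expects it.
        problems.append("client.conf has Encryption Always but cupsd.conf has no SSLListen/SSLPort")
    if mode != "always" and tls and not plain:
        # Client opens in cleartext; the server only has listeners that expect SSL first.
        problems.append(f"client.conf has Encryption {mode} but cupsd.conf only offers SSLListen/SSLPort")
    return problems


if __name__ == "__main__":
    for client, server in [(CLIENT_ALWAYS, CUPSD_PLAIN_ONLY), (CLIENT_REQUIRED, CUPSD_TLS_ONLY)]:
        print(check(client, server))
```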

Collaborator

michaelrsweet commented Apr 20, 2004

CUPS.org User: minfrin.sharp

"SSLListen" is being used in this case. There is no use of "Listen" anywhere in the file.

In this case, SSLListen and Encryption Always are being used. The CUPS web-based config works, lpr and lpq do not work.

Collaborator

michaelrsweet commented May 10, 2004

CUPS.org User: mike

OK, are you using CUPS 1.1.17 for these tests? Your previous message indicated that the 1.1.20 code did not work for you - did you revert to 1.1.17 again?

Collaborator

michaelrsweet commented May 13, 2004

CUPS.org User: twaugh.redhat

In cups/dest.c, function cups_get_sdests(), try making this change:

  • if ((http = httpConnect(cupsServer(), ippPort())) == NULL)
  • if ((http = httpConnectEncrypt(cupsServer(), ippPort(),
  •                            cupsEncryption())) == NULL)
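
Review bot: the switch to httpConnectEncrypt(cupsServer(), ippPort(), cupsEncryption()) is made only at this one call in cups_get_sdests(), so any other place that still calls httpConnect(cupsServer(), ippPort()) will keep opening a cleartext connection regardless of the Encryption setting in client.conf. Search the library and the command-line clients for remaining httpConnect( callers and convert them in the same change, and confirm that the == NULL path reports the failure rather than retrying without encryption. The first bulleted line is the one being replaced and the next two are its replacement; the diff markers were lost in rendering.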
    

It doesn't seem to make the problem go away, but it is at least one source of unencrypted connections.

Collaborator

michaelrsweet commented May 13, 2004

CUPS.org User: twaugh.redhat

Actually, now that I've corrected my cupsd.conf (only had Allow From 127.0.0.1, but client.conf had the FQDN), this seems to be working for me.

Collaborator

michaelrsweet commented May 13, 2004

CUPS.org User: mike

Tim, thanks for the patch, applied for 1.1.21.

Minfrin, can you verify for us?

Collaborator

michaelrsweet commented May 13, 2004

CUPS.org User: mike

Fixed in CVS - the anonymous CVS repository will be updated at midnight EST.

Collaborator

michaelrsweet commented Jun 2, 2004

"client.conf":

#
# "$Id: client.conf,v 1.5 2002/01/02 17:58:37 mike Exp $"
#
# Sample client configuration file for the Common UNIX Printing System
# (CUPS).
#
# Copyright 1997-2002 by Easy Software Products, all rights reserved.
#
# These coded instructions, statements, and computer programs are the
# property of Easy Software Products and are protected by Federal
# copyright law. Distribution and use rights are outlined in the file
# "LICENSE.txt" which should have been included with this file. If this
# file is missing or damaged please contact Easy Software Products
# at:
#
# Attn: CUPS Licensing Information
# Easy Software Products
# 44141 Airport View Drive, Suite 204
# Hollywood, Maryland 20636-3111 USA
#
# Voice: (301) 373-9603
# EMail: cups-info@cups.org
# WWW: http://www.cups.org
#

########################################################################
#
# This is the CUPS client configuration file. This file is used to
# define client-specific parameters, such as the default server or
# default encryption settings.
#
########################################################################

#
# ServerName: the hostname of your server. By default CUPS will use the
# hostname of the system or the value of the CUPS_SERVER environment
# variable.
#

ServerName ipp.xxx.xxx.xxx
#ServerName 127.0.0.1

#
# Encryption: whether or not to use encryption; this depends on having
# the OpenSSL library linked into the CUPS library.
#
# Possible values:
#
# Always - Always use encryption (SSL)
# Never - Never use encryption
# Required - Use TLS encryption upgrade
# IfRequested - Use encryption if the server requests it
#
# The default value is "IfRequested". This parameter can also be set
# using the CUPS_ENCRYPTION environment variable.
#

Encryption Always
#Encryption Never
#Encryption Required
#Encryption IfRequested

#
# End of "$Id: client.conf,v 1.5 2002/01/02 17:58:37 mike Exp $".
#

michaelrsweet added this to the Stable milestone Mar 17, 2016
