Bug 118240 - If CUPS is listening on an SSL socket, then all connections to other IPP printers are forced to SSL
If CUPS is listening on an SSL socket, then all connections to other IPP prin...
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: cups (Show other bugs)
3.0
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Tim Waugh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-03-14 04:15 EST by Graham Leggett
Modified: 2007-11-30 17:07 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-10-19 15:28:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Graham Leggett 2004-03-14 04:15:54 EST
Configure CUPS to support encryption, by doing the following:

- Set ServerName to the cert CN
- Set ServerCert and ServerKey for cert
- Bind by saying SSLListen 0.0.0.0:631

In client.conf set ServerName and Encryption Always

Set up a printer that uses the IPP protocol, or HTTP (same effect).

See that the URL printed to by CUPS is encrypted, when the printer
does not support encryption, nor has the user expressed any desire to
make a secure connection to the printer:

Device URI: https://192.168.200.153:631/ipp/PORT1

The error message given when printing is attempted is the very
Microsoft-esque:

"Unable to connect to IPP host: Success"

The result: printing to non-SSL IPP printers is impossible when CUPS
is configured to support SSL.
Comment 1 David Lawrence 2004-03-15 15:22:37 EST
Changing product and version.
Comment 2 Tim Waugh 2004-05-12 13:11:59 EDT
Is 'Encryption IfRequested' any better?
Comment 3 Graham Leggett 2004-06-18 19:51:48 EDT
Encryption IfRequested leaves the option open for printing to occur
without encryption, which is against our access policy for services
that are accessible over the internet :(
Comment 4 Tim Waugh 2004-06-25 07:54:56 EDT
But you wanted printing to occur without encryption: "printing to
non-SSL IPP printers" is exactly that, surely?

I think maybe I'm not understanding the set-up you have.  Can you give
the various devices in the scenario names, so that I can see more
clearly what you mean?
Comment 5 Graham Leggett 2004-06-25 10:20:56 EDT
Client XXX --IPP+SSL--> CUPS Server --IPP--> Ricoh IPP enabled printer

The connection right now this minute client XXX is talking to the CUPS
server using IPP+SSL (Specified using Encryption Required).

The connection right now this minute CUPS server is talking to the
Ricoh printer via LPR, because this works at the moment.

The minute you try to change the protocol that CUPS uses to talk to
the Ricoh printer from LPR to IPP (non secure IPP, as the Ricoh
printer to our knowledge does not support SSL) CUPS insists on using
IPP+SSL to talk to the Ricoh printer. The Ricoh printer cannot
understand IPP+SSL, and the job never arrives on the printer.

It seems that if the IPP connection between client XXX and CUPS is SSL
enabled, CUPS wants to make the IPP connection between the CUPS server
and the Ricoh printer SSL enabled as well, even though SSL for the
connection to the printer is neither enabled in the config of CUPS,
nor supported by the Ricoh printer.
Comment 6 RHEL Product and Program Management 2007-10-19 15:28:58 EDT
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
 
For more information of the RHEL errata support policy, please visit:
http://www.redhat.com/security/updates/errata/
 
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.

Note You need to log in before you can comment on or make changes to this bug.