Bug 118982 - CUPS client cannot connect to a secure SSL CUPS server
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: cups
Version: 3.0
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Tim Waugh
Blocks: 116727
Reported: 2004-03-23 11:16 EST by Graham Leggett
Modified: 2007-11-30 17:07 EST (History)
Doc Type: Bug Fix
Last Closed: 2004-09-01 22:10:55 EDT
Description Graham Leggett 2004-03-23 11:16:37 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030922

Description of problem:
- Configure cups to use SSL:

In cupsd.conf:

SSLListen 127.0.0.1:631
SSLListen 192.168.200.150:631
ServerCertificate /etc/cups/certs/ipp-hostCert.pem
ServerKey /etc/cups/certs/ipp-hostKey.pem

In client.conf:

ServerName ipp
Encryption Always

- View the web portal via https://ipp:631, this works 100%.

- Try and view print queues via lpq:

[minfrin@gatekeeper minfrin]$ lpq
lpq: Unable to contact server!

- Look in the cups error logs:

E [23/Mar/2004:18:17:27 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
E [23/Mar/2004:18:17:27 +0200] Bad request line "/1.1"!

Due to the vagueness of the above error (it does not include which
source IP address attempted to make the unencrypted connection above)
it is not clear as to whether this error is involved or not.

Nett result: CUPS can be a secure print server, but cannot be used as
a secure print client.


Version-Release number of selected component (if applicable):
cups-1.1.17-13.3.6

How reproducible:
Always

Steps to Reproduce:
xxx

Additional info:
Comment 1 Graham Leggett 2004-03-23 11:39:30 EST
Some more investigation:

If an strace lpq is done, the following steps are evident:

- The clients.conf file is opened and read.

- An attempt is made to write a _non encrypted_ request to the server
defined in clients.conf, when client.conf stipulates "encryption always".

- The response comes back from the server: "HTTP/1.0 400 Bad Request"

- lpq alternates between two responses:

[minfrin@gatekeeper minfrin]$ lpq
lpq: Unable to contact server!
[minfrin@gatekeeper minfrin]$ lpq
no entries

In the case of "unable to contact server", it seems the initial write
to the server fails immediately.

In the case of "no entries", it seems this is what is returned if the
server says "400 Bad Request".

CUPS seems to alternate between one response and the other.
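
Added example (not part of the original report or of CUPS): a small Python parser for the error_log excerpts quoted in this report. It rejoins the wrapped lines and flags TLS handshakes that failed with the OpenSSL reason "http request", i.e. a client that wrote a plain HTTP request to the SSLListen port, as Comment 1 observes. The function names, and the pairing of each error with the "Bad request line" entry that shares its timestamp, are assumptions of this example.

```python
import re

# Constructed sample: the two error_log excerpts quoted in this report,
# keeping the hard line wrap after "SSL", plus one made-up unrelated entry.
SAMPLE_LOG = """\
E [23/Mar/2004:18:17:27 +0200] EncryptClient: error:1407609C:SSL
routines:SSL23_GET_CLIENT_HELLO:http request
E [23/Mar/2004:18:17:27 +0200] Bad request line "/1.1"!
I [23/Mar/2004:18:20:00 +0200] constructed unrelated message
E [17/Aug/2004:22:43:34 -0400] EncryptClient: error:1407609C:SSL
routines:SSL23_GET_CLIENT_HELLO:http request
E [17/Aug/2004:22:43:34 -0400] Bad request line "1.0"!
"""

ENTRY = re.compile(r"^([A-Za-z]) \[([^\]]+)\] (.*)$")
# OpenSSL error string layout: error:<hex code>:<library>:<function>:<reason>
TLS_ERR = re.compile(r"EncryptClient: error:([0-9A-Fa-f]+):([^:]*):([^:]*):(.*)$")
BAD_REQ = re.compile(r'Bad request line "(.*)"!$')


def parse_entries(text):
    """Return (level, timestamp, message) tuples, rejoining wrapped lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append(list(m.groups()))
        elif entries and line.strip():
            # No "L [timestamp]" prefix: continuation of the previous entry.
            entries[-1][2] += " " + line.strip()
    return [tuple(e) for e in entries]


def plaintext_on_tls(text):
    """Find handshakes that failed because the peer sent plain HTTP."""
    entries = parse_entries(text)
    hits = []
    for i, (_level, ts, msg) in enumerate(entries):
        m = TLS_ERR.search(msg)
        if not m or m.group(4).strip() != "http request":
            continue
        hit = {"time": ts, "code": m.group(1), "function": m.group(3), "fragment": None}
        # Assumption: the next entry with the same timestamp belongs to the
        # same connection (the log has no connection id or source address).
        if i + 1 < len(entries) and entries[i + 1][1] == ts:
            b = BAD_REQ.search(entries[i + 1][2])
            if b:
                hit["fragment"] = b.group(1)
        hits.append(hit)
    return hits
```

Because these entries carry no client address (the gap the reporter points out), the function can only report when a plaintext request hit the SSL listener, not which host sent it.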
Comment 2 Graham Leggett 2004-03-25 07:29:01 EST
This issue has been opened as STR #653 at http://www.cups.org.
Comment 3 Graham Leggett 2004-03-30 18:12:47 EST
Any update on this bug? This is a showstopper for RHEL being deployed
as a printserver.

The latest version of CUPS as supplied by www.cups.org is broken out the
box on RHEL:

[root@gatekeeper root]# service cups start
cupsd: Child exited on signal 11!
cups: unable to start scheduler.

So: is there any hope for a secure RHEL printserver, or is RHEL a dead
loss in this application?
Comment 4 Tim Waugh 2004-05-12 12:33:59 EDT
Direct link is: http://www.cups.org/str.php?L653

(Despite being on the CC field for it I've had no email from it. :-( )
Comment 5 Tim Waugh 2004-05-13 13:05:05 EDT
Do you need a binary package set to test, or can you try the
pseudo-patch from my comment to STR #653 yourself?
Comment 6 Tim Waugh 2004-05-19 14:14:31 EDT
FWIW, Fedora development will shortly have cups-1.1.20-8, which
includes this patch.
Comment 7 Jay Turner 2004-08-17 22:42:46 EDT
With cups-1.1.17-13.3.12, I'm still seeing:

E [17/Aug/2004:22:43:34 -0400] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
E [17/Aug/2004:22:43:34 -0400] Bad request line "1.0"!

in the error log.  Am I just dumb with cups configuration?
Comment 8 Tim Waugh 2004-08-18 06:17:22 EDT
This seems to be due to STR #434:

http://www.cups.org/str.php?L434

but I think it is comparatively harmless.  The corresponding Red Hat
Bugzilla report is bug #114999.
Comment 9 Graham Leggett 2004-08-18 10:56:06 EDT
It seems the latest fedora development version of cups-1.1.21-1.rc1.9
has a dependency list a mile long, including the need to upgrade python.

When will this patch be made available officially to RHEL3?
Comment 10 Jay Turner 2004-09-01 22:10:56 EDT
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2004-228.html
