Bug 478677 - Unable to print to network shared printer that requires basic authentication and SSL
Unable to print to network shared printer that requires basic authentication ...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: cups (Show other bugs)
10
All Linux
low Severity medium
: ---
: ---
Assigned To: Tim Waugh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-01-03 06:30 EST by Darren Fulton
Modified: 2009-07-03 05:08 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-07-03 05:08:14 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
CUPS Bugs and Features 3122 None None None Never

  None (edit)
Description Darren Fulton 2009-01-03 06:30:11 EST
Description of problem:
I configured CUPS server on a Red Hat EL 5.2 server to require SSL and basic authentication.  I tested printing to it from a Windows XP client and was able to (using SSL and basic auth).  I was unable to from a Fedora 10 client.  I might be doing it wrong from the Fedora 10 client, because it is not altogether straightforward how to configure it to print over SSL and use authentication.  I tried through system-config-printer and the CUPS web admin tool and neither would work

CUPS server config info (just the interesting bits):
###############################
SSLPort 8443                                         

# Show shared printers on the local network.
Browsing Off                                
BrowseOrder allow,deny                      
# (Change '@LOCAL' to 'ALL' if using directed broadcasts from another subnet.)
BrowseAllow @LOCAL                                                            

# Default authentication type, when authentication is required...
DefaultAuthType Basic                                            

# Restrict access to the server...
<Location />                      
  Encryption Required             
  AuthType Basic                  
  Require valid-user              
  Order allow,deny                
  Allow ALL                       
</Location>                       
################################

Error logged on server:
E [02/Jan/2009:23:21:49 -0600] encrypt_client: Unable to encrypt connection from 192.168.22.174!
E [02/Jan/2009:23:21:49 -0600] encrypt_client: A record packet with illegal version was received.
#################################

From the Windows client, I used the following configuration information:
Network Printer
https://192.168.22.150:8443/printers/myprinter
I entered the username and password when prompted
Picked a postscript driver
Successfully printed a test page to the CUPS server.

The Fedora 10 client would not accept https:// in the URI, so I used ipp:// and http:// hoping that it would realize that it had to use SSL, but I don't think it did.  I also was never prompted for or given a location to enter the username and password.  I tried adding it into the URI name:password@192.168.22.150:8443/printers/myprinter, and it did not complain.  The CUPS SSL certificate is snakeoil, but the client never complained about that, so I don't know if that is an issue or not.  When printing, the job hung in the client machines print queue.

Version-Release number of selected component (if applicable):
cups-1.3.9-6.fc10.i386
system-config-printer-1.0.12-2.fc10.i386

How reproducible:
very

Steps to Reproduce:
1. Configure a CUPS print server on your LAN that requires Basic Authentication and SSL.
2.  Try to configure a Fedora 10 client to print to it.
3.  Try to print something to the CUPS print server.
  
Actual results:
In my case (I'm not sure that I did it correctly on the client side), I was able to print to the CUPS print server from a Windows XP client, but not from a Fedora 10 client.

Expected results:


Additional info:
Thank you.
Comment 1 Darren Fulton 2009-02-22 14:45:24 EST
Hi.  Any update on this?  Does anyone know if this is a CUPS issue, or a system-config-printer issue, or something else?  If it is a CUPS issue, shall I try to file a bug report with the CUPS folks?
Comment 2 Tim Waugh 2009-03-06 13:16:41 EST
system-config-printer is certainly not involved.  It seems more like a gnutls issue, as that is what cupsd is using.
Comment 3 Tomas Mraz 2009-03-09 04:31:32 EDT
> The Fedora 10 client would not accept https:// in the URI, so I used ipp:// and
> http:// hoping that it would realize that it had to use SSL, but I don't think
> it did.

Tim, I don't think this is a gnutls issue. It looks like he was not able to configure the SSL on the client at all so gnutls did not get involved.

Darren, if you do 'gnutls-cli -p 8443 192.168.22.150', are you able to connect? What do you get as output?
Comment 4 Tim Waugh 2009-03-09 06:25:46 EDT
Tomas, the message from the server, "A record packet with illegal version was received.", comes from gnutls.

CUPS automatically detects SSL connections, so ipp://... is the correct URI form to use.
Comment 5 Tim Waugh 2009-03-09 07:19:26 EDT
OK, problem understood now.

So normally the SSL port is 443, and libcups has special handling in that case to always start out with an SSL connection.

Additionally, on the normal IPP port (631), cupsd has special handling to request that the client upgrade to an encrypted connection over the same port.

Neither of these things were happening because (a) the port was 8443 not 443, and (b) the client was connecting to an SSL-only port.

The reason system-config-printer was rejecting 'https://...'-type URIs is that cupsd is, and the simple reason for that is a missing https -> ipp symlink. (The ipp backend spots when it is being invoked as https and always encrypts in that case.)

Filed upstream.
Comment 6 Tim Waugh 2009-04-14 13:22:14 EDT
This will be fixed when 1.1.x (currently in rawhide) is backported to Fedora 10.
Comment 7 Tim Waugh 2009-04-20 07:51:36 EDT
Incidentally, you should be able to use a URI of the form:

  ipp://...?encryption=always

to achieve the same effect.
Comment 8 Tim Waugh 2009-07-03 05:08:14 EDT
Closing, as there is an easy work-around for Fedora 10 and Fedora 11 already contains the fix.

Note You need to log in before you can comment on or make changes to this bug.