Description of problem: I configured CUPS server on a Red Hat EL 5.2 server to require SSL and basic authentication. I tested printing to it from a Windows XP client and was able to (using SSL and basic auth). I was unable to from a Fedora 10 client. I might be doing it wrong from the Fedora 10 client, because it is not altogether straightforward how to configure it to print over SSL and use authentication. I tried through system-config-printer and the CUPS web admin tool and neither would work CUPS server config info (just the interesting bits): ############################### SSLPort 8443 # Show shared printers on the local network. Browsing Off BrowseOrder allow,deny # (Change '@LOCAL' to 'ALL' if using directed broadcasts from another subnet.) BrowseAllow @LOCAL # Default authentication type, when authentication is required... DefaultAuthType Basic # Restrict access to the server... <Location /> Encryption Required AuthType Basic Require valid-user Order allow,deny Allow ALL </Location> ################################ Error logged on server: E [02/Jan/2009:23:21:49 -0600] encrypt_client: Unable to encrypt connection from 192.168.22.174! E [02/Jan/2009:23:21:49 -0600] encrypt_client: A record packet with illegal version was received. ################################# From the Windows client, I used the following configuration information: Network Printer https://192.168.22.150:8443/printers/myprinter I entered the username and password when prompted Picked a postscript driver Successfully printed a test page to the CUPS server. The Fedora 10 client would not accept https:// in the URI, so I used ipp:// and http:// hoping that it would realize that it had to use SSL, but I don't think it did. I also was never prompted for or given a location to enter the username and password. I tried adding it into the URI name:password.22.150:8443/printers/myprinter, and it did not complain. The CUPS SSL certificate is snakeoil, but the client never complained about that, so I don't know if that is an issue or not. When printing, the job hung in the client machines print queue. Version-Release number of selected component (if applicable): cups-1.3.9-6.fc10.i386 system-config-printer-1.0.12-2.fc10.i386 How reproducible: very Steps to Reproduce: 1. Configure a CUPS print server on your LAN that requires Basic Authentication and SSL. 2. Try to configure a Fedora 10 client to print to it. 3. Try to print something to the CUPS print server. Actual results: In my case (I'm not sure that I did it correctly on the client side), I was able to print to the CUPS print server from a Windows XP client, but not from a Fedora 10 client. Expected results: Additional info: Thank you.
Hi. Any update on this? Does anyone know if this is a CUPS issue, or a system-config-printer issue, or something else? If it is a CUPS issue, shall I try to file a bug report with the CUPS folks?
system-config-printer is certainly not involved. It seems more like a gnutls issue, as that is what cupsd is using.
> The Fedora 10 client would not accept https:// in the URI, so I used ipp:// and > http:// hoping that it would realize that it had to use SSL, but I don't think > it did. Tim, I don't think this is a gnutls issue. It looks like he was not able to configure the SSL on the client at all so gnutls did not get involved. Darren, if you do 'gnutls-cli -p 8443 192.168.22.150', are you able to connect? What do you get as output?
Tomas, the message from the server, "A record packet with illegal version was received.", comes from gnutls. CUPS automatically detects SSL connections, so ipp://... is the correct URI form to use.
OK, problem understood now. So normally the SSL port is 443, and libcups has special handling in that case to always start out with an SSL connection. Additionally, on the normal IPP port (631), cupsd has special handling to request that the client upgrade to an encrypted connection over the same port. Neither of these things were happening because (a) the port was 8443 not 443, and (b) the client was connecting to an SSL-only port. The reason system-config-printer was rejecting 'https://...'-type URIs is that cupsd is, and the simple reason for that is a missing https -> ipp symlink. (The ipp backend spots when it is being invoked as https and always encrypts in that case.) Filed upstream.
This will be fixed when 1.1.x (currently in rawhide) is backported to Fedora 10.
Incidentally, you should be able to use a URI of the form: ipp://...?encryption=always to achieve the same effect.
Closing, as there is an easy work-around for Fedora 10 and Fedora 11 already contains the fix.