apple / cups

Apple CUPS Sources
https://www.cups.org
Apache License 2.0

CUPS client is incapable of printing to an SSL enabled CUPS server #653

Closed michaelrsweet closed 20 years ago

michaelrsweet commented 20 years ago

Version: 1.1.17

CUPS.org User: minfrin.sharp

If CUPS is set up as a secure SSL enabled print server, Windows IPP print clients have no problems printing to this server.

In addition, the CUPS web based interface has no problems attaching to the CUPS server, and viewing the status of printers.

lpr as supplied by CUPS, however, is incapable of connecting to the CUPS server when SSL is switched on. This makes it impossible to print from legacy Unix applications that print to lpr. (This is an enormous showstopper for us, as we have to temporarily downgrade the print server to non-secure in order to print out the monthly invoice run, during which time Windows printers cannot print.)

lpq has the same problem.

If strace is run on lpq, it shows that lpq does open /etc/cups/client.conf; however, the "Encryption Always" config is ignored.

The cups log shows that attempts are made to connect to the CUPS server clear text, which causes SSL to complain:

```
E [25/Mar/2004:14:25:59 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
E [25/Mar/2004:14:25:59 +0200] Bad request line "/1.1"!
E [25/Mar/2004:14:25:59 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
```

Please can you fix this bug urgently, as it means that unix based printers cannot participate in a secure printing environment.

michaelrsweet commented 20 years ago

CUPS.org User: mike

Is your CUPS client built with encryption support? "ldd /usr/bin/lpr" should show libssl and some others if so.

Also, it would be more useful for you to do your testing against a recent release of CUPS...

michaelrsweet commented 20 years ago

CUPS.org User: minfrin.sharp

```
[minfrin@gatekeeper patricia]$ ldd /usr/bin/lpr
        libcups.so.2 => /usr/lib/libcups.so.2 (0xb75d0000)
        libnsl.so.1 => /lib/libnsl.so.1 (0xb75ab000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0xb757e000)
        libc.so.6 => /lib/tls/libc.so.6 (0xb7446000)
        libssl.so.4 => /lib/libssl.so.4 (0xb7412000)
        libcrypto.so.4 => /lib/libcrypto.so.4 (0xb7321000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0xb75eb000)
        libgssapi_krb5.so.2 => /usr/kerberos/lib/libgssapi_krb5.so.2 (0xb730d000)
        libkrb5.so.3 => /usr/kerberos/lib/libkrb5.so.3 (0xb72af000)
        libcom_err.so.3 => /usr/kerberos/lib/libcom_err.so.3 (0xb72ad000)
        libk5crypto.so.3 => /usr/kerberos/lib/libk5crypto.so.3 (0xb729d000)
        libresolv.so.2 => /lib/libresolv.so.2 (0xb728b000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7288000)
        libz.so.1 => /usr/lib/libz.so.1 (0xb7279000)
```

Seems SSL support is there.

The version of CUPS is cups-1.1.17-13.3.6 as supplied by RHEL v3.0; I would like to avoid custom RPMs if I possibly can. If I can confirm that the problem is specific to Red Hat, I'll be able to chase them. A bug report is open with them, but they have not been proactive about the problem so far.

michaelrsweet commented 20 years ago

CUPS.org User: mike

There have been several key changes to the SSL support between 1.1.17 and 1.1.20, so before we could offer any support for this issue, we'd need you to test against 1.1.20 and not RedHat's hacked up version.

michaelrsweet commented 20 years ago

CUPS.org User: minfrin.sharp

Just installed v1.1.20, building it like so:

```
rpmbuild -tb cups-1.1.20-source.tar.gz
```

And when you crank up the server it does this:

```
[root@gatekeeper root]# service cups start
cupsd: Child exited on signal 11!
cups: unable to start scheduler.
```

michaelrsweet commented 20 years ago

CUPS.org User: mike

Please post the /var/log/cups/error_log file.

michaelrsweet commented 20 years ago

CUPS.org User: minfrin.sharp

```
E [30/Mar/2004:23:16:01 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
E [30/Mar/2004:23:16:01 +0200] Bad request line "/1.1"!
E [30/Mar/2004:23:16:01 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
E [30/Mar/2004:23:16:01 +0200] Bad request line "/1.1"!
E [30/Mar/2004:23:16:11 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
E [30/Mar/2004:23:16:11 +0200] Bad request line "/1.1"!
E [30/Mar/2004:23:16:11 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
E [30/Mar/2004:23:16:11 +0200] Bad request line "/1.1"!
```

michaelrsweet commented 20 years ago

CUPS.org User: mike

Can you attach the client.conf file for your system?

michaelrsweet commented 20 years ago

CUPS.org User: anonymous

My posting to cups.bugs just now appears to be relevant to this case. I've successfully gotten both Windows XP and the CUPS clients to talk SSL to the CUPS server compiled from the 1.2.x CVS tree. However, as you can see below, there are some connection problems.

Note that some of the debug lines below are mine, had to add more info to find out what was wrong before I got it working.

Copy of post:

Hi!

I've got my test cupsd set up with the proper certificates, and forced clients to connect using SSL. This works fine, both from Windows and the stock cups clients. However, the SSL negotiation appears to need a bit of work, unless I've configured something wrong.

The command itself works fine. But it takes quite a few seconds to finish:

```
bash-2.05b# lpoptions -p bbugh -l -E
HPEconoMode/EconoMode: PrinterDefault True False
HPJobName/Job Name: DocName Set
[...]
```

And when I look at the server logs, I see the following:

```
d [02/Apr/2004:23:57:48 +0200] AcceptClient(lis=0x80921f8) 0 NumClients = 0
D [02/Apr/2004:23:57:48 +0200] AcceptClient: 9 from localhost:631.
d [02/Apr/2004:23:57:48 +0200] AcceptClient: Adding fd 9 to InputSet...
E [02/Apr/2004:23:57:48 +0200] Looking for key /etc/cups/ssl/server.key
E [02/Apr/2004:23:57:48 +0200] Looking for cert /etc/cups/ssl/server.crt
E [02/Apr/2004:23:57:48 +0200] EncryptClient: Unable to encrypt connection from localhost!
E [02/Apr/2004:23:57:48 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
d [02/Apr/2004:23:57:48 +0200] ReadClient: 9, used=0, file=-1
E [02/Apr/2004:23:57:48 +0200] Bad request line "/1.1" from localhost!
D [02/Apr/2004:23:57:48 +0200] SendError: 9 code=400 (Bad Request)
D [02/Apr/2004:23:57:48 +0200] CloseClient: 9
d [02/Apr/2004:23:57:48 +0200] CloseClient: Removing fd 9 from InputSet and OutputSet...
d [02/Apr/2004:23:57:48 +0200] AcceptClient(lis=0x80921f8) 0 NumClients = 0
D [02/Apr/2004:23:57:48 +0200] AcceptClient: 9 from localhost:631.
d [02/Apr/2004:23:57:48 +0200] AcceptClient: Adding fd 9 to InputSet...
E [02/Apr/2004:23:57:48 +0200] Looking for key /etc/cups/ssl/server.key
E [02/Apr/2004:23:57:48 +0200] Looking for cert /etc/cups/ssl/server.crt
E [02/Apr/2004:23:57:48 +0200] EncryptClient: Unable to encrypt connection from localhost!
E [02/Apr/2004:23:57:48 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
d [02/Apr/2004:23:57:48 +0200] ReadClient: 9, used=0, file=-1
E [02/Apr/2004:23:57:48 +0200] Bad request line "/1.1" from localhost!
D [02/Apr/2004:23:57:48 +0200] SendError: 9 code=400 (Bad Request)
[...]
```

A large, seemingly random, number of failed connections before it actually works:

```
d [02/Apr/2004:23:57:48 +0200] AcceptClient(lis=0x80921f8) 0 NumClients = 0
D [02/Apr/2004:23:57:48 +0200] AcceptClient: 9 from localhost:631.
d [02/Apr/2004:23:57:48 +0200] AcceptClient: Adding fd 9 to InputSet...
E [02/Apr/2004:23:57:48 +0200] Looking for key /etc/cups/ssl/server.key
E [02/Apr/2004:23:57:48 +0200] Looking for cert /etc/cups/ssl/server.crt
E [02/Apr/2004:23:57:48 +0200] EncryptClient: Unable to encrypt connection from localhost!
E [02/Apr/2004:23:57:48 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
d [02/Apr/2004:23:57:48 +0200] ReadClient: 9, used=0, file=-1
E [02/Apr/2004:23:57:48 +0200] Bad request line "/1.1" from localhost!
D [02/Apr/2004:23:57:48 +0200] SendError: 9 code=400 (Bad Request)
D [02/Apr/2004:23:57:48 +0200] CloseClient: 9
d [02/Apr/2004:23:57:48 +0200] CloseClient: Removing fd 9 from InputSet and OutputSet...
d [02/Apr/2004:23:57:48 +0200] AcceptClient(lis=0x80921f8) 0 NumClients = 0
D [02/Apr/2004:23:57:48 +0200] AcceptClient: 9 from localhost:631.
d [02/Apr/2004:23:57:48 +0200] AcceptClient: Adding fd 9 to InputSet...
E [02/Apr/2004:23:57:48 +0200] Looking for key /etc/cups/ssl/server.key
E [02/Apr/2004:23:57:48 +0200] Looking for cert /etc/cups/ssl/server.crt
D [02/Apr/2004:23:57:48 +0200] EncryptClient: 9 Connection from localhost now encrypted.
d [02/Apr/2004:23:57:48 +0200] ReadClient: 9, used=0, file=-1
D [02/Apr/2004:23:57:48 +0200] ReadClient: 9 POST / HTTP/1.1
d [02/Apr/2004:23:57:49 +0200] decode_auth(0x40392008): Authorization string = ""
d [02/Apr/2004:23:57:49 +0200] decode_auth: 9 username=""
d [02/Apr/2004:23:57:49 +0200] POST /
d [02/Apr/2004:23:57:49 +0200] CONTENT_TYPE = application/ipp
d [02/Apr/2004:23:57:49 +0200] ReadClient: 9 con->data_encoding = length, con->data_remaining = 77, con->file = -1
d [02/Apr/2004:23:57:49 +0200] ReadClient: 9, used=0, file=-1
d [02/Apr/2004:23:57:49 +0200] ReadClient: 9 con->data_encoding = length, con->data_remaining = 69, con->file = -1
d [02/Apr/2004:23:57:49 +0200] ReadClient: 9, used=0, file=-1
d [02/Apr/2004:23:57:49 +0200] ReadClient: 9 con->data_encoding = length, con->data_remaining = 35, con->file = -1
d [02/Apr/2004:23:57:49 +0200] ReadClient: 9, used=0, file=-1
d [02/Apr/2004:23:57:49 +0200] ReadClient: 9 con->data_encoding = length, con->data_remaining = 1, con->file = -1
d [02/Apr/2004:23:57:49 +0200] get_default(0x40392008[9])
d [02/Apr/2004:23:57:49 +0200] copy_attrs(0x84f7c10, 0x8163f98, (nil), 0)
d [02/Apr/2004:23:57:49 +0200] copy_attribute(0x84f7c10, printer-uri-supported)
d [02/Apr/2004:23:57:49 +0200] copy_attribute(0x84f7c10, uri-authentication-supported)
d [02/Apr/2004:23:57:49 +0200] copy_attribute(0x84f7c10, uri-security-supported)
d [02/Apr/2004:23:57:49 +0200] copy_attribute(0x84f7c10, printer-name)
d [02/Apr/2004:23:57:49 +0200] copy_attribute(0x84f7c10, printer-location)
d [02/Apr/2004:23:57:49 +0200] copy_attribute(0x84f7c10, printer-info)
d [02/Apr/2004:23:57:49 +0200] copy_attribute(0x84f7c10, printer-more-info)
d [02/Apr/2004:23:57:49 +0200] copy_attribute(0x84f7c10, job-quota-period)
d [02/Apr/2004:23:57:49 +0200] copy_attribute(0x84f7c10, job-k-limit)
d [02/Apr/2004:23:57:49 +0200] copy_attribute(0x84f7c10, job-page-limit)
[...]
```

The number of failed tries varies randomly between 0 and several thousand (sic), no two tries in a row give the same number.

client.conf has Encryption Always, cupsd.conf has Encryption Required inside the parts. Tried Always there as well, but warnings in the logs told me that cupsd bumped those to Required anyway.

Any ideas?

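As an added illustration of the log pattern in the post above (this is example code, not from the thread and not part of CUPS): a small Python scanner that reads cupsd error_log lines, counts the two plaintext-on-TLS signatures quoted in this thread (OpenSSL's `SSL23_GET_CLIENT_HELLO:http request` and cupsd's follow-up `Bad request line "/1.1"`) against successful `now encrypted` events, and attributes the bad-request lines to the client host. The sample log, the host name `client01.example` and all function names are constructed for the example.

```python
"""Scan a cupsd error_log for plaintext HTTP arriving on a TLS listener.

Added example, not CUPS code.  'SSL23_GET_CLIENT_HELLO:http request' means
OpenSSL received an HTTP request line where it expected a TLS ClientHello;
cupsd then tries to parse the fragment as a request line and logs
'Bad request line "/1.1"'.  Counting these against 'now encrypted' events
shows whether a client never speaks TLS or only gets through after retries.
"""
import re
from collections import Counter

# cupsd log line: single-letter level, bracketed timestamp, message
LINE_RE = re.compile(r'^(?P<level>[A-Za-z]) \[(?P<ts>[^\]]+)\] (?P<msg>.*)$')
# trailing 'from <host>!' that cupsd appends to some lines (1.2.x style)
FROM_RE = re.compile(r'from (?P<host>[\w.\-:]+?)[!.]?$')

HANDSHAKE_SIG = 'SSL23_GET_CLIENT_HELLO:http request'
BAD_REQUEST_SIG = 'Bad request line "/1.1"'
TLS_OK_SIG = 'now encrypted'


def parse_line(line):
    """Split one log line into level / timestamp / message, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text):
    """Count the three signatures and attribute bad-request lines to hosts."""
    s = {'handshake_failures': 0, 'bad_request_lines': 0,
         'encrypted_ok': 0, 'hosts': Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec['msg']
        if HANDSHAKE_SIG in msg:
            s['handshake_failures'] += 1
        elif BAD_REQUEST_SIG in msg:
            s['bad_request_lines'] += 1
            m = FROM_RE.search(msg)          # 1.1.17 lines carry no host
            s['hosts'][m.group('host') if m else 'unknown'] += 1
        elif TLS_OK_SIG in msg:
            s['encrypted_ok'] += 1
    return s


def verdict(s):
    """One-line interpretation in the terms used in the thread."""
    if s['handshake_failures'] == 0:
        return 'clean: no plaintext requests on the TLS listener'
    if s['encrypted_ok'] == 0:
        return ('never-encrypts: %d plaintext attempts and no TLS session; check that '
                'the client is linked against libssl (ldd) and honours client.conf '
                'Encryption' % s['handshake_failures'])
    return ('intermittent: %d plaintext attempts alongside %d TLS sessions; the '
            'client retries in the clear before negotiating TLS'
            % (s['handshake_failures'], s['encrypted_ok']))


# Constructed sample, modelled on the lines quoted in the thread: two failed
# plaintext attempts from a named host, one success, then a 1.1.17-style
# failure line that carries no host.
SAMPLE_LOG = """\
E [02/Apr/2004:23:57:48 +0200] EncryptClient: Unable to encrypt connection from client01.example!
E [02/Apr/2004:23:57:48 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
E [02/Apr/2004:23:57:48 +0200] Bad request line "/1.1" from client01.example!
D [02/Apr/2004:23:57:48 +0200] SendError: 9 code=400 (Bad Request)
E [02/Apr/2004:23:57:48 +0200] EncryptClient: Unable to encrypt connection from client01.example!
E [02/Apr/2004:23:57:48 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
E [02/Apr/2004:23:57:48 +0200] Bad request line "/1.1" from client01.example!
D [02/Apr/2004:23:57:48 +0200] EncryptClient: 9 Connection from client01.example now encrypted.
D [02/Apr/2004:23:57:48 +0200] ReadClient: 9 POST / HTTP/1.1
E [02/Apr/2004:23:58:02 +0200] EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
E [02/Apr/2004:23:58:02 +0200] Bad request line "/1.1"!
"""

if __name__ == '__main__':
    summary = analyze(SAMPLE_LOG)
    print(summary)
    print(verdict(summary))
```

Run it against a real `/var/log/cups/error_log` by passing the file contents to `analyze()`; a non-zero `handshake_failures` with zero `encrypted_ok` is the symptom the original report describes, while failures mixed with successes is the retry pattern in the post above.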
michaelrsweet commented 20 years ago

CUPS.org User: mike

You MUST use SSLPort/SSLListen in cupsd.conf if you use "Encryption Always" in client.conf. Please confirm that you are using SSLPort or SSLListen in the server's cupsd.conf file.
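The pairing rule stated here (a client with `Encryption Always` needs `SSLPort` or `SSLListen` on the server), together with the two other mismatches that surface in this thread (`Encryption Always` inside a `<Location>` being downgraded to `Required` by cupsd, and an `Allow From 127.0.0.1` server paired with a client that connects by FQDN), as an added configuration checker. This is example code, not part of CUPS; the sample configs, the host name `printserver.example` and the function names are constructed.

```python
"""Cross-check a CUPS client.conf against the cupsd.conf it will talk to.

Added example, not CUPS code.  Encodes the rules discussed in this thread:
  * client 'Encryption Always' requires an SSLPort/SSLListen on the server;
  * a client that is not 'Always' sends its first request as plaintext HTTP,
    so an SSL-only server logs 'SSL23_GET_CLIENT_HELLO:http request';
  * 'Encryption Always' inside a <Location> is downgraded to Required;
  * the server's Allow list must cover where the client actually comes from.
"""

LOOPBACK = {'127.0.0.1', 'localhost'}


def parse_directives(text):
    """Return [(section, directive, value)] for every non-comment line.

    section is None at top level, otherwise the argument of the enclosing
    <Location ...> block.  Directive names are lower-cased, values kept.
    """
    out = []
    section = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        if line.startswith('</'):
            section = None
            continue
        if line.startswith('<'):
            inner = line.strip('<>').split(None, 1)
            section = inner[1] if len(inner) > 1 else inner[0]
            continue
        parts = line.split(None, 1)
        out.append((section, parts[0].lower(),
                    parts[1].strip() if len(parts) > 1 else ''))
    return out


def check(client_conf, cupsd_conf):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    client = parse_directives(client_conf)
    server = parse_directives(cupsd_conf)

    enc = [v.lower() for _, d, v in client if d == 'encryption']
    client_enc = enc[-1] if enc else 'ifrequested'   # default per sample client.conf
    names = [v for _, d, v in client if d == 'servername']
    server_name = names[-1].lower() if names else 'localhost'

    top = {d for s, d, _ in server if s is None}
    tls_listener = bool(top & {'sslport', 'ssllisten'})
    plain_listener = bool(top & {'port', 'listen'})

    if client_enc == 'always' and not tls_listener:
        findings.append('client has Encryption Always but cupsd.conf defines '
                        'no SSLPort/SSLListen')
    if client_enc != 'always' and tls_listener and not plain_listener:
        findings.append('cupsd.conf is SSL-only but client Encryption is %s: the '
                        'first request goes out as plaintext HTTP and cupsd will log '
                        'SSL23_GET_CLIENT_HELLO:http request' % client_enc)
    for s, d, v in server:
        if s is not None and d == 'encryption' and v.lower() == 'always':
            findings.append('Encryption Always inside <Location %s> is downgraded '
                            'to Required by cupsd; write Required explicitly' % s)
    allows = [v.lower().replace('from', '', 1).strip()
              for s, d, v in server if d == 'allow']
    if allows and set(allows) <= LOOPBACK and server_name not in LOOPBACK:
        findings.append('client connects to %s but cupsd.conf only allows loopback; '
                        'the request will not arrive from 127.0.0.1' % server_name)
    return findings


# Constructed sample files modelled on the directives quoted in the thread.
CLIENT_ALWAYS = """\
# client.conf (constructed)
ServerName printserver.example
Encryption Always
"""

CUPSD_SSL_ONLY = """\
# cupsd.conf (constructed): SSL listener only, no plaintext Listen/Port
SSLListen *:443
<Location />
  Encryption Required
  Allow From All
</Location>
"""

CUPSD_PLAIN_LOOPBACK = """\
# cupsd.conf (constructed): plaintext only, loopback-only access
Listen 127.0.0.1:631
<Location />
  Encryption Always
  Allow From 127.0.0.1
</Location>
"""

if __name__ == '__main__':
    for label, cupsd in (('ssl-only', CUPSD_SSL_ONLY),
                         ('plain-loopback', CUPSD_PLAIN_LOOPBACK)):
        print(label, check(CLIENT_ALWAYS, cupsd) or ['consistent'])
```

Feed it the real files with `check(open('/etc/cups/client.conf').read(), open('/etc/cups/cupsd.conf').read())` on the client host; the listener check is the one to run before turning `Encryption Always` on for a fleet of `lpr` users.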

michaelrsweet commented 20 years ago

CUPS.org User: minfrin.sharp

"SSLListen" is being used in this case. There is no use of "Listen" anywhere in the file.

In this case, SSLListen and Encryption Always is being used. The CUPS web based config works, lpr and lpq do not work.

michaelrsweet commented 20 years ago

CUPS.org User: mike

OK, are you using CUPS 1.1.17 for these tests? Your previous message indicated that the 1.1.20 code did not work for you - did you revert to 1.1.17 again?

michaelrsweet commented 20 years ago

CUPS.org User: twaugh.redhat

In cups/dest.c, function cups_get_sdests(), try making this change:

It doesn't seem to make the problem go away, but it is at least one source of unencrypted connections.

michaelrsweet commented 20 years ago

CUPS.org User: twaugh.redhat

Actually, now that I've corrected my cupsd.conf (only had Allow From 127.0.0.1, but client.conf had the FQDN), this seems to be working for me.

michaelrsweet commented 20 years ago

CUPS.org User: mike

Tim, thanks for the patch, applied for 1.1.21.

Minfrin, can you verify for us?

michaelrsweet commented 20 years ago

CUPS.org User: mike

Fixed in CVS - the anonymous CVS repository will be updated at midnight EST.

michaelrsweet commented 20 years ago

"client.conf":

```
#
# "$Id: client.conf,v 1.5 2002/01/02 17:58:37 mike Exp $"
#
#   Sample client configuration file for the Common UNIX Printing System
#   (CUPS).
#
#   Copyright 1997-2002 by Easy Software Products, all rights reserved.
#
#   These coded instructions, statements, and computer programs are the
#   property of Easy Software Products and are protected by Federal
#   copyright law.  Distribution and use rights are outlined in the file
#   "LICENSE.txt" which should have been included with this file.  If this
#   file is missing or damaged please contact Easy Software Products
#   at:
#
#       Attn: CUPS Licensing Information
#       Easy Software Products
#       44141 Airport View Drive, Suite 204
#       Hollywood, Maryland 20636-3111 USA
#
#       Voice: (301) 373-9603
#       EMail: cups-info@cups.org
#         WWW: http://www.cups.org
#

########################################################################
# This is the CUPS client configuration file.  This file is used to
# define client-specific parameters, such as the default server or
# default encryption settings.
########################################################################

#
# ServerName: the hostname of your server.  By default CUPS will use the
# hostname of the system or the value of the CUPS_SERVER environment
# variable.
#

#ServerName ipp.xxx.xxx.xxx
ServerName 127.0.0.1

#
# Encryption: whether or not to use encryption; this depends on having
# the OpenSSL library linked into the CUPS library.
#
# Possible values:
#
#     Always       - Always use encryption (SSL)
#     Never        - Never use encryption
#     Required     - Use TLS encryption upgrade
#     IfRequested  - Use encryption if the server requests it
#
# The default value is "IfRequested".  This parameter can also be set
# using the CUPS_ENCRYPTION environment variable.
#

Encryption Always
#Encryption Never
#Encryption Required
#Encryption IfRequested

#
# End of "$Id: client.conf,v 1.5 2002/01/02 17:58:37 mike Exp $".
#
```