[cups.bugs] SSL by default

Michael Sweet mike at easysw.com
Wed Feb 8 05:13:12 PST 2006 

Johannes Meixner wrote:
 > ...
> Details:
> 
> Normally the CUPS web-interface uses the HTTP protocol.
> "basic" authentication via HTTP protocol sends the credentials
> unencrypted (only base64 encoded) via network.

"Encryption Required" will be part of the default configuration
when the host supports encryption...  This kicks in *before*
the authentication checks, so before the user gets the
authentication challenge they will be redirected to a https:
URL...

> Even "digest" authentication is actually not more secure, see
> in the "CUPS Software Administrators Manual" the sections
> "Using Basic Authentication" and "Using Digest Authentication". 

Yeah, I know, I wrote that part of the documentation... :)

> As far as I know this is because nowadays a brute-force attack
> may take only a few hours (or a few days) to find a clear text
> string for a given MD5 sum.

Right, however just brute-forcing the MD5 sum is only effective
from the same IP, and if we ever add md5-sess support (which
does a sum of the whole message) then it will be that much
harder...

Anyways, SSL/TLS is a simpler solution...

> Therefore the problem is:
> How to avoid that innocent persons send the root password
> in an unencrypted way via network.
> 
> I think the solution is to allow only HTTPS for administration
> by having by default in cupsd.conf
> ---------------------------------------
> <Location /admin>
> ...
> Encryption Required
> ---------------------------------------

See above...

> The problems with "Encryption Required" are:
> 
> - Neither Mozilla nor Konqueror work with
>   "Upgrading to TLS Within HTTP".
>   But this problem is solved in CUPS 1.2 via redirection.
> 
> - How to get the necessary certificates?
>   SSL/TLS by default requires to have by default the files
>   /etc/cups/ssl/server.key and /etc/cups/ssl/server.crt
>   Could those files be autogenerated during the
>   installation of CUPS?

Yes.

>   For example as described in ENCRYPTION.txt via
>     openssl req -new -x509 -keyout /etc/cups/ssl/server.key \
>         -out /etc/cups/ssl/server.crt -days 365 -nodes
>     chmod 600 /etc/cups/ssl/server.*
>   Of course such self-signed certificates are only meant
>   to get the data transfer encrypted and cannot make sure
>   that really the right CUPS server machine is accessed.

That is something the web browser (and eventually the CUPS client)
can detect - the first time you access a server, the certificate is
cached so that changes to the certificate will be noticed (that
doesn't help the initial connection spoofing, of course, but that
is what CA-signed certificates are for...)

> - If there are already certificates on a system (e.g. really
>   signed certificates), they cannot be directly used by
>   the cupsd via something like
>     ServerCertificate /etc/ssl/servercerts/servercert.pem
>     ServerKey /etc/ssl/servercerts/serverkey.pem
>   because the cupsd (at least in CUPS 1.1) would brutally
>   change owner, group and permissions of those files
>   so that other services can no longer use them.
 > ...

This has been changed in CUPS 1.2 - if the files are not under
/etc/cups (or whatever ServerRoot is set to), then the permissions
are not changed.

(brutally? :)

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products           mike at easysw dot com
Internet Printing and Publishing Software        http://www.easysw.com

More information about the cups-devel mailing list