Delete printer remotely, firefox: cannot communicate securely

Chris Martin cmartin at spamcop.net
Sat Jul 15 03:03:51 PDT 2006


cups-1.2.1-r2 on Gentoo 2006.0

The server is set up (using local administration) to allow remote administration. On trying to delete a printer from another machine (running the same version of CUPS on Gentoo 2006.0 as well), the messages

"426 Upgrade Required

You must access this page using the URL https://192.168.1.36:631/admin/?op=delete-printer&printer_name=EPL6200."

followed by a popup from Firefox (1.5.0.4)

"Firefox and 192.168.1.36 cannot communicate securely because they
have no common encryption algorithms."

Nothing in either error_log or access_log on the workstation (192.168.1.37). On the server (192.168.1.36), what seem to be the relevant lines of error_log are (loglevel set to debug)

D [15/Jul/2006:10:46:52 +0100] cupsdReadClient: 7 GET /admin/?op=delete-printer&printer_name=EPL6200 HTTP/1.1
D [15/Jul/2006:10:46:52 +0100] cupsdReadClient: 7 Browser asked for language "en-us.utf-8"
...
D [15/Jul/2006:10:46:52 +0100] cupsdAuthorize: No authentication data provided.
D [15/Jul/2006:10:46:52 +0100] cupsdSendError: 7 code=426 (Upgrade Required)
D [15/Jul/2006:10:46:52 +0100] cupsdCloseClient: 7
D [15/Jul/2006:10:46:55 +0100] cupsdAcceptClient: 7 from 192.168.1.37:631 (IPv4)
E [15/Jul/2006:10:46:55 +0100] encrypt_client: Unable to encrypt connection from 192.168.1.37!
E [15/Jul/2006:10:46:55 +0100] encrypt_client: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

access_log just has

192.168.1.37 - - [15/Jul/2006:10:46:52 +0100] "GET /admin/?op=delete-printer&printer_name=EPL6200 HTTP/1.1" 426 0 - -

cupsd.conf for the server (192.168.1.36):

# Show troubleshooting information in error_log.
LogLevel debug
SystemGroup lpadmin
# Allow remote access
Port 631
Listen /var/run/cups/cups.sock
# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAllow @LOCAL
DefaultAuthType Basic
<Location />
  # Allow remote administration...
  Order allow,deny
  Allow @LOCAL
</Location>
<Location /admin>
  Encryption Required
  # Allow remote administration...
  Order allow,deny
  Allow @LOCAL
</Location>
<Location /admin/conf>
  AuthType Basic
  Require user @SYSTEM
  # Allow remote access to the configuration files...
  Order allow,deny
  Allow @LOCAL
</Location>
<Policy default>
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
    AuthType Basic
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit CUPS-Authenticate-Job>
  </Limit>
  <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
    AuthType Basic
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  # Only the owner or an administrator can cancel a job...
  <Limit Cancel-Job>
    Order deny,allow
    Require user @OWNER @SYSTEM
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

Looking for the error on the 'net, it seemed to be connected with missing certificates; here is /etc/cups/certs:

bigfoot ~ # /bin/ls -l /etc/cups/certs
total 4
-r--r----- 1 root lp 32 2006-07-14 11:09 0

On the workstation (192.168.1.37), cupsd.conf is as it was installed except that Gentoo recommends, for remote printing, changing "Listen localhost:631" to "Listen *:631"

#
# "$Id: cupsd.conf.in 5454 2006-04-23 21:46:38Z mike $"
#
#   Sample configuration file for the Common UNIX Printing System (CUPS)
#   scheduler.  See "man cupsd.conf" for a complete description of this
#   file.
#

# Log general information in error_log - change "info" to "debug" for
# troubleshooting...
LogLevel info

# Administrator user group...
SystemGroup lpadmin

# Only listen for connections from the local machine.
Listen *:631
Listen /var/run/cups/cups.sock

# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAllow @LOCAL

# Default authentication type, when authentication is required...
DefaultAuthType Basic

# Restrict access to the server...
<Location />
  Order allow,deny
  Allow localhost
</Location>

# Restrict access to the admin pages...
<Location /admin>
  Encryption Required
  Order allow,deny
  Allow localhost
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
  AuthType Basic
  Require user @SYSTEM
  Order allow,deny
  Allow localhost
</Location>

# Set the default printer/job policies...
<Policy default>
  # Job-related operations must be done by the owner or an adminstrator...
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an adminstrator to authenticate...
  <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
    AuthType Basic
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

#
# End of "$Id: cupsd.conf.in 5454 2006-04-23 21:46:38Z mike $".
#
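
Added example, not part of the original post or of CUPS: a small log check that pairs each 426 (Upgrade Required) response in a debug-level error_log with the TLS handshake failure that follows it, so the redirect to https and the failure itself are reported as one event. The function name failed_upgrades and the 30-second pairing window are assumptions; the sample input is the error_log excerpt quoted above.

```python
import re
from datetime import datetime, timedelta

LINE = re.compile(r"^([A-Z]) \[([^\]]+)\] (\w+): (.*)$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: the error_log lines quoted in the post, wrapped lines rejoined.
SAMPLE = """\
D [15/Jul/2006:10:46:52 +0100] cupsdReadClient: 7 GET /admin/?op=delete-printer&printer_name=EPL6200 HTTP/1.1
D [15/Jul/2006:10:46:52 +0100] cupsdAuthorize: No authentication data provided.
D [15/Jul/2006:10:46:52 +0100] cupsdSendError: 7 code=426 (Upgrade Required)
D [15/Jul/2006:10:46:52 +0100] cupsdCloseClient: 7
D [15/Jul/2006:10:46:55 +0100] cupsdAcceptClient: 7 from 192.168.1.37:631 (IPv4)
E [15/Jul/2006:10:46:55 +0100] encrypt_client: Unable to encrypt connection from 192.168.1.37!
E [15/Jul/2006:10:46:55 +0100] encrypt_client: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
"""

def failed_upgrades(log_text, window=timedelta(seconds=30)):
    """Pair each 426 response with a TLS handshake failure logged within `window`."""
    requests = {}    # client number -> last request path read on that connection
    pending = None   # (time, path) of the most recent unpaired 426
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        _, stamp, func, msg = m.groups()
        when = datetime.strptime(stamp, TS_FMT)
        if func == "cupsdReadClient":
            r = re.match(r"(\d+) (?:GET|POST) (\S+) HTTP/", msg)
            if r:
                requests[r.group(1)] = r.group(2)
        elif func == "cupsdSendError":
            r = re.match(r"(\d+) code=426\b", msg)
            if r:
                pending = (when, requests.get(r.group(1), "?"))
        elif func == "encrypt_client":
            r = re.match(r"Unable to encrypt connection from (\S+?)!", msg)
            if r and pending and when - pending[0] <= window:
                findings.append({"path": pending[1], "client": r.group(1), "reason": None})
                pending = None
            elif msg.startswith("error:") and findings and findings[-1]["reason"] is None:
                # Last field of the OpenSSL error string is the human-readable reason.
                findings[-1]["reason"] = msg.rsplit(":", 1)[-1]
    return findings

if __name__ == "__main__":
    for finding in failed_upgrades(SAMPLE):
        print(finding)
```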






