Encryption

John A. Murdie john at cs.york.ac.uk
Thu May 3 09:34:35 PDT 2007


> John A. Murdie wrote:
> > Is there anywhere a more thorough description of CUPS and encryption than the small section in Chapter 5 of the CUPS Book (pp95-100)? I've looked for an article at this site, and have Googled a little - both unsuccessfully.
>
> No, 1.2.x and beyond are largely self-configuring and require
> encryption when authenticating over non-local addresses.
>
> > I've just built an experimental CUPS 1.2.10 with OpenSSL 0.9.8e, with locally-generated certificates, and with:
> > ...
> > and the 443 cupsd dies silently, leaving no trace in the log file
> > - even though I have `LogLevel debug2' set.
>
> You don't mention the OS, but if you can either run cupsd with the
> "-f" (foreground) option inside a debugger or using a tracing utility,
> we might be able to identify the problem.
>
> --
> ______________________________________________________________________
> Michael Sweet, Easy Software Products           mike at easysw dot com
> Internet Printing and Document Software          http://www.easysw.com

Ah. The symptom was:

ld.so.1: cupsd: fatal: relocation error: file /usr/local/pkg/cups-1.2.10/sbin/cupsd: symbol _httpBIOMethods: referenced symbol not found

and the problem was that I was linking this experimental cupsd of 1.2.10 by accident against the libcups.so from 1.2.8 that was in /usr/local/lib, the latter built without OpenSSL.

After correcting this, I was pleased to get something that initially appeared to work - I accessed https://cups/ and my SeaMonkey browser asked me to accept the certificate in the usual way, and I was presented with the usual CUPS web interface - showing version 1.2.10. All this with cupsd.conf having:

SSLListen 443

ServerCertificate /etc/cups/ssl/server.crt
ServerKey /etc/cups/ssl/server.key
Encryption Required

Unfortunately, when I clicked the Jobs tab, nothing happened but for an error message in error_log:

E [03/May/2007:16:49:12 +0000] encrypt_client: Unable to encrypt connection from localhost!
D [03/May/2007:16:49:12 +0000] cupsdCloseClient: 11
E [03/May/2007:16:49:12 +0000] PID 4319 (/usr/local/pkg/cups-1.2.10/lib/cups/cgi-bin/jobs.cgi) crashed on signal 10!

A similar thing happens if you click the Printers tab. Nothing in the forums here (searched for "encrypt_client"), or via Google ("+encrypt_client +unable"), to explain this. Exactly the same happens with Firefox as browser.

Turning to the shell commands, I hope that there is no need to use the lpr/lpq etc -E option every time. (The users would never accept it, and would certainly never accept having to type a password in order to print something.) lpq(1) doesn't require a password to be given and works without -E:

$ lpq -hcups:443 -Ppp23
pp23 is ready
no entries
$

When I try:

$ lpr -hcups:443 -Ppp23 tiger.ps
$

nothing appears on the printer, and the log file - with LogLevel debug2 - doesn't change. If instead I try with -E I see:

$ lpr -E -hcups:443 -Ppp23 tiger.ps
lpr: Success
$

which is distracting. Still nothing works.

On another matter, there's apparently no need to generate one's own certificate and key files so long as openssl is in cupsd's PATH - if it is not and you haven't generated the files yet, one sees the Error message (in error.log):

E ... No SSL certificate and openssl command not found!

I generated them by hand with:

$ openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes

More generally, in a configuration which uses encryption and listens on port 443, it appears that the BrowsePort is not changed to 443 by default also, and remains as port 631. Is explicitly setting it to 443 the right thing to do? Also, I presume that one has to set /etc/cups/client.conf to contain "cups:443" so that the client systems can use the traffic-encrypted server.

On the matter of documentation, I think there should be some CUPS HOWTO on how to configure encryption and what to expect. Was this what the file ENCRYPTION.txt was for, before 1.2?

John A. Murdie
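
An added example, not part of the original post and not CUPS code: a shell check for a hand-generated pair like the one referenced by ServerCertificate and ServerKey above. It confirms that the key matches the certificate, that the passphrase-less key written by -nodes is not accessible to group or other, and that the certificate is not close to expiry; the function name check_cups_tls_pair and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from CUPS): sanity checks for
# the files named by ServerCertificate and ServerKey in cupsd.conf.
# Assumptions: PEM files, an unencrypted key as written by "openssl req -nodes",
# and a default expiry warning threshold of 30 days.
# Usage: check_cups_tls_pair /etc/cups/ssl/server.crt /etc/cups/ssl/server.key

check_cups_tls_pair() {
    crt=$1
    key=$2
    warn_days=${3:-30}
    status=0

    # Extract the public key from each file; stop if either file cannot be
    # parsed, so two empty results never compare as equal.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: cannot read certificate $crt"; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "FAIL: cannot read private key $key"; return 2; }

    # 1. The certificate must carry the public half of this private key.
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $crt and $key do not belong together"
        status=1
    fi

    # 2. -nodes stores the key without a passphrase, so file permissions are
    #    its only protection: no group or other bits may be set.
    mode=$(ls -ldL "$key" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "FAIL: $key is accessible to group/other (mode bits: $mode)"
        status=1
    fi

    # 3. -days 365 means the certificate expires after a year; warn early.
    if ! openssl x509 -in "$crt" -noout -checkend $((warn_days * 86400)) >/dev/null; then
        echo "FAIL: $crt expires within $warn_days days"
        status=1
    fi

    [ "$status" -eq 0 ] && echo "OK: $crt / $key"
    return "$status"
}
```

The function returns 0 when all three checks pass, 1 when any check fails, and 2 when a file cannot be parsed.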