Encryption

Michael Sweet mike at easysw.com
Fri May 4 06:28:48 PDT 2007


John A. Murdie wrote:
> ...
> More generally, in a configuration which uses encryption and listens
> on port 443, it appears that the BrowsePort is not changed to 443 by
> default also, and remains as port 631. Is explicitly setting it to
> 443 the right thing to do?

Not generally.  You normally just want to leave it at port 631 and
let the DefaultEncryption stuff kick in.  If you want to be
particularly secure (always encrypt everything), just add:

     Encryption Required

to each location section.  CUPS will automatically redirect
browsers to https: URLs on port 631...

> Also, I presume that one has to set
> /etc/cups/client.conf to contain "cups:443" so that the client
> systems can use the traffic-encrypted server.

In general, CUPS is much smarter about encryption than your web
browser.  In particular, it supports negotiated encryption ("HTTP
Upgrade" protocol) such that the server can mandate, via the
"Encryption Required" and/or "DefaultEncryption Required" directives
in cupsd.conf, that all connections should be encrypted.  There is
an upgrade handshake between the server and client, and voila the
link is encrypted.

When we're talking to a non-CUPS client, we redirect them to a
https: URL which then uses dedicated SSL.

The CUPS server can use either dedicated or negotiated SSL/TLS over
the same port (a trick I borrowed from the Samba folks), and the
Encryption/DefaultEncryption directives in cupsd.conf enforce your
intent on the server side.

Similarly, the client can require encryption, either via the -E
option for individual requests or in client.conf with the Encryption
directive.  "Encryption Required" does the negotiated SSL method
while "Encryption Always" does the dedicated SSL method.

> On the matter of documentation, I think there should be some CUPS
> HOWTO on how to configure encryption and what to expect. Was this
> what the file ENCRYPTION.txt was for, before 1.2?

Basically, yes.  Feel free to file a feature request for more
documentation, and include a list of the things you'd like to see
covered.

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products           mike at easysw dot com
Internet Printing and Document Software          http://www.easysw.com
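For reference, the following is an added example of the server and client settings the reply describes; it is not part of the original message and not configuration shipped by the CUPS project. The host name print.example.com, the 192.168.1.0/24 network, and the Order/Allow access syntax of the 1.2-era cupsd.conf are assumptions for illustration.

```apache
# --- /etc/cups/cupsd.conf (server side) --- added example, not from the original message.
# Keep the standard IPP port. cupsd accepts plain HTTP and TLS on the same
# port: a CUPS client upgrades the link in place (HTTP Upgrade), a web
# browser is redirected to https://print.example.com:631/ and uses dedicated TLS.
Listen 631

# Server-wide policy: every connection must be encrypted unless a
# <Location> says otherwise. Accepted values: Never, IfRequested, Required.
DefaultEncryption Required

<Location />
  # Hypothetical LAN used for this example (1.2-era access-control syntax).
  Order allow,deny
  Allow 192.168.1.0/24
  # Per-location policy; repeat this in each <Location> to always encrypt.
  Encryption Required
</Location>

<Location /admin>
  Order allow,deny
  Allow 192.168.1.0/24
  Encryption Required
  # Administration additionally needs an authenticated system user.
  AuthType Default
  Require user @SYSTEM
</Location>

# --- /etc/cups/client.conf (client side) --- added example.
# Point clients at port 631, not 443, and let encryption be negotiated.
# "Required" uses the negotiated (HTTP Upgrade) method; "Always" would use
# dedicated TLS from the first byte instead.
ServerName print.example.com:631
Encryption Required
```

With client.conf in place, ordinary commands such as `lpstat -p` talk to the server encrypted; for a one-off request from a client that has no client.conf entry, `lpstat -E -h print.example.com:631 -p` forces the same negotiated encryption via the -E option mentioned in the reply.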