Adding Encrypted Printer
James Chase
james at mandala-designs.com
Mon Apr 20 12:17:21 PDT 2009
Ok, I removed Encryption Always from the server. But I now get this error on the server when trying to print from the client.
print_job: resource name '/printers/lpoe?encryption=always' no good!
The server is an OLD version of CUPS (1.1.17) so maybe this is part of the problem. It is running CentOS 3. The client is a recent version of CUPS (1.2.4) on CentOS 5.
Also I am not sure what the maximum bits of encryption are for the old version of CUPS. It does not come with a key or crt so I created my own before and used 512 bit encryption. In the online manual for this version of CUPS they mention 128 bit -- I can't even create an RSA encrypted certificate that is less than 512bit. I assume if openssl created it, and CUPS is compiled to use openssl -- it should work.
Still when I create a printer:
/usr/sbin/lpadmin -p RW-lpoe2 -E -v "ipp://209.x.x.x:10443/printers/lpoe" -m raw
And try a test page, I get "unable to retrieve http://209.x.x.:10443/printers/lpoe?op=print-test-page connection reset by peer" on the client and "EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request" in the cups error_log on the server. So something is afoot with the SSL communication process.
>
> --Apple-Mail-3--59052478
> Content-Transfer-Encoding: 7bit
> Content-Type: text/plain;
> charset=us-ascii;
> format=flowed;
> delsp=yes
>
> You can't set "Encryption Always" on the server, since the Encryption
> directive is only valid for locations and policies. Use SSLPort or
> SSLListen for that.
>
> That said, for any recent CUPS release, the auto-SSL code should pick
> up on the SSL encryption from the client end without problems.
>
> CENTOS does ship with SSL support (via OpenSSL), so either you don't
> have a valid SSL certificate for CUPS setup (it should create a
> certificate and private key automatically, but if an invalid one is
> supplied it will spit out an error...) or the client-side is not
> configured properly.
>
> If you *are* printing to another CUPS server, the URI you are
> providing is invalid. The correct URI format for a SSL connection is:
>
> ipp://host-or-ip:port/printers/printername?encryption=always
>
> Alternately you can use "encryption=required" to do the HTTP Upgrade
> thing.
>
>
> On Apr 19, 2009, at 7:53 PM, James Chase wrote:
>
> >> See the documentation at:
> >>
> >> http://www.cups.org/documentation.php/network.html
> >>
> >> Basically, add "?encryption=always" to the end of an IPP URI, e.g.:
> >>
> >> /usr/sbin/lpadmin -p rwssl4 -E -v "ipp://209.119.222.222:631/?encryption=always
> >> " -m raw
> >>
> >> On Apr 15, 2009, at 10:00 AM, James Chase wrote:
> >>
> >>> I'm trying to add a printer that uses SSL encryption. When I run
> >>> this command I get the following error
> >>>
> >>> # /usr/sbin/lpadmin -p rwssl4 -E -v https://209.119.222.222:631 -m
> >>> raw
> >>>
> >>> lpadmin: Bad device-uri "https://209.119.188.226:631"!
> >>>
> >>> How can you setup a printer for communication over SSL if not by
> >>> specifying https?
> >>> _______________________________________________
> >>> cups mailing list
> >>> cups at easysw.com
> >>> http://lists.easysw.com/mailman/listinfo/cups
> >>
> >> ____________________________________
> >> Michael R Sweet, Senior Printing System Engineer
> >>
> >>
> >>
> >
> > I get the following error on error_log on the CUPS server
> >
> > EncryptClient: error:1407609C:SSL
> > routines:SSL23_GET_CLIENT_HELLO:http request
> >
> > I have "Encryption Always" on the directive for the printer on the
> > CUPS Server, and on the CUPS client I added ?encryption=always as
> > you and the documentation make note of.
> >
> > Could this be indicative of no SSL support on my client CUPS? It
> > seems off that SSL would not be compiled into CUPS in the package
> > release (it is CentOS 5).
> >
> > Any ideas?
> > _______________________________________________
> > cups mailing list
> > cups at easysw.com
> > http://lists.easysw.com/mailman/listinfo/cups
>
> ________________________________________
> Michael R Sweet, Senior Printing System Engineer
>
>
> --Apple-Mail-3--59052478
> Content-Transfer-Encoding: quoted-printable
> Content-Type: text/html;
> charset=us-ascii
>
> <html><body style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
> -webkit-line-break: after-white-space; ">You can't set "Encryption =
> Always" on the server, since the Encryption directive is only valid for =
> locations and policies. Use SSLPort or SSLListen for =
> that.<div><br></div><div>That said, for any recent CUPS release, the =
> auto-SSL code should pick up on the SSL encryption from the client end =
> without problems.</div><div><br></div><div>CENTOS does ship with SSL =
> support (via OpenSSL), so either you don't have a valid SSL certificate =
> for CUPS setup (it should create a certificate and private key =
> automatically, but if an invalid one is supplied it will spit out an =
> error...) or the client-side is not configured =
> properly.</div><div><br></div><div>If you *are* printing to another CUPS =
> server, the URI you are providing is invalid. The correct URI format for =
> a SSL connection is:</div><div><br></div><div> <a =
> href=3D"ipp://host-or-ip:port/printers/printername?encryption=3Dalways">ip=
> p://host-or-ip:port/printers/printername?encryption=3Dalways</a></div><div=
> ><br></div><div>Alternately you can use "encryption=3Drequired" to do =
> the HTTP Upgrade =
> thing.</div><div><br></div><div><br></div><div><div><div><div>On Apr 19, =
> 2009, at 7:53 PM, James Chase wrote:</div><br =
> class=3D"Apple-interchange-newline"><blockquote =
> type=3D"cite"><div><blockquote type=3D"cite">See the documentation =
> at:<br></blockquote><blockquote type=3D"cite"><br></blockquote><blockquote=
> type=3D"cite"> <a =
> href=3D"http://www.cups.org/documentation.php/network.html">http://www.cup=
> s.org/documentation.php/network.html</a><br></blockquote><blockquote =
> type=3D"cite"><br></blockquote><blockquote type=3D"cite">Basically, add =
> "?encryption=3Dalways" to the end of an IPP URI, =
> e.g.:<br></blockquote><blockquote =
> type=3D"cite"><br></blockquote><blockquote type=3D"cite"> =
> /usr/sbin/lpadmin -p rwssl4 -E -v "<a =
> href=3D"ipp://209.119.222.222:631/?encryption=3Dalways">ipp://209.119.222.=
> 222:631/?encryption=3Dalways</a><br></blockquote><blockquote =
> type=3D"cite">" -m raw<br></blockquote><blockquote =
> type=3D"cite"><br></blockquote><blockquote type=3D"cite">On Apr 15, =
> 2009, at 10:00 AM, James Chase wrote:<br></blockquote><blockquote =
> type=3D"cite"><br></blockquote><blockquote type=3D"cite"><blockquote =
> type=3D"cite">I'm trying to add a printer that uses SSL encryption. When =
> I run<br></blockquote></blockquote><blockquote type=3D"cite"><blockquote =
> type=3D"cite">this command I get the following =
> error<br></blockquote></blockquote><blockquote type=3D"cite"><blockquote =
> type=3D"cite"><br></blockquote></blockquote><blockquote =
> type=3D"cite"><blockquote type=3D"cite"># /usr/sbin/lpadmin -p rwssl4 -E =
> -v <a href=3D"https://209.119.222.222:631">https://209.119.222.222:631</a>=
> -m raw<br></blockquote></blockquote><blockquote type=3D"cite"><blockquote=
> type=3D"cite"><br></blockquote></blockquote><blockquote =
> type=3D"cite"><blockquote type=3D"cite">lpadmin: Bad device-uri "<a =
> href=3D"https://209.119.188.226:631">https://209.119.188.226:631</a>"!<br>=
> </blockquote></blockquote><blockquote type=3D"cite"><blockquote =
> type=3D"cite"><br></blockquote></blockquote><blockquote =
> type=3D"cite"><blockquote type=3D"cite">How can you setup a printer for =
> communication over SSL if not =
> by<br></blockquote></blockquote><blockquote type=3D"cite"><blockquote =
> type=3D"cite">specifying https?<br></blockquote></blockquote><blockquote =
> type=3D"cite"><blockquote =
> type=3D"cite">_______________________________________________<br></blockqu=
> ote></blockquote><blockquote type=3D"cite"><blockquote type=3D"cite">cups =
> mailing list<br></blockquote></blockquote><blockquote =
> type=3D"cite"><blockquote type=3D"cite"><a =
> href=3D"mailto:cups at easysw.com">cups at easysw.com</a><br></blockquote></bloc=
> kquote><blockquote type=3D"cite"><blockquote type=3D"cite"><a =
> href=3D"http://lists.easysw.com/mailman/listinfo/cups">http://lists.easysw=
> ..com/mailman/listinfo/cups</a><br></blockquote></blockquote><blockquote =
> type=3D"cite"><br></blockquote><blockquote =
> type=3D"cite">____________________________________<br></blockquote><blockq=
> uote type=3D"cite">Michael R Sweet, Senior Printing System =
> Engineer<br></blockquote><blockquote =
> type=3D"cite"><br></blockquote><blockquote =
> type=3D"cite"><br></blockquote><blockquote =
> type=3D"cite"><br></blockquote><br>I get the following error on =
> error_log on the CUPS server<br><br>EncryptClient: error:1407609C:SSL =
> routines:SSL23_GET_CLIENT_HELLO:http request<br><br>I have "Encryption =
> Always" on the directive for the printer on the CUPS Server, and on the =
> CUPS client I added ?encryption=3Dalways as you and the documentation =
> make note of.<br><br>Could this be indicative of no SSL support on my =
> client CUPS? It seems off that SSL would not be compiled into CUPS in =
> the package release (it is CentOS 5).<br><br>Any =
> ideas?<br>_______________________________________________<br>cups =
> mailing list<br><a =
> href=3D"mailto:cups at easysw.com">cups at easysw.com</a><br><a =
> href=3D"http://lists.easysw.com/mailman/listinfo/cups">http://lists.easysw=
> ..com/mailman/listinfo/cups</a><br></div></blockquote></div><br><div>
> <span class=3D"Apple-style-span" style=3D"border-collapse: separate; =
> color: rgb(0, 0, 0); font-family: Monaco; font-size: 12px; font-style: =
> normal; font-variant: normal; font-weight: normal; letter-spacing: =
> normal; line-height: normal; orphans: 2; text-align: auto; text-indent: =
> 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
> 0px; -webkit-border-horizontal-spacing: 0px; =
> -webkit-border-vertical-spacing: 0px; =
> -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
> auto; -webkit-text-stroke-width: 0px; "><span class=3D"Apple-style-span" =
> style=3D"border-collapse: separate; color: rgb(0, 0, 0); font-family: =
> Helvetica; font-size: 12px; font-style: normal; font-variant: normal; =
> font-weight: normal; letter-spacing: normal; line-height: normal; =
> orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
> widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; =
> -webkit-border-vertical-spacing: 0px; =
> -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
> auto; -webkit-text-stroke-width: 0px; "><div style=3D"word-wrap: =
> break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
> after-white-space; =
> "><div><div>________________________________________</div><div>Michael R =
> Sweet, Senior Printing System Engineer</div></div></div></span></span>
> </div>
> <br></div></div></body></html>=
>
> --Apple-Mail-3--59052478--
>
More information about the cups
mailing list