[cups.general] Adding Encrypted Printer

Michael R Sweet msweet at apple.com
Mon Apr 20 13:10:37 PDT 2009


You need at least CUPS 1.2.0 for the encryption option to work.

On Apr 20, 2009, at 12:17 PM, James Chase wrote:

> Ok, I removed Encryption Always from the server. But I now get this  
> error on the server when trying to print from the client.
>
> print_job: resource name '/printers/lpoe?encryption=always' no good!
>
> The server is an OLD version of CUPS (1.1.17) so maybe this is part  
> of the problem. It is running CentOS 3. The client is a recent  
> version of CUPS (1.2.4) on CentOS 5.
>
> Also I am not sure what the maximum bits of encryption are for the  
> old version of CUPS. It does not come with a key or crt so I created  
> my own before and used 512 bit encryption. In the online manual for  
> this version of CUPS they mention 128 bit -- I can't even create an  
> RSA encrypted certificate that is less than 512bit. I assume if  
> openssl created it, and CUPS is compiled to use openssl -- it should  
> work.
>
> Still when I create a printer:
>
> /usr/sbin/lpadmin -p RW-lpoe2 -E -v "ipp://209.x.x.x:10443/printers/lpoe" -m raw
>
> And try a test page, I get "unable to retrieve http://209.x.x.:10443/printers/lpoe?op=print-test-page
> connection reset by peer" on the client and "EncryptClient:
> error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request" in the
> cups error_log on the server. So something is afoot with the SSL
> communication process.
>
>
>>
>> You can't set "Encryption Always" on the server, since the Encryption
>> directive is only valid for locations and policies.  Use SSLPort or
>> SSLListen for that.
>>
>> That said, for any recent CUPS release, the auto-SSL code should pick
>> up on the SSL encryption from the client end without problems.
>>
>> CENTOS does ship with SSL support (via OpenSSL), so either you don't
>> have a valid SSL certificate for CUPS setup (it should create a
>> certificate and private key automatically, but if an invalid one is
>> supplied it will spit out an error...) or the client-side is not
>> configured properly.
>>
>> If you *are* printing to another CUPS server, the URI you are
>> providing is invalid. The correct URI format for a SSL connection is:
>>
>>     ipp://host-or-ip:port/printers/printername?encryption=always
>>
>> Alternately you can use "encryption=required" to do the HTTP Upgrade
>> thing.
>>
>>
>> On Apr 19, 2009, at 7:53 PM, James Chase wrote:
>>
>>>> See the documentation at:
>>>>
>>>>    http://www.cups.org/documentation.php/network.html
>>>>
>>>> Basically, add "?encryption=always" to the end of an IPP URI, e.g.:
>>>>
>>>>    /usr/sbin/lpadmin -p rwssl4 -E -v "ipp://209.119.222.222:631/?encryption=always" -m raw
>>>>
>>>> On Apr 15, 2009, at 10:00 AM, James Chase wrote:
>>>>
>>>>> I'm trying to add a printer that uses SSL encryption. When I run
>>>>> this command I get the following error
>>>>>
>>>>> # /usr/sbin/lpadmin -p rwssl4 -E -v https://209.119.222.222:631 -m raw
>>>>>
>>>>> lpadmin: Bad device-uri "https://209.119.188.226:631"!
>>>>>
>>>>> How can you setup a printer for communication over SSL if not by
>>>>> specifying https?
>>>>> _______________________________________________
>>>>> cups mailing list
>>>>> cups at easysw.com
>>>>> http://lists.easysw.com/mailman/listinfo/cups
>>>>
>>>> ____________________________________
>>>> Michael R Sweet, Senior Printing System Engineer
>>>>
>>>>
>>>>
>>>
>>> I get the following error on error_log on the CUPS server
>>>
>>> EncryptClient: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
>>>
>>> I have "Encryption Always" on the directive for the printer on the
>>> CUPS Server, and on the CUPS client I added ?encryption=always as
>>> you and the documentation make note of.
>>>
>>> Could this be indicative of no SSL support on my client CUPS? It
>>> seems off that SSL would not be compiled into CUPS in the package
>>> release (it is CentOS 5).
>>>
>>> Any ideas?
>>
>> ________________________________________
>> Michael R Sweet, Senior Printing System Engineer
>>

____________________________________
Michael R Sweet, Senior Printing System Engineer
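
Added example (not part of the original thread, and not CUPS project code): a small audit of `lpstat -v` output that flags `ipp://` queues whose device URI lacks the `encryption=always` or `encryption=required` option described above. The sample input is constructed, and the status names are this example's own.

```shell
#!/bin/sh
# Added example: audit CUPS queues for the URI encryption option from this thread.

# Classify one device URI; prints always, required, unenforced, cleartext or other.
classify_uri() {
    uri=$1
    case $uri in
        ipp://*) ;;
        *) echo other; return ;;          # only ipp:// URIs are examined here
    esac
    case $uri in
        *\?*) rest=${uri#*\?} ;;          # keep the query string only
        *)    echo cleartext; return ;;   # no options at all
    esac
    result=cleartext
    while [ -n "$rest" ]; do              # walk the &-separated options
        opt=${rest%%"&"*}
        case $rest in
            *"&"*) rest=${rest#*"&"} ;;
            *)     rest= ;;
        esac
        case $opt in
            encryption=always)   result=always ;;
            encryption=required) result=required ;;
            encryption=*)        result=unenforced ;;
        esac
    done
    echo "$result"
}

# Read `lpstat -v` output on stdin ("device for NAME: URI") and print
# "NAME STATUS" for each ipp:// queue that does not force encryption.
audit_queues() {
    while read -r w1 w2 name uri; do
        [ "$w1 $w2" = "device for" ] || continue
        case $(classify_uri "$uri") in
            cleartext)  echo "${name%:} cleartext" ;;
            unenforced) echo "${name%:} unenforced" ;;
        esac
    done
}

# Constructed sample input: documentation addresses; "upgrade", "lax" and
# "local" are made-up queue names.
SAMPLE_LPSTAT='device for RW-lpoe2: ipp://192.0.2.10:10443/printers/lpoe
device for rwssl4: ipp://192.0.2.10:631/printers/lpoe?encryption=always
device for upgrade: ipp://192.0.2.10:631/printers/lpoe?encryption=required
device for lax: ipp://192.0.2.10:631/printers/lpoe?version=1.1&encryption=ifrequested
device for local: usb://Example/Printer'

printf '%s\n' "$SAMPLE_LPSTAT" | audit_queues
```

On a live system, feed it real data with `lpstat -v | audit_queues`.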