[cups] Authentication for thee but not for me
Helge Blischke
helgeblischke at web.de
Mon Mar 21 05:15:55 PDT 2016
Looking through various bug reports referencing the same error message in cups’ error_log, I found a hint you could at least try (cited from memory):
"… SSLPort 631 implies that the initial connection already should be encrypted, contrary to the normal proceeding
(initiate an unencrypted connection and switch to encryption in a second step). So "Encryption always“ in cupsd.conf seems to be the
only means to fix this issue …“
From the bug reports I scanned it seems that the issue may be dependent on the TLS (or SSL) version installed.
Helge
> Am 20.03.2016 um 23:42 schrieb Rick Cochran <rcc2 at cornell.edu>:
>
> OK. I have done some more research. It seems likely that I will be unable to use SSL encryption for job submission and NOT use SSL encryption for job submission at the same time. Duh.
>
> So I am adding "-E" to the "lp" command.
>
> I have attached the full command, the error message it returns, the error_log entries produced, and my cupsd.conf.
>
> BTW, adding "-o encryption=always" produces the same result.
>
> Help would be appreciated.
>
> -Rick
>
>
> On 3/19/16 5:37 PM, Rick Cochran wrote:
>> I have done a bit of research.
>>
>> The command PaperCut is using to move print jobs is:
>>
>> lp -d "%printer%" -h "%server%" -t "%docname%" -U "%username%" -o raw
>> "%spoolfile%"
>>
>> but I can change it to whatever I want.
>>
>> The error messages I am getting when PaperCut attempts to move a print job are:
>>
>> Unable to encrypt connection from localhost - A record packet with illegal
>> version was received.
>>
>> Since I am using "SSLPort 631" instead of "Port 631" in cupsd.conf I think _all_
>> connections to port 631 will require SSL.
>>
>> A relevant section of cupsd.conf is:
>>
>> <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs
>> Set-Job-Attributes Create-Job-Subscription Renew-Subscription
>> Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job
>> Suspend-Current-Job Resume-Job CUPS-Move-Job>
>> AuthType Basic
>> Encryption Required
>> Order deny,allow
>> </Limit>
>>
>> If this were an Apache httpd.conf, I could use
>>
>> <If "%{REMOTE_ADDR} != '127.0.0.1'">
>> AuthType Basic
>> Encryption Required
>> Order deny,allow
>> </If>
>>
>> However the "If" directive is not found in the list of cupsd.conf directives.
>>
>> I'm beginning to think we will not be able to make this work, in which case we
>> will have to switch everything to Windows.
>>
>> Yuck!
>>
>> -Rick
>>
>>
>> On 3/16/16 6:22 PM, Rick Cochran wrote:
>>> Hi,
>>>
>>> The PaperCut "Print Provider" (the part of PaperCut which runs on print servers)
>>> sometimes needs to execute CUPS commands to move print jobs from one queue to
>>> another.
>>>
>>> We have cupsd.conf configured to require SSL-encrypted IPP Basic Authentication
>>> for print job submission. I am wondering if it is possible to also allow
>>> unauthenticated (at least by IPPS) actions by processes running on the CUPS
>>> server.
>>>
>>> If so, I'm wondering what that would look like in cupsd.conf.
>>>
>>> Thanks,
>>> -Rick
> <details.txt>_______________________________________________
> cups mailing list
> cups at cups.org <mailto:cups at cups.org>
> https://www.cups.org/mailman/listinfo/cups <https://www.cups.org/mailman/listinfo/cups>
More information about the cups
mailing list