[cups] Authentication for thee but not for me

Helge Blischke helgeblischke at web.de
Mon Mar 21 05:15:55 PDT 2016 

Looking through various bug reports referencing the same error message in cups’ error_log, I found a hint you could at least try (cited from memory):
"… SSLPort 631 implies that the initial connection already should be encrypted, contrary to the normal proceeding 
(initiate an unencrypted connection and switch to encryption in a second step). So "Encryption always“ in cupsd.conf seems to be the
only means to fix this issue …“
From the bug reports I scanned it seems that the issue may be dependent on the TLS (or SSL) version installed.

Helge

> Am 20.03.2016 um 23:42 schrieb Rick Cochran <rcc2 at cornell.edu>:
> 
> OK. I have done some more research. It seems likely that I will be unable to use SSL encryption for job submission and NOT use SSL encryption for job submission at the same time. Duh.
> 
> So I am adding "-E" to the "lp" command.
> 
> I have attached the full command, the error message it returns, the error_log entries produced, and my cupsd.conf.
> 
> BTW, adding "-o encryption=always" produces the same result.
> 
> Help would be appreciated.
> 
> -Rick
> 
> 
> On 3/19/16 5:37 PM, Rick Cochran wrote:
>> I have done a bit of research.
>> 
>> The command PaperCut is using to move print jobs is:
>> 
>>   lp -d "%printer%" -h "%server%" -t "%docname%" -U "%username%" -o raw
>> "%spoolfile%"
>> 
>> but I can change it to whatever I want.
>> 
>> The error messages I am getting when PaperCut attempts to move a print job are:
>> 
>>   Unable to encrypt connection from localhost - A record packet with illegal
>> version was received.
>> 
>> Since I am using "SSLPort 631" instead of "Port 631" in cupsd.conf I think _all_
>> connections to port 631 will require SSL.
>> 
>> A relevant section of cupsd.conf is:
>> 
>>   <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs
>> Set-Job-Attributes Create-Job-Subscription Renew-Subscription
>> Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job
>> Suspend-Current-Job Resume-Job CUPS-Move-Job>
>>     AuthType Basic
>>     Encryption Required
>>     Order deny,allow
>>   </Limit>
>> 
>> If this were an Apache httpd.conf, I could use
>> 
>>     <If "%{REMOTE_ADDR} != '127.0.0.1'">
>>       AuthType Basic
>>       Encryption Required
>>       Order deny,allow
>>     </If>
>> 
>> However the "If" directive is not found in the list of cupsd.conf directives.
>> 
>> I'm beginning to think we will not be able to make this work, in which case we
>> will have to switch everything to Windows.
>> 
>> Yuck!
>> 
>> -Rick
>> 
>> 
>> On 3/16/16 6:22 PM, Rick Cochran wrote:
>>> Hi,
>>> 
>>> The PaperCut "Print Provider" (the part of PaperCut which runs on print servers)
>>> sometimes needs to execute CUPS commands to move print jobs from one queue to
>>> another.
>>> 
>>> We have cupsd.conf configured to require SSL-encrypted IPP Basic Authentication
>>> for print job submission. I am wondering if it is possible to also allow
>>> unauthenticated (at least by IPPS) actions by processes running on the CUPS
>>> server.
>>> 
>>> If so, I'm wondering what that would look like in cupsd.conf.
>>> 
>>> Thanks,
>>> -Rick
> <details.txt>_______________________________________________
> cups mailing list
> cups at cups.org <mailto:cups at cups.org>
> https://www.cups.org/mailman/listinfo/cups <https://www.cups.org/mailman/listinfo/cups>

More information about the cups mailing list