[cups] secure printing from the CUPS server to the printer

Paul Keck paulkeck at gmail.com
Tue May 3 05:18:21 PDT 2016 

Hi all, I've found some hints in the list archive but I'm hoping there is a
perfect post I'm just missing.

We want to encrypt traffic from a Linux box to the printer.  We're running
Banner and for certain print jobs ("sleep/wake" printing they call it) the
only thing the application supports is to print to a local queue.  In the
past we've used Cappella Tech SecureDIMMs to encrypt the traffic from the
Banner server to the printer but they are getting long in the tooth- the
last "supported printers" list is from 2006.  You can still buy them but how
long can this last, I ask you?  So we are exploring alternatives.

SSL or TLS printing sounds like it should do what we want, but I've messed
with it a couple of days without getting it to work.  (On an HP CLJ 4525 and
HP LJ 9050.) Most people using CUPS seem to want to set it up to be secure
from the client desktop to the CUPS server, but since that part is local I
don't think I care about that.

This comes the closest to what I think I need:

http://forums.openprinting.org/read.php?19,14981,14981

Our production stuff is all RHEL6 or RHEL7; I've been testing from my Linux
Mint (Ubuntu) desktop without success.  I can set up a non-encrypted print
queue just fine and print test pages using the DeviceURI

ipp://hp9050-1.blarg.usg.edu:631/ipp

but if I use

ipp://hp9050-1.uso.bor.usg.edu/ipp?encryption=always

or

ipp://hp9050-1.uso.bor.usg.edu/ipp?encryption=required

I just get

"The printer is not responding."

I've tried lots of variation of ipp and ipps and https but nothing seems to
work out.  I've let the printer make itself a self-signed cert and I've
tried it with
one I created using the procedure on that web page.  I haven't used a "real"
cert yet- is that required?

Most of the HOWTOs I've run across for securing printing talk more about the
incoming queue, but I have not bothered with that half of it since it's a
local queue.
Is that a mistake?  Does the incoming stuff have to be encrypted too?

Anyone had luck with this who can share their solutions?  Surely
I'm just missing something simple!  Thanks!

-Paul Keck

More information about the cups mailing list