[cups] cups-2.3b8: Unable to encrypt connection: A TLS fatal alert has been received
Matthias Apitz
guru at unixarea.de
Sat Feb 4 02:15:04 PST 2023
Hello,
We face a problem with an own compiled cups-2.3b8 on SuSE Linux 15 SP4.
Here are the details from the log (...):
etc/cups/cupsd.conf
15 ServerAlias *
16
17 DefaultEncryption Required
18 Encryption Required
var/log/cups/error_log:
E [04/Feb/2023:03:59:06 +0100] Unknown directive Encryption on line 18 of /usr/local/sisis-pap/cups2/etc/cups/cupsd.conf.
Why cupsd is rejecting the 'Encryption Required' line?
I [04/Feb/2023:10:29:20 +0100] Listening to 0.0.0.0:631 (IPv4)
I [04/Feb/2023:10:29:20 +0100] Listening to [v1.::]:631 (IPv6)
...
D [04/Feb/2023:10:29:20 +0100] Using keychain "/usr/local/sisis-pap/cups2/etc/cups/ssl" for server name "srap53dxr1.dev.xxxx.xxx".
When I now connect with FF to https://srap53dxr1.dev.xxxx.xxx:631/
it says in the error log:
D [04/Feb/2023:10:33:34 +0100] cupsdSetBusyState: newbusy="Active clients", busy="Not busy"
D [04/Feb/2023:10:33:34 +0100] [Client 1] Server address is "10.23.33.52".
D [04/Feb/2023:10:33:34 +0100] [Client 1] Accepted from 10.49.250.183:52193 (IPv4)
D [04/Feb/2023:10:33:34 +0100] [Client 1] Waiting for request.
D [04/Feb/2023:10:33:34 +0100] Report: clients=1
D [04/Feb/2023:10:33:34 +0100] Report: jobs=1
D [04/Feb/2023:10:33:34 +0100] Report: jobs-active=0
D [04/Feb/2023:10:33:34 +0100] Report: printers=1
D [04/Feb/2023:10:33:34 +0100] Report: stringpool-string-count=571
D [04/Feb/2023:10:33:34 +0100] Report: stringpool-alloc-bytes=6320
D [04/Feb/2023:10:33:34 +0100] Report: stringpool-total-bytes=9832
E [04/Feb/2023:10:33:35 +0100] [Client 1] Unable to encrypt connection: A TLS fatal alert has been received.
D [04/Feb/2023:10:33:35 +0100] [Client 1] Closing connection.
What does the A TLS fatal alert means?
The same is true with: openssl s_client -connect 10.23.33.52:631
The cupsd has, as it should, created cert files:
# ls -l /usr/local/sisis-pap/cups2/etc/cups/ssl
total 8
-rw-r--r-- 1 root root 1472 Feb 4 10:33 srap53dxr1.dev.xxxx.xxx.crt
-rw-r--r-- 1 root root 1679 Feb 4 10:33 srap53dxr1.dev.xxxx.xxx.key
FF says:
srap53dxr1.dev.xxxx.xxx:631 uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
# lsof -p 21361 | grep tls
cupsd 21361 root mem REG 0,46 2147728 479853 /usr/lib64/libgnutls.so.30.31.0
# strings /usr/local/sisis-pap/cups2/sbin/cupsd | grep '^CUPS v'
CUPS v2.3b8
Any hints how to nail this down?
matthias
--
Matthias Apitz, ✉ guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
More information about the cups
mailing list