[cups] cups-2.3b8: Unable to encrypt connection: A TLS fatal alert has been received

Matthias Apitz guru at unixarea.de
Sat Feb 4 02:15:04 PST 2023 

Hello,

We face a problem with an own compiled cups-2.3b8 on SuSE Linux 15 SP4.
Here are the details from the log (...):

etc/cups/cupsd.conf

 15 ServerAlias *
 16 
 17 DefaultEncryption Required
 18 Encryption Required


var/log/cups/error_log:

E [04/Feb/2023:03:59:06 +0100] Unknown directive Encryption on line 18 of /usr/local/sisis-pap/cups2/etc/cups/cupsd.conf.

Why cupsd is rejecting the 'Encryption Required' line?

I [04/Feb/2023:10:29:20 +0100] Listening to 0.0.0.0:631 (IPv4)
I [04/Feb/2023:10:29:20 +0100] Listening to [v1.::]:631 (IPv6)

...
D [04/Feb/2023:10:29:20 +0100] Using keychain "/usr/local/sisis-pap/cups2/etc/cups/ssl" for server name "srap53dxr1.dev.xxxx.xxx".


When I now connect with FF to https://srap53dxr1.dev.xxxx.xxx:631/ 
it says in the error log:

D [04/Feb/2023:10:33:34 +0100] cupsdSetBusyState: newbusy="Active clients", busy="Not busy"
D [04/Feb/2023:10:33:34 +0100] [Client 1] Server address is "10.23.33.52".
D [04/Feb/2023:10:33:34 +0100] [Client 1] Accepted from 10.49.250.183:52193 (IPv4)
D [04/Feb/2023:10:33:34 +0100] [Client 1] Waiting for request.
D [04/Feb/2023:10:33:34 +0100] Report: clients=1
D [04/Feb/2023:10:33:34 +0100] Report: jobs=1
D [04/Feb/2023:10:33:34 +0100] Report: jobs-active=0
D [04/Feb/2023:10:33:34 +0100] Report: printers=1
D [04/Feb/2023:10:33:34 +0100] Report: stringpool-string-count=571
D [04/Feb/2023:10:33:34 +0100] Report: stringpool-alloc-bytes=6320
D [04/Feb/2023:10:33:34 +0100] Report: stringpool-total-bytes=9832
E [04/Feb/2023:10:33:35 +0100] [Client 1] Unable to encrypt connection: A TLS fatal alert has been received.
D [04/Feb/2023:10:33:35 +0100] [Client 1] Closing connection.

What does the A TLS fatal alert means?

The same is true with: openssl s_client -connect 10.23.33.52:631

The cupsd has, as it should, created cert files:

# ls -l /usr/local/sisis-pap/cups2/etc/cups/ssl
total 8
-rw-r--r-- 1 root root 1472 Feb  4 10:33 srap53dxr1.dev.xxxx.xxx.crt
-rw-r--r-- 1 root root 1679 Feb  4 10:33 srap53dxr1.dev.xxxx.xxx.key

FF says:

srap53dxr1.dev.xxxx.xxx:631 uses an invalid security certificate.
 
The certificate is not trusted because it is self-signed.
 
Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT


# lsof -p 21361 | grep tls
cupsd   21361 root  mem       REG               0,46  2147728  479853 /usr/lib64/libgnutls.so.30.31.0

# strings /usr/local/sisis-pap/cups2/sbin/cupsd | grep '^CUPS v'
CUPS v2.3b8

Any hints how to nail this down?

	matthias

-- 
Matthias Apitz, ✉ guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

More information about the cups mailing list