[cups] SSL in cups 2.3.3op2

Mark Dm markosjal at gmail.com
Mon Oct 9 06:20:49 PDT 2023


Jörg Thümmler,


Yes, that is only ONE of the things I have seen and only raises more
questions such as HOW to generate those certificates? For lack of knowing
how to generate new ones, I copied the certificates from my old CUPS
(Debian Stretch) install from the previous OS on this same Pi 3B+ which
uses the same hostname.  Also in OP you will note that there may or may not
be some entries in cupsd.conf which define the path to those files. Knowing
if they are VALID is a separate issue and I have no idea how I would know if
they are valid.

If they were not there and/or not valid would I still be able to see the
pages at https://localhost:631 ?

It seems a little crazy, especially given all the CUPS changes and
apparently little documentation about those changes.


It's frustrating. Where are the docs? Now we go to "guessware" because
there will be no docs?


Mark

On Mon, Oct 9, 2023 at 1:56 AM Jörg Thümmler <listen at vordruckleitverlag.de>
wrote:

> On 09.10.23 at 09:33, Mark Dm wrote:
> > Douglas Kosovic,
> >
> > Yes I can get there https://10.0.0.250:631 and the page loads although it
> > says "certificate invalid"
> >
> > When I try to use the CUPS client for Android and auto detect the printer,
> > I get:
> > "Clear text is no longer allowed on Android 9. Please enable SSL/TLS on the
> > CUPS server/printer"
> >
> > If I manually enter the IP address in the CUPS client for Android's "IP or
> > Hostname" field no search finds a printer.
> >
> > If I manually enter the printer URL in CUPS client for Android with
> > "https:" it does not print and sometimes crashes the Android client.
> >
> > Mopria does not recognize it at all nor does the Android generic printer
> > driver, and as far as I can best recall they did before.
> >
> > I have tried so many things I think I am at my wits' end with this and
> > ready to just revert to my old Stretch install, as the problems with CUPS
> > are many and seem insurmountable.  I wasted all of my time getting so much
> > other software migrated only to find that CUPS would be what hinders me.
> > That is not good when part of the core OS is what is holding you back. I
> > think it should be a strong message to CUPS devs.
> >
> > Mark
> >
> > On Sun, Oct 8, 2023 at 8:17 PM Douglas Kosovic <doug at uq.edu.au> wrote:
> >
> >> Hi Mark,
> >>
> >>> Upgraded to Bullseye on Raspberry Pi 3B+ from Stretch. Far too
> >>> many issues with CUPS 2.3.3op2.
> >>>
> >>> I need to get SSL activated so that Android 9 and up can print
> >>
> >> CUPS supports both ipp and (TLS/SSL encrypted) ipps for printing out of
> >> the box, so don't think this is the issue.
> >>
> >>> I have found several pages on the internet with the same topic,
> >>> some say you only need to add the certificates and add some
> >>> lines to cupsd.conf that point to them but that apparently
> >>> does not work . One page said they are automatically generated.
> >>
> >> You can check encryption is working with CUPS by going to the CUPS
> >> server's web interface using https instead of http, e.g. :
> >>
> >>     https://localhost:631
> >>
> >> ipp and ipps use that same port 631.
> >>
> >> (Assuming 'WebInterface Yes' is set in /etc/cups/cupsd.conf which I
> >> believe it is by default)
> >>
> >> Android and Windows uses Mopria certified printers for driverless
> >> printing, while Apple uses AirPrint.
> >>
> >> In the "What printers does my Android device support?" from the following
> >> Android printing FAQ :
> >> https://mopria.org/androidfaq
> >>
> >> It states "By default, your Android 8 and higher device supports all
> >> printers that are Mopria certified. Your Android device will automatically
> >> discover any nearby Mopria certified printer."
> >>
> >> The following page describes when Mopria compatibility was added :
> >> https://github.com/OpenPrinting/cups/pull/126
> >>
> >> So you need CUPS 2.4 or later's Mopria capability for printing with
> >> Android 8 or later (unless the Debian CUPS packages backported Mopria
> >> compatibility to earlier versions of CUPS).
> >>
> >>> Too many changes in CUPS and not enough complete documentation.
> >>> This is what gives linux a bad name. We need full and complete
> >>> documentation for each specific version of CUPS
> >>
> >> The CHANGES.md file in the OpenPrinting GitHub CUPS repository is a good
> >> place to see the changes between versions:
> >> https://github.com/openprinting/cups
> >>
> >> Going to https://localhost:631 will have docs for the specific version
> >> you are using.
> >>
> >>> I also need to know if SAMBA driver support has been removed.
> >>
> >> Microsoft has announced that they plan to drop support for print drivers
> >> and encouraging moving to driverless Mopria compliant printers that was
> >> first made possible with the release of Windows 10 21H2.
> >>
> >> https://learn.microsoft.com/en-us/windows-hardware/drivers/print/end-of-servicing-plan-for-third-party-printer-drivers-on-windows
> >>
> >> SAMBA doesn't support Windows type 4 print drivers (i.e. no support for
> >> the IPP Class inbox driver), only type 3 which is prone to the fallout of
> >> the "PrintNightmare" critical security vulnerability that affected
> >> Microsoft Windows. Do a google search for "SAMBA PrintNightmare".
> >>
> >> If you set up an IPP Everywhere or driverless queue on CUPS 2.4 or later,
> >> Windows 10 21H2 or later should be able to find and add it without the need
> >> for any drivers.
> >>
> >> Cheers,
> >> Doug
> >> _______________________________________________
> >> cups mailing list
> >> cups at cups.org
> >> https://lists.cups.org/mailman/listinfo/cups
> >>
>
> Hi,
>
> assume you have certificates in /etc/cups/ssl ... they are named as your
> host is (<hostname>.key, <hostname>.crt) and they are valid?
>
> --
> cu
>
> jth
>
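
One way to answer the validity question raised in this thread, as an added example that is not part of the original messages: a POSIX shell function that uses the openssl command line to check that the pair exists under the /etc/cups/ssl/<hostname>.crt and <hostname>.key names, has not expired, belongs together, and names the host. The function name check_cups_cert and the 24-hour expiry margin are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): sanity-check a CUPS TLS pair.
# Assumes the /etc/cups/ssl/<hostname>.crt and <hostname>.key naming
# mentioned above; check_cups_cert is a hypothetical helper name.
# Run as root (the key is normally root-only):
#   sh check.sh /etc/cups/ssl "$(hostname)"

check_cups_cert() {
    dir=$1
    host=$2
    crt="$dir/$host.crt"
    key="$dir/$host.key"

    # 0. Both files must exist under the expected names.
    [ -r "$crt" ] || { echo "missing or unreadable: $crt"; return 2; }
    [ -r "$key" ] || { echo "missing or unreadable: $key"; return 2; }

    # 1. Must parse as a certificate and must not expire within 24 hours.
    openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null 2>&1 ||
        { echo "not a certificate, expired, or expiring within 24h"; return 3; }

    # 2. The private key must carry the same public key as the certificate.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || crt_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$key_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "private key does not match certificate"; return 4
    fi

    # 3. The certificate must name the host that clients connect to.
    openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null |
        grep -q "does match" ||
        { echo "certificate does not name host: $host"; return 5; }

    echo "ok: $crt is current, matches its key, and names $host"
    return 0
}

if [ "$#" -eq 2 ]; then
    check_cups_cert "$1" "$2"
fi
```

A self-signed pair can pass all of these checks and still be reported as untrusted by a browser or client, because trust depends on the issuer, which this does not test.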

