[cups] SSL in cups 2.3.3op2

Jörg Thümmler listen at vordruckleitverlag.de
Mon Oct 9 07:18:50 PDT 2023


On 09.10.23 at 15:20, Mark Dm wrote:
> Jörg Thümmler,
> 
> 
> Yes, that is only ONE of the things I have seen and only raises more
> questions such as HOW to generate those certificates? For lack of knowing
> how to generate new ones, I copied the certificates from my old CUPS
> (Debian Stretch) install from the previous OS on this same Pi 3B+ which
> uses the same hostname.  Also in OP you will note that there may or may not
> be some entries in cupsd.conf which define the path to those files. Knowing
> if they are VALID is a separate issue and no idea how I would know if they
> are valid.
> 
> If they were not there and/or not valid would I still be able to see the
> pages at https://localhost:631 ?
> 
> It seems a little crazy especially given all the CUPS changes and
> apparently little documentation about those changes
> 
> 
> It's frustrating. Where are the docs? Now we go to "guessware" because
> there will be no docs?
> 
> 
> Mark
> 
> On Mon, Oct 9, 2023 at 1:56 AM Jörg Thümmler <listen at vordruckleitverlag.de>
> wrote:
> 
>> On 09.10.23 at 09:33, Mark Dm wrote:
>>> Douglas Kosovic,
>>>
>>> Yes I can get there https://10.0.0.250:631 and the page loads although it
>>> says "certificate invalid"
>>>
>>> When I try to use the CUPS client for Android and auto detect the printer,
>>> I get:
>>> "Clear text is no longer allowed on Android 9. Please enable SSL/TLS on the
>>> CUPS server/printer"
>>>
>>> If I manually enter the IP address in the CUPS client for Android's "IP or
>>> Hostname" field, no search finds a printer.
>>>
>>> If I manually enter the printer URL in cups client for android with
>>> "https:" it does not print and sometimes crashes android client.
>>>
>>> Mopria does not recognize it at all nor does the android generic printer
>>> driver, and as far as I can best recall they did before.
>>>
>>> I have tried so many things I think I am at my wits end with this and
>>> ready to just revert to my old stretch install, as the problems with CUPS
>>> are many and seem insurmountable. I wasted all of my time getting so much
>>> other software migrated only to find that CUPS would be what hinders me.
>>> That is not good when part of the core OS is what is holding you back. I
>>> think it should be a strong message to CUPS devs.
>>>
>>> Mark
>>>
>>> On Sun, Oct 8, 2023 at 8:17 PM Douglas Kosovic <doug at uq.edu.au> wrote:
>>>
>>>> Hi Mark,
>>>>
>>>>> Upgraded to Bullseye on Raspberry Pi 3B+ from Stretch. Far too
>>>>> many issues with CUPS 2.3.3op2.
>>>>>
>>>>> I need to get SSL activated so that Android 9 and up can print
>>>>
>>>> CUPS supports both ipp and (TLS/SSL encrypted) ipps for printing out of
>>>> the box, so don't think this is the issue.
>>>>
>>>>> I have found several pages on the internet with the same topic,
>>>>> some say you only need to add the certificates and add some
>>>>> lines to cupsd.conf that point to them but that apparently
>>>>> does not work . One page said they are automatically generated.
>>>>
>>>> You can check encryption is working with CUPS by going to the CUPS
>>>> server's web interface using https instead of http, e.g. :
>>>>
>>>>      https://localhost:631
>>>>
>>>> ipp and ipps use that same port 631.
>>>>
>>>> (Assuming 'WebInterface Yes' is set in /etc/cups/cupsd.conf which I
>>>> believe it is by default)
>>>>
>>>> Android and Windows use Mopria certified printers for driverless
>>>> printing, while Apple uses AirPrint.
>>>>
>>>> In the "What printers does my Android device support?" from the following
>>>> Android printing FAQ :
>>>> https://mopria.org/androidfaq
>>>>
>>>> It states "By default, your Android 8 and higher device supports all
>>>> printers that are Mopria certified. Your Android device will automatically
>>>> discover any nearby Mopria certified printer."
>>>>
>>>> The following page describes when Mopria compatibility was added :
>>>> https://github.com/OpenPrinting/cups/pull/126
>>>>
>>>> So you need CUPS 2.4 or later's Mopria capability for printing with
>>>> Android 8 or later (unless the Debian CUPS packages backported Mopria
>>>> compatibility to earlier versions of CUPS).
>>>>
>>>>> Too many changes in CUPs and not enough complete documentation.
>>>>> This is what gives linux a bad name. We need full and complete
>>>>> documentation for each specific version of CUPS
>>>>
>>>> The CHANGES.md file in the OpenPrinting GitHub CUPS repository is a good
>>>> place to see the changes between versions:
>>>> https://github.com/openprinting/cups
>>>>
>>>> Going to https://localhost:631 will have docs for the specific version
>>>> you are using.
>>>>
>>>>> I also need to know if SAMBA driver support has been removed.
>>>>
>>>> Microsoft has announced that they plan to drop support for print drivers
>>>> and are encouraging moving to driverless Mopria compliant printers that was
>>>> first made possible with the release of Windows 10 21H2.
>>>>
>>>> https://learn.microsoft.com/en-us/windows-hardware/drivers/print/end-of-servicing-plan-for-third-party-printer-drivers-on-windows
>>>>
>>>> SAMBA doesn't support Windows type 4 print drivers (i.e. no support for
>>>> the IPP Class inbox driver), only type 3 which is prone to the fallout of
>>>> the "PrintNightmare" critical security vulnerability that affected
>>>> Microsoft Windows. Do a google search for "SAMBA PrintNightmare".
>>>>
>>>> If you set up an IPP Everywhere or driverless queue on CUPS 2.4 or later,
>>>> Windows 10 21H2 or later should be able to find and add it without the need
>>>> for any drivers.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Cheers,
>>>> Doug
>>>> _______________________________________________
>>>> cups mailing list
>>>> cups at cups.org
>>>> https://lists.cups.org/mailman/listinfo/cups
>>>>
>>
>> Hi,
>>
>> assume you have certificates in /etc/cups/ssl ... they are named as your
>> host is (<hostname>.key, <hostname>.crt) and they are valid?
>>
>> --
>> cu
>>
>> jth

Doug,

I'm not skilled in this either; since I only use CUPS on the LAN, I don't
use SSL here.
What I think is:

1st: It seems the cert files must have names built with the hostname as
prefix; I have linux.crt / linux.key and linux.lan.vfg.crt /
linux.lan.vfg.key (linux is the hostname of my server and linux.lan.vfg its
FQDN). Maybe you must rename yours.

2nd: Calling https://linux:631 gives me the security warning for using
self-signed certificates too. At least in Firefox you can override it via
"Advanced" ... so my certs will be invalid too, I assume.
It seems CUPS generates them automatically on install. You could generate
new certs using the openssl command, see
https://linuxconfig.org/how-to-generate-a-self-signed-ssl-certificate-on-linux
...
but they will be self-signed as well. And I think that is exactly what
printing over WLAN doesn't like. But maybe I'm mistaken in this.

3rd: Maybe give public certificates a try: https://letsencrypt.org is
one easy way to get certificates, although you need a bit of webspace
for that.

just my 2 ct...
-- 
cu

jth
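
Added example, not part of the original post or of CUPS: a shell function that answers the "are they valid?" question from the thread for a certificate/key pair, using the openssl command mentioned above. The function names and the host name printhost.example are made up for illustration; the demo pair is a constructed throwaway certificate.

```shell
#!/bin/sh
# Added example: sanity-check a CUPS TLS certificate/key pair.
# check_cups_cert CERT KEY HOSTNAME -> prints findings, returns 0 only if all checks pass.
check_cups_cert() {
    crt=$1 key=$2 host=$3 rc=0
    # Naming convention mentioned in the thread: <hostname>.crt / <hostname>.key
    [ "$(basename "$crt")" = "$host.crt" ] && [ "$(basename "$key")" = "$host.key" ] \
        || { echo "FAIL: files are not named $host.crt / $host.key"; rc=1; }
    # The certificate must parse and still be valid 24 hours from now
    openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null 2>&1 \
        || { echo "FAIL: certificate unreadable, expired or expiring within 24h"; rc=1; }
    # The name clients connect to must be covered by the certificate
    openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null \
        | grep -q 'does match certificate' \
        || { echo "FAIL: certificate does not cover host name $host"; rc=1; }
    # The private key must belong to this certificate: compare the public keys
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ] \
        || { echo "FAIL: private key does not match certificate"; rc=1; }
    # Issuer equal to subject means self-signed: TLS works, clients warn about trust
    subj=$(openssl x509 -in "$crt" -noout -subject_hash 2>/dev/null)
    issr=$(openssl x509 -in "$crt" -noout -issuer_hash 2>/dev/null)
    [ -n "$subj" ] && [ "$subj" = "$issr" ] \
        && echo "NOTE: self-signed; clients will not trust it unless told to"
    return $rc
}

# Constructed demo input: throwaway self-signed pair for a made-up host name.
make_demo_pair() {  # make_demo_pair DIR HOSTNAME
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_demo_pair "$demo" printhost.example
check_cups_cert "$demo/printhost.example.crt" "$demo/printhost.example.key" printhost.example
rm -rf "$demo"
```

On the server itself, run check_cups_cert as root against /etc/cups/ssl/<hostname>.crt and /etc/cups/ssl/<hostname>.key, passing the name the clients use to reach the server.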

