[cups] SSL in cups 2.3.3op2

Douglas Kosovic doug at uq.edu.au
Tue Oct 10 20:54:27 PDT 2023 

Hi Mark,

The new Debian 12 (Bookworm) based Raspberry Pi OS might be the simplest option for you as it comes with cups 2.4.2-3+deb12u4, so will work with Android Mopria Print Service and Windows 10/11 inbox IPP driver unlike the earlier CUPS versions.

The following is a summary of the issues with the Android CUPS client. 

The Android CUPS client v1.5 was published in 2018 and is available on the Google Play Store:
  https://play.google.com/store/apps/details?id=io.github.benoitduffez.cupsprint

has commits in GitHub after the 1.5.0 tag (so after that published version) that allows clear text traffic:
  https://github.com/BenoitDuffez/AndroidCupsPrint/commits/develop

so one option is to build the latest Android CUPS client from source code and side load on the Android device.

Although the Android CUPS client v1.5 release notes claims it is able to handle self-signed certificates, there still appears to be issues according to the following:
   https://github.com/BenoitDuffez/AndroidCupsPrint/issues/157

an ugly workaround for the Google Play Store published version is described in the above link.




Cheers,
Doug

-----Original Message-----
From: Douglas Kosovic <doug at uq.edu.au> 
Sent: Wednesday, October 11, 2023 12:23 AM
To: The CUPS user discussion list. <cups at cups.org>
Subject: Re: [cups] SSL in cups 2.3.3op2

Hi Mark,

I built cups 2.4.7-1 from Debian sid and the Android Mopria Print Service is able to find the print queue as does Windows 11, but the Android Default Print Service wasn't able to. I was getting some errors when I try to print, but that is another story and still looking into it.

Going back to the original issue using the so called Android CUPS client (which I think is a bit of a misleading name as it isn't built using CUPS or any libraries from CUPS).

I wonder if the "Clear text is no longer allowed on Android 9. Please enable SSL/TLS on the CUPS server/printer" from that client means you need to you need to add "Encryption Required" to all <Location> directives in the /etc/cups/cupsd.conf file.

Anyway, that issue is described in the Android CUPS client's github issues :
https://github.com/BenoitDuffez/AndroidCupsPrint/issues/157

I'm not able to install that Android CUPS client as the Google Play store claims I don't have any compatible devices.

In regards to certificates, deleting the certificates under /etc/cups/ssl/ and restarting CUPS will regenerate new self-signed certificate, but looks like the Android CUPS client has issues with self-signed certificates. Possibly could use the Let's Encrypt certificate service, which has certificates stored in the /etc/letsencrypt/live directory



Cheers,
Doug

-----Original Message-----
From: Douglas Kosovic <doug at uq.edu.au>
Sent: Tuesday, October 10, 2023 3:20 PM
To: The CUPS user discussion list. <cups at cups.org>
Subject: Re: [cups] SSL in cups 2.3.3op2

Hi Mark,

> Upgraded to Bullseye on Raspberry Pi 3B+  from Stretch. Far too many 
> issues with CUPS 2.3.3op2.

Okay, I have CUPS 2.3.3op2-3 on a Raspberry Pi, added a print queue, then tried with Android 10, but had no success finding the print queue.

'avahi-browse --all -r' wasn't listing any mDNS advertisement for the print queue, so I added the following line to /etc/cups/cupsd.conf :

BrowseDNSSDSubTypes _cups,_universal,_print

iOS was then able to find the print queue, but still no luck with Android. The output of 'avahi-browse --all -r' doesn't have mopria-certified in the mDNS advertisement for the print queue which I suspect is the problem.

When I get home tonight, I'm thinking of doing a backport build of CUPS 2.4.7-1 from Debian Sid to see if things work. With CUPS 2.4 it definitely mDNS advertises mopria-certified for the print queues.

From the following page, I get the impression even with the default Android Print Service that they mention, it only works with printers that advertise they are mopria-certified :
  https://mopria.org/androidfaq


> If I manually enter the printer URL in cups client for android with 
> "https:" it does not print and sometimes crashes android client.

I suspect the Android CUPS client you are referring to is the following :
https://github.com/BenoitDuffez/AndroidCupsPrint
https://play.google.com/store/apps/details?id=io.github.benoitduffez.cupsprint

That Android CUPS client has nothing to do with the OpenPrinting CUPS and uses cups4j which is written in Java. I suspect the TLS/SSL certificate issues you are having are because of that client.




Cheers,
Doug


_______________________________________________
cups mailing list
cups at cups.org
https://lists.cups.org/mailman/listinfo/cups

More information about the cups mailing list