cups is intolerant to TLS 1.2

Bug #1526999 reported by Laine Gholson
Affects: cups (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

CUPS 1.7.2-0ubuntu1.7 on Ubuntu Trusty has a security problem where connections using TLS 1.2 will fail, forcing a TLS 1.1 retry.

=== How to reproduce ===
1. Connect to the cups server with HTTPS
2. Check the security info

or

1. openssl s_client -connect localhost:631
2. See the error
3. openssl s_client -tls1_1 -connect localhost:631
4. See no error

TLS 1.1 is not the newest protocol version, and therefore this can be considered a security issue.

Tags: armhf trusty
Marc Deslauriers (mdeslaur) wrote:

Curiously, I can't reproduce that. This is what I get:

$ openssl s_client -connect localhost:631
<snip>
SSL-Session:
    Protocol : TLSv1.2
    Cipher : AES256-SHA256
<snip>

Please attach the output of "apt-cache policy libssl1.0.0" and your /etc/cups/cupsd.conf.

Thanks!

information type: Private Security → Public Security
Changed in cups (Ubuntu):
status: New → Incomplete
Laine Gholson (laine-gholson-deactivatedaccount) wrote:

My cupsd.conf is:
#
#
# Sample configuration file for the CUPS scheduler. See "man cupsd.conf" for a
# complete description of this file.
#

# Log general information in error_log - change "warn" to "debug"
# for troubleshooting...
LogLevel notice

# Deactivate CUPS' internal logrotating, as we provide a better one, especially
# LogLevel debug2 gets usable now
MaxLogSize 0

# Only listen for connections from the local machine.
Listen localhost:631
Listen /var/run/cups/cups.sock

# Show shared printers on the local network.
Browsing Off
BrowseLocalProtocols dnssd

# Default authentication type, when authentication is required...
DefaultAuthType Basic

# Default encryption setting...
DefaultEncryption Required

# Web interface setting...
WebInterface Yes

# Restrict access to the server...
<Location />
# AuthType Default
# Require user @SYSTEM
  Encryption Required
  Order allow,deny
  Allow @LOCAL
</Location>

# Restrict access to the admin pages...
<Location /admin>
  AuthType Default
  Require user @SYSTEM
  Encryption Required
  Order allow,deny
  Allow @LOCAL
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  Encryption Required
  Order allow,deny
  Allow @LOCAL
</Location>

# Set the default printer/job policies...
<Policy default>
  # Job/subscription privacy...
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default

  # Job-related operations must be done by the owner or an administrator...
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    Order deny,allow
  </Limit>

  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

# Set the authenticated printer/job policies...
<Policy authenticated>
  # Job/subscription privacy...
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionP...


Laine Gholson (laine-gholson-deactivatedaccount) wrote:

It's my OpenSSL, isn't it, because I am running a custom OpenSSL 1.0.2e with ChaCha20 support:
libssl1.0.0:
  Installed: 1.0.2e-0laine1
  Candidate: 1.0.2e-0laine1
  Version table:
 *** 1.0.2e-0laine1 0
        100 /var/lib/dpkg/status
     1.0.1f-1ubuntu2.16 0
        500 http://ports.ubuntu.com/ubuntu-ports/ trusty-security/main armhf Packages
        500 http://ports.ubuntu.com/ubuntu-ports/ trusty-updates/main armhf Packages
     1.0.1f-1ubuntu2 0
        500 http://ports.ubuntu.com/ubuntu-ports/ trusty/main armhf Packages

Changed in cups (Ubuntu):
status: Incomplete → Invalid
Changed in cups (Ubuntu):
status: Invalid → New
Laine Gholson (laine-gholson-deactivatedaccount) wrote:

Aha! I think that, for some weird reason, a SHA-384 certificate may be the cause of this problem. I changed my server certificate to SHA-1 and TLS 1.2 works again. (And CUPS uses GnuTLS, so my OpenSSL cannot be the problem.)
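
The reporter's reproduction steps (forcing each TLS version with openssl s_client) and the later finding about the certificate's signature algorithm can be combined into one check. The script below is an added example, not part of the bug report or of CUPS: it assumes a local cupsd on port 631 unless told otherwise, uses the -tls1/-tls1_1/-tls1_2 flags of openssl s_client, and decides success from the "New, <protocol>, Cipher is <cipher>" line rather than from "Protocol :", which s_client prints even for a failed session.

```shell
#!/bin/sh
# Added example (not from the bug report): force each TLS version against a
# CUPS endpoint, report what was negotiated, and show the signature algorithm
# of the server certificate (the reporter found a SHA-384-signed certificate
# broke TLS 1.2 negotiation while TLS 1.1 still worked).
# Usage: ./tls-probe.sh [host] [port]   (defaults assume a local cupsd on 631)

# Parse `openssl s_client` output on stdin. s_client prints
# "New, TLSv1.2, Cipher is AES256-SHA256" on success and
# "New, (NONE), Cipher is (NONE)" when the handshake failed.
negotiated_session() {
    line=$(sed -n 's/^New, \([^,]*\), Cipher is \(.*\)$/\1 \2/p' | head -n 1)
    case "$line" in
        "")          echo "no session info (connection or option error)" ;;
        *"(NONE)"*)  echo "handshake failed" ;;
        *)           echo "$line" ;;
    esac
}

# Print the signature algorithm of the first PEM certificate found on stdin
# (s_client echoes the server certificate when the handshake succeeds).
cert_sig_alg() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | openssl x509 -noout -text 2>/dev/null \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

main() {
    host="${1:-localhost}"; port="${2:-631}"   # assumed defaults
    sig=""
    for flag in -tls1 -tls1_1 -tls1_2; do
        # 'Q' tells s_client to close the connection once it is established.
        out=$(printf 'Q\n' | openssl s_client "$flag" -connect "$host:$port" 2>/dev/null)
        printf '%-8s %s\n' "$flag" "$(printf '%s\n' "$out" | negotiated_session)"
        if [ -z "$sig" ]; then
            sig=$(printf '%s\n' "$out" | cert_sig_alg)
        fi
    done
    echo "certificate signature algorithm: ${sig:-unavailable}"
}

if [ $# -ge 1 ]; then main "$@"; fi
```

A server that answers with a session for -tls1_1 but "handshake failed" for -tls1_2 shows the behaviour in this report; the signature algorithm line tells you whether the certificate is the SHA-384-signed kind the reporter replaced.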

Marc Deslauriers (mdeslaur) wrote:

Since you managed to get this to work, I am closing this bug. Thanks!

Changed in cups (Ubuntu):
status: New → Invalid