fingerprint SSL check does not work behind a proxy
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
jockey (Ubuntu) | Fix Released | High | Martin Pitt |
Bug Description
If you have a printer for which a signed binary driver is available via OpenPrinting (newer Epson inkjets) then the download of the signature key file does not work and so the driver installation does not complete.
See this mail from Olaf Meeuwissen from Avasys (they make drivers for Epson):
----------
Hi Till,
Saito-san and I have been looking at how well the automatic download
works when behind a proxy. Short story: it doesn't. The long story
follows below.
Till Kamppeter <email address hidden> writes:
> > for testing the automatic driver download on current Natty [...]
> > apply the patch attached to my previous mail [...]
> > 0001-Activated-
We upgraded Natty on 2011-03-03 and applied your patch to
system-
> > cupsctl FileDevice=yes
> > cd /usr/share/
> > python newprinter.py --setup-
> > --devid=
That's what we did. We've been looking at jockey debug logs, wireshark
network traffic captures and the jockey code trying to figure out where
things went wrong. According to the logs, the query of the OpenPrinting
DB went just fine. It's getting the fingerprint that bombs. Using wget
to fetch the fingerprint in the same environment works fine.
From the jockey debug logs:
2011-03-03 13:04:49,904 DEBUG: Querying openprinting.org database...
2011-03-03 13:04:49,904 DEBUG: ... querying for MFG:Epson;
2011-03-03 13:04:56,203 DEBUG: OpenPrintingDri
2011-03-03 13:04:56,252 WARNING: https:/
2011-03-03 13:04:56,252 DEBUG: Ignoring driver as it does not have a valid GPG fingerprint
2011-03-03 13:04:56,253 DEBUG: openprinting.org database query finished
We've chased the WARNING statement down to the connect method of
_CertValidating
def connect(self):
sock = socket.
self.sock = ssl.wrap_
cert = self.sock.
hostname = self.host.
if not self._validate_
raise InvalidCertific
The ssl.wrap_socket raises an ssl.SSLError. What puzzles us is that
this method creates a connection to the _proxy_ rather than to the host
where the fingerprint resides. The wireshark capture for a wget went
straight to the latter host and negotiated TLSv1 with the proxy on the
fly.
We've also played with passing different ssl_version parameters to
ssl.wrap_socket but that didn't help. We're not sure whether this
method negotiates a usable version but if it doesn't that's something that
probably needs fixing as well.
Hope this helps,
----------
Can this get fixed in Natty? Thanks.
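The ordering problem the mail describes (TLS handshake attempted against the proxy itself), shown as an added Python 3 example that is not jockey's code: the client first asks the proxy for a `CONNECT` tunnel in plain HTTP, and only then starts TLS, verifying the certificate against the origin host name. The function names and `ProxyTunnelError` are hypothetical.

```python
import socket
import ssl


class ProxyTunnelError(Exception):
    """The proxy refused or mangled the CONNECT request."""


def open_tunnel(sock, host, port=443):
    """Ask the proxy on `sock` for a raw TCP tunnel to host:port.

    Must run BEFORE any TLS handshake: until the proxy answers 200,
    the peer on this socket is the proxy, which speaks plain HTTP.
    """
    request = "CONNECT {0}:{1} HTTP/1.1\r\nHost: {0}:{1}\r\n\r\n".format(host, port)
    sock.sendall(request.encode("ascii"))
    # Read the proxy's reply up to the blank line that ends its headers.
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            raise ProxyTunnelError("proxy closed connection during CONNECT")
        reply += chunk
        if len(reply) > 65536:
            raise ProxyTunnelError("oversized CONNECT reply")
    status_line = reply.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or parts[1] != "200":
        raise ProxyTunnelError("CONNECT rejected: " + status_line)
    return sock


def tls_socket_via_proxy(proxy_host, proxy_port, host, port=443):
    """Return a TLS socket whose certificate was verified for `host`."""
    raw = socket.create_connection((proxy_host, proxy_port), timeout=30)
    try:
        open_tunnel(raw, host, port)
        # Default context: CERT_REQUIRED plus hostname checking. The name
        # checked is the origin host, never the proxy's.
        context = ssl.create_default_context()
        return context.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
```

The standard library performs the same tunnel setup through `http.client.HTTPSConnection(proxy_host, proxy_port).set_tunnel(host, port)`.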
Changed in jockey (Ubuntu):
assignee: nobody → Martin Pitt (pitti)
importance: Undecided → High
milestone: none → ubuntu-11.04-beta-1
I reproduced this with squid.