From: jpastuszek <jpastuszek@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
Date: Tue, 18 Apr 2023 22:54:26 +0200
Message-ID: <20230418205426.mUkbFkkTkXVyj3XBtpbHqdM0rf2WSX_dz8BwBNSY4tk@z>
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-41193@inbox.vuxu.org>
New comment by jpastuszek on void-packages repository
https://github.com/void-linux/void-packages/pull/41193#issuecomment-1513782714
Comment:
After the update I could not get the certificate from CUPS:
```
$ curl https://localhost:631/ -v
* Trying 127.0.0.1:631...
* Connected to localhost (127.0.0.1) port 631 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* Recv failure: Connection reset by peer
* OpenSSL SSL_connect: Connection reset by peer in connection to localhost:631
* Closing connection 0
curl: (35) Recv failure: Connection reset by peer
```
```
$ openssl s_client localhost:631
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```
With the change to GnuTLS it works fine:
```
$ curl https://localhost:631/ -v
* Trying 127.0.0.1:631...
* Connected to localhost (127.0.0.1) port 631 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Certificate (11):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
```
```
$ openssl s_client localhost:631
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
verify return:1
---
Certificate chain
0 s:C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
i:C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
---
Server certificate
subject=C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
issuer=C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1536 bytes and written 373 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
```
I have rebased the PR.
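
Added example, not part of the original comment: in the failing transcript above, `openssl s_client` still prints `Verify return code: 0 (ok)` although no handshake took place, so a health check keyed on that line alone would pass the broken server. The sketch below classifies s_client output instead; the function names and result labels are hypothetical, and the sample inputs are excerpts of the two transcripts in the message.

```shell
# Classify `openssl s_client` output read from stdin (added example).
classify_s_client() {
    out=$(cat)
    # No certificate, or zero bytes read: the server never answered the ClientHello.
    if printf '%s\n' "$out" | grep -q -e '^no peer certificate available' \
            -e '^SSL handshake has read 0 bytes'; then
        echo "handshake-failed"; return 0
    fi
    # "New, TLSv1.3, Cipher is ..." shows a protocol was actually negotiated.
    if ! printf '%s\n' "$out" | grep -q '^New, TLSv'; then
        echo "unknown"; return 0
    fi
    code=$(printf '%s\n' "$out" |
        sed -n 's/^Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1)
    case "$code" in
        0)  echo "handshake-ok-verified" ;;
        18) echo "handshake-ok-self-signed" ;;
        "") echo "unknown" ;;
        *)  echo "handshake-ok-verify-error-$code" ;;
    esac
}

# Naive check for contrast: it accepts the broken server's transcript too.
naive_verified() { grep -q '^Verify return code: 0 (ok)'; }

# Excerpt of the failing (OpenSSL backend) transcript from the message.
FAILING_SAMPLE='CONNECTED(00000003)
write:errno=104
no peer certificate available
SSL handshake has read 0 bytes and written 293 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)'

# Excerpt of the working (GnuTLS backend) transcript from the message.
WORKING_SAMPLE='CONNECTED(00000003)
verify error:num=18:self signed certificate
SSL handshake has read 1536 bytes and written 373 bytes
Verification error: self signed certificate
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 18 (self signed certificate)'

classify_sample() { printf '%s\n' "$1" | classify_s_client; }
```

Against a live service, pipe the real output in, for example `openssl s_client -connect localhost:631 </dev/null 2>&1 | classify_s_client`.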