Github messages for voidlinux
From: jpastuszek <jpastuszek@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
Date: Tue, 18 Apr 2023 22:54:26 +0200
Message-ID: <20230418205426.mUkbFkkTkXVyj3XBtpbHqdM0rf2WSX_dz8BwBNSY4tk@z>
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-41193@inbox.vuxu.org>

New comment by jpastuszek on void-packages repository

https://github.com/void-linux/void-packages/pull/41193#issuecomment-1513782714

Comment:
After the update I could not get the certificate from CUPS:

```
$ curl https://localhost:631/ -v
*   Trying 127.0.0.1:631...
* Connected to localhost (127.0.0.1) port 631 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* Recv failure: Connection reset by peer
* OpenSSL SSL_connect: Connection reset by peer in connection to localhost:631
* Closing connection 0
curl: (35) Recv failure: Connection reset by peer
```

```
$ openssl s_client localhost:631
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```

With the change to GnuTLS it works fine:

```
$ curl https://localhost:631/ -v
*   Trying 127.0.0.1:631...
* Connected to localhost (127.0.0.1) port 631 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Certificate (11):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
```

```
$ openssl s_client localhost:631
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
verify return:1
---
Certificate chain
 0 s:C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
   i:C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID0DCCArigAwIBAgIEZD8CNDANBgkqhkiG9w0BAQsFADBnMQswCQYDVQQGEwJV
UzEQMA4GA1UEAxMHbW9yZ2FuYTEQMA4GA1UEChMHbW9yZ2FuYTEQMA4GA1UECxMH
VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjAeFw0y
MzA0MTgyMDQ4NTJaFw0zMzA0MTUyMDQ4NTJaMGcxCzAJBgNVBAYTAlVTMRAwDgYD
VQQDEwdtb3JnYW5hMRAwDgYDVQQKEwdtb3JnYW5hMRAwDgYDVQQLEwdVbmtub3du
MRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAytEwwoYJIM/5Y4DjaxNepiMoZJ3uVpZeD9ie
7TtxXf4MS0HWhwpuUGXuJQgJkCnKmprMzPZUPwQAgNs43+ukD+cFxZIuiJlEBcJy
RhSS9Kcwut9SdyjKK8TI6ts/T1FBQg6gE8fpeGPpUnwZdBey0llUTnpXTkwQoYFG
hYQxCfnSy6iOT5gUTkxji1Rm6rSINJub8bIRLEEXZNmCh2dytMDu4XHLdvOgPsP6
iVNeTlPr7RV2cpMTJnmiHHh8aq8a7stfrGEi1S9Ai79+AASEIH3AzEIaP/G/X5g0
rp3rzjTCXMzAM+z0wL5Y5qLEYHV0WUihsMWGhRajhDek/MiumwIDAQABo4GDMIGA
MAwGA1UdEwEB/wQCMAAwLAYDVR0RBCUwI4IHbW9yZ2FuYYINbW9yZ2FuYS5sb2Nh
bIIJbG9jYWxob3N0MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIF
oDAdBgNVHQ4EFgQUU/C9Euz/SwbOkW/EMVHvvT5MCzswDQYJKoZIhvcNAQELBQAD
ggEBAIvEh2AmgKGEvAusVWy7D3OOqCGCiXiXGLkXY0QBg/fM0EefMrZ4IDAlB1kL
+gpD3j0o8NUjjUQrwMALLjQ9zdfrfoSjCpkxdaIWY+1LL/unInyRjqmX6Oxbq8H9
zH3KDZTpSgLbchKdzOB+KayYcOvnkSYl2hU7nHP82qdTOLMsiALNASWV2VbwPEhq
u9fJ62cCKZYT3gFYFkmlG13NOeHc0BURxkf4CMdA2XYNBUN+axa9StOnJW+MtCab
9W0yjytEVNTFzaNMn7oQZn0hLnaH9RQSLM+r5wcbwSnYjbjIyEXMtYwnQTqo8QYp
9mSQFOKVRC3nx0829FpIfPJyP5o=
-----END CERTIFICATE-----
subject=C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown

issuer=C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1536 bytes and written 373 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
```

I have rebased the PR.
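
The two outcomes shown in this comment (a reset right after the ClientHello, versus a completed handshake that fails only on certificate trust) can be told apart from a script. The Python probe below is an added example, not part of the original comment, CUPS or void-packages; `probe_tls` and its outcome labels are hypothetical names.

```python
import hashlib
import socket
import ssl


def probe_tls(host, port, timeout=5.0):
    """Classify how a TLS listener answers a ClientHello.

    Hypothetical helper (not from CUPS or the PR). Returns (outcome, detail):
      "trusted"        handshake and certificate verification succeeded
      "untrusted-cert" handshake completes, certificate fails verification
      "reset"          peer reset or closed the socket during the handshake
      "tls-error"      any other TLS failure (alert, version mismatch, ...)
    Connection refused and timeouts propagate as ordinary OSError.
    """
    verified = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with verified.wrap_socket(raw, server_hostname=host) as tls:
                return "trusted", tls.version()
    except ssl.SSLCertVerificationError as exc:
        # Same class of result as curl's exit 60 / s_client's verify code 18.
        reason = exc.verify_message
    except (ConnectionResetError, BrokenPipeError, ssl.SSLEOFError) as exc:
        # Same class of result as curl's exit 35 / s_client's errno=104:
        # the server never sent a ServerHello.
        return "reset", str(exc)
    except ssl.SSLError as exc:
        return "tls-error", str(exc)

    # Second pass with verification off, used only to read the certificate
    # so its fingerprint can be compared with the one the server should have.
    unverified = ssl.create_default_context()
    unverified.check_hostname = False
    unverified.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with unverified.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return "untrusted-cert", f"{reason}; sha256={hashlib.sha256(der).hexdigest()}"


if __name__ == "__main__":
    # localhost:631 is the CUPS endpoint probed in the comment above.
    print(probe_tls("localhost", 631))
```

A "reset" result points at the server's TLS backend failing before any certificate is sent, while "untrusted-cert" means the backend works and only trust in the self-signed certificate is missing.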

Thread overview: 18+ messages
2022-12-19 21:03 [PR PATCH] re-enabled gnutls for cups since openssl IPPS printer server is faili… jpastuszek
2022-12-19 21:07 ` [PR PATCH] [Updated] Using GnuTLS for CUPS as TLS backend (fix broken new CUPS OpenSSL default) jpastuszek
2022-12-19 21:09 ` jpastuszek
2022-12-20 17:47 ` cups: reverting to GunTLS backend (fix broken new CUPS OpenSSL default IPPS issues) CameronNemo
2022-12-20 22:01 ` [PR PATCH] [Updated] " jpastuszek
2022-12-20 22:07 ` cups: reverting to GnuTLS " jpastuszek
2023-01-16 20:02 ` Vaelatern
2023-01-16 21:19 ` CameronNemo
2023-01-16 21:21 ` CameronNemo
2023-01-17  0:17 ` Piraty
2023-01-17  6:56 ` oynqr
2023-01-17  8:14 ` oynqr
2023-01-17 12:04 ` oynqr
2023-04-18  1:51 ` github-actions
2023-04-18 17:17 ` CameronNemo
2023-04-18 20:50 ` [PR PATCH] [Updated] " jpastuszek
2023-04-18 20:54 ` jpastuszek [this message]
2023-04-19 20:37 ` [PR PATCH] [Merged]: " Piraty