Github messages for voidlinux
* [PR PATCH] re-enabled gnutls for cups since openssl IPPS printer server is faili…
@ 2022-12-19 21:03 jpastuszek
  2022-12-19 21:07 ` [PR PATCH] [Updated] Using GnuTLS for CUPS as TLS backend (fix broken new CUPS OpenSSL default) jpastuszek
                   ` (16 more replies)
  0 siblings, 17 replies; 18+ messages in thread
From: jpastuszek @ 2022-12-19 21:03 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 1457 bytes --]

There is a new pull request by jpastuszek against master on the void-packages repository

https://github.com/jpastuszek/void-packages cups-guntls
https://github.com/void-linux/void-packages/pull/41193

re-enabled gnutls for cups since openssl IPPS printer server is faili…
#### Testing the changes
- I tested the changes in this PR: **YES**

#### Local build testing
- I built this PR locally for my native architecture, (x86_64-libc) (print client)
- I built this PR locally for these architectures (if supported. mark crossbuilds):
  - aarch64 (print server)

The latest version of CUPS defaults to building against OpenSSL. Before that it was defaulting to GnuTLS. The template is written with GnuTLS in mind (deps). This change brings back GnuTLS as the TLS backend.

I was having issues with IPPS (TLS over port 631) with cups as a print server and as a client (IPP Everywhere). The server compiled against OpenSSL would fail when a TLS client was connecting, with an error pointing to an issue with certificate generation. Also, when provided with a custom certificate, cupsd would crash.
After this patch for client and server it all works (also tested with MacOS as a client).

The one thing I needed to do was to remove the certificates generated before (when cups was compiled against OpenSSL) (from /etc/cups/ssl), as they were not accepted by the cups client.

A patch file from https://github.com/void-linux/void-packages/pull/41193.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-cups-guntls-41193.patch --]
[-- Type: text/x-diff, Size: 1000 bytes --]

From 90f1867e75e669f35fa807ae12130ce1488ee844 Mon Sep 17 00:00:00 2001
From: Jakub Pastuszek <jpastuszek@protonmail.com>
Date: Tue, 13 Dec 2022 20:56:13 +0000
Subject: [PATCH] re-enabled gnutls for cups since openssl IPPS printer server
 is failing to generate self-signed certificate

---
 srcpkgs/cups/template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/cups/template b/srcpkgs/cups/template
index 0776928f2609..5a4ce8d0af76 100644
--- a/srcpkgs/cups/template
+++ b/srcpkgs/cups/template
@@ -1,7 +1,7 @@
 # Template file for 'cups'
 pkgname=cups
 version=2.4.2
-revision=1
+revision=2
 build_style=gnu-configure
 make_install_args="BUILDROOT=${DESTDIR}"
 hostmakedepends="gnutls-devel pkg-config
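Review bot: the `revision=2` bump rolls the rebuilt package out to existing installs, but nothing in this patch warns them about certificates already generated under /etc/cups/ssl by the OpenSSL build, which the description says had to be removed by hand. Consider adding an INSTALL.msg beside the template that tells users to delete those files after upgrading.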
@@ -42,6 +42,7 @@ do_configure() {
 		--enable-libpaper --with-menudir=/usr/share/applications \
 		--with-xinetd=/etc/xinetd.d --with-optim="${CFLAGS}" \
 		--with-rcdir=no \
+		--with-tls=gnutls \
 		$(vopt_if avahi '--with-dnssd=avahi') $(vopt_enable gssapi)
 }
 

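Review bot: `--with-tls=gnutls` in do_configure() overrides the upstream default with nothing in the template saying why, so a later cleanup could drop the flag and bring the IPPS failure back. A short comment above the configure call naming the OpenSSL certificate-generation failure, with a link to the upstream report once there is one, would keep the reason next to the flag.
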
^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: [PR PATCH] [Updated] Using GnuTLS for CUPS as TLS backend (fix broken new CUPS OpenSSL default)
  2022-12-19 21:03 [PR PATCH] re-enabled gnutls for cups since openssl IPPS printer server is faili… jpastuszek
@ 2022-12-19 21:07 ` jpastuszek
  2022-12-19 21:09 ` jpastuszek
                   ` (15 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: jpastuszek @ 2022-12-19 21:07 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 1464 bytes --]

There is an updated pull request by jpastuszek against master on the void-packages repository

https://github.com/jpastuszek/void-packages cups-guntls
https://github.com/void-linux/void-packages/pull/41193

Using GnuTLS for CUPS as TLS backend (fix broken new CUPS OpenSSL default)

A patch file from https://github.com/void-linux/void-packages/pull/41193.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-cups-guntls-41193.patch --]
[-- Type: text/x-diff, Size: 1000 bytes --]

From 0816a6360409e45b1dc956089c343b322c8f7a6b Mon Sep 17 00:00:00 2001
From: Jakub Pastuszek <jpastuszek@protonmail.com>
Date: Tue, 13 Dec 2022 20:56:13 +0000
Subject: [PATCH] re-enabled gnutls for cups since openssl IPPS printer server
 is failing to generate self-signed certificate

---
 srcpkgs/cups/template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/cups/template b/srcpkgs/cups/template
index 0776928f2609..5a4ce8d0af76 100644
--- a/srcpkgs/cups/template
+++ b/srcpkgs/cups/template
@@ -1,7 +1,7 @@
 # Template file for 'cups'
 pkgname=cups
 version=2.4.2
-revision=1
+revision=2
 build_style=gnu-configure
 make_install_args="BUILDROOT=${DESTDIR}"
 hostmakedepends="gnutls-devel pkg-config
@@ -42,6 +42,7 @@ do_configure() {
 		--enable-libpaper --with-menudir=/usr/share/applications \
 		--with-xinetd=/etc/xinetd.d --with-optim="${CFLAGS}" \
 		--with-rcdir=no \
+		--with-tls=gnutls \
 		$(vopt_if avahi '--with-dnssd=avahi') $(vopt_enable gssapi)
 }
 

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: [PR PATCH] [Updated] Using GnuTLS for CUPS as TLS backend (fix broken new CUPS OpenSSL default)
  2022-12-19 21:03 [PR PATCH] re-enabled gnutls for cups since openssl IPPS printer server is faili… jpastuszek
  2022-12-19 21:07 ` [PR PATCH] [Updated] Using GnuTLS for CUPS as TLS backend (fix broken new CUPS OpenSSL default) jpastuszek
@ 2022-12-19 21:09 ` jpastuszek
  2022-12-20 17:47 ` cups: reverting to GunTLS backend (fix broken new CUPS OpenSSL default IPPS issues) CameronNemo
                   ` (14 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: jpastuszek @ 2022-12-19 21:09 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 1464 bytes --]

There is an updated pull request by jpastuszek against master on the void-packages repository

https://github.com/jpastuszek/void-packages cups-guntls
https://github.com/void-linux/void-packages/pull/41193

Using GnuTLS for CUPS as TLS backend (fix broken new CUPS OpenSSL default)

A patch file from https://github.com/void-linux/void-packages/pull/41193.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-cups-guntls-41193.patch --]
[-- Type: text/x-diff, Size: 925 bytes --]

From bcd6bafc5788854803161b2399ab803c7a1ca4e5 Mon Sep 17 00:00:00 2001
From: Jakub Pastuszek <jpastuszek@protonmail.com>
Date: Tue, 13 Dec 2022 20:56:13 +0000
Subject: [PATCH] cups: reverting to GunTLS backend

---
 srcpkgs/cups/template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/cups/template b/srcpkgs/cups/template
index 0776928f2609..5a4ce8d0af76 100644
--- a/srcpkgs/cups/template
+++ b/srcpkgs/cups/template
@@ -1,7 +1,7 @@
 # Template file for 'cups'
 pkgname=cups
 version=2.4.2
-revision=1
+revision=2
 build_style=gnu-configure
 make_install_args="BUILDROOT=${DESTDIR}"
 hostmakedepends="gnutls-devel pkg-config
@@ -42,6 +42,7 @@ do_configure() {
 		--enable-libpaper --with-menudir=/usr/share/applications \
 		--with-xinetd=/etc/xinetd.d --with-optim="${CFLAGS}" \
 		--with-rcdir=no \
+		--with-tls=gnutls \
 		$(vopt_if avahi '--with-dnssd=avahi') $(vopt_enable gssapi)
 }
 

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: cups: reverting to GunTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
  2022-12-19 21:03 [PR PATCH] re-enabled gnutls for cups since openssl IPPS printer server is faili… jpastuszek
  2022-12-19 21:07 ` [PR PATCH] [Updated] Using GnuTLS for CUPS as TLS backend (fix broken new CUPS OpenSSL default) jpastuszek
  2022-12-19 21:09 ` jpastuszek
@ 2022-12-20 17:47 ` CameronNemo
  2022-12-20 22:01 ` [PR PATCH] [Updated] " jpastuszek
                   ` (13 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: CameronNemo @ 2022-12-20 17:47 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 217 bytes --]

New comment by CameronNemo on void-packages repository

https://github.com/void-linux/void-packages/pull/41193#issuecomment-1359899129

Comment:
You seem to have wrote "GunTLS" in the commit message. Should fix that.

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: [PR PATCH] [Updated] cups: reverting to GunTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
  2022-12-19 21:03 [PR PATCH] re-enabled gnutls for cups since openssl IPPS printer server is faili… jpastuszek
                   ` (2 preceding siblings ...)
  2022-12-20 17:47 ` cups: reverting to GunTLS backend (fix broken new CUPS OpenSSL default IPPS issues) CameronNemo
@ 2022-12-20 22:01 ` jpastuszek
  2022-12-20 22:07 ` cups: reverting to GnuTLS " jpastuszek
                   ` (12 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: jpastuszek @ 2022-12-20 22:01 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 1473 bytes --]

There is an updated pull request by jpastuszek against master on the void-packages repository

https://github.com/jpastuszek/void-packages cups-guntls
https://github.com/void-linux/void-packages/pull/41193

cups: reverting to GunTLS backend (fix broken new CUPS OpenSSL default IPPS issues)

A patch file from https://github.com/void-linux/void-packages/pull/41193.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-cups-guntls-41193.patch --]
[-- Type: text/x-diff, Size: 925 bytes --]

From 977fa9c92f80fbbefb4c265833751a3baef45422 Mon Sep 17 00:00:00 2001
From: Jakub Pastuszek <jpastuszek@protonmail.com>
Date: Tue, 13 Dec 2022 20:56:13 +0000
Subject: [PATCH] cups: reverting to GnuTLS backend

---
 srcpkgs/cups/template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/cups/template b/srcpkgs/cups/template
index 0776928f2609..5a4ce8d0af76 100644
--- a/srcpkgs/cups/template
+++ b/srcpkgs/cups/template
@@ -1,7 +1,7 @@
 # Template file for 'cups'
 pkgname=cups
 version=2.4.2
-revision=1
+revision=2
 build_style=gnu-configure
 make_install_args="BUILDROOT=${DESTDIR}"
 hostmakedepends="gnutls-devel pkg-config
@@ -42,6 +42,7 @@ do_configure() {
 		--enable-libpaper --with-menudir=/usr/share/applications \
 		--with-xinetd=/etc/xinetd.d --with-optim="${CFLAGS}" \
 		--with-rcdir=no \
+		--with-tls=gnutls \
 		$(vopt_if avahi '--with-dnssd=avahi') $(vopt_enable gssapi)
 }
 

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
  2022-12-19 21:03 [PR PATCH] re-enabled gnutls for cups since openssl IPPS printer server is faili… jpastuszek
                   ` (3 preceding siblings ...)
  2022-12-20 22:01 ` [PR PATCH] [Updated] " jpastuszek
@ 2022-12-20 22:07 ` jpastuszek
  2023-01-16 20:02 ` Vaelatern
                   ` (11 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: jpastuszek @ 2022-12-20 22:07 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 236 bytes --]

New comment by jpastuszek on void-packages repository

https://github.com/void-linux/void-packages/pull/41193#issuecomment-1360383509

Comment:
> You seem to have wrote "GunTLS" in the commit message. Should fix that.

Fixed, thanks!

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
  2022-12-19 21:03 [PR PATCH] re-enabled gnutls for cups since openssl IPPS printer server is faili… jpastuszek
                   ` (4 preceding siblings ...)
  2022-12-20 22:07 ` cups: reverting to GnuTLS " jpastuszek
@ 2023-01-16 20:02 ` Vaelatern
  2023-01-16 21:19 ` CameronNemo
                   ` (10 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: Vaelatern @ 2023-01-16 20:02 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 303 bytes --]

New comment by Vaelatern on void-packages repository

https://github.com/void-linux/void-packages/pull/41193#issuecomment-1384498468

Comment:
Gosh.

This breaks some users I guess? I'd like a signoff from at least one other contributor, ideally someone who uses cups themselves (I just don't print).

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
  2022-12-19 21:03 [PR PATCH] re-enabled gnutls for cups since openssl IPPS printer server is faili… jpastuszek
                   ` (5 preceding siblings ...)
  2023-01-16 20:02 ` Vaelatern
@ 2023-01-16 21:19 ` CameronNemo
  2023-01-16 21:21 ` CameronNemo
                   ` (9 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: CameronNemo @ 2023-01-16 21:19 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 362 bytes --]

New comment by CameronNemo on void-packages repository

https://github.com/void-linux/void-packages/pull/41193#issuecomment-1384562518

Comment:
GnuTLS is far from my favorite TLS implementation. Have you reported this issue upstream? Seeing as OpenSSL support was (re-)added <1 year ago (https://github.com/OpenPrinting/cups/pull/362), I assume it should work.

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
  2022-12-19 21:03 [PR PATCH] re-enabled gnutls for cups since openssl IPPS printer server is faili… jpastuszek
                   ` (6 preceding siblings ...)
  2023-01-16 21:19 ` CameronNemo
@ 2023-01-16 21:21 ` CameronNemo
  2023-01-17  0:17 ` Piraty
                   ` (8 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: CameronNemo @ 2023-01-16 21:21 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 423 bytes --]

New comment by CameronNemo on void-packages repository

https://github.com/void-linux/void-packages/pull/41193#issuecomment-1384562518

Comment:
GnuTLS is far from my favorite TLS implementation. Have you reported this issue upstream? Seeing as OpenSSL support was (re-)added <1 year ago (https://github.com/OpenPrinting/cups/pull/362), I assume it should work.

See also: https://github.com/OpenPrinting/cups/issues/529

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
  2022-12-19 21:03 [PR PATCH] re-enabled gnutls for cups since openssl IPPS printer server is faili… jpastuszek
                   ` (7 preceding siblings ...)
  2023-01-16 21:21 ` CameronNemo
@ 2023-01-17  0:17 ` Piraty
  2023-01-17  6:56 ` oynqr
                   ` (7 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: Piraty @ 2023-01-17  0:17 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 229 bytes --]

New comment by Piraty on void-packages repository

https://github.com/void-linux/void-packages/pull/41193#issuecomment-1384690593

Comment:
maybe @oynqr can chime in, due to https://github.com/void-linux/void-packages/pull/33939

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
  2022-12-19 21:03 [PR PATCH] re-enabled gnutls for cups since openssl IPPS printer server is faili… jpastuszek
                   ` (8 preceding siblings ...)
  2023-01-17  0:17 ` Piraty
@ 2023-01-17  6:56 ` oynqr
  2023-01-17  8:14 ` oynqr
                   ` (6 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: oynqr @ 2023-01-17  6:56 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 325 bytes --]

New comment by oynqr on void-packages repository

https://github.com/void-linux/void-packages/pull/41193#issuecomment-1384914605

Comment:
Building with openssl was not intended and I really should have double checked. We are probably going to need a message about the potential breakage with openssl generated certificates.

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
  2022-12-19 21:03 [PR PATCH] re-enabled gnutls for cups since openssl IPPS printer server is faili… jpastuszek
                   ` (9 preceding siblings ...)
  2023-01-17  6:56 ` oynqr
@ 2023-01-17  8:14 ` oynqr
  2023-01-17 12:04 ` oynqr
                   ` (5 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: oynqr @ 2023-01-17  8:14 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 420 bytes --]

New comment by oynqr on void-packages repository

https://github.com/void-linux/void-packages/pull/41193#issuecomment-1384998872

Comment:
Just like mentioned in [this](https://github.com/void-linux/void-packages/pull/40467) PR, it's trying to use MacOS paths for certificates. I suspect [this](https://github.com/OpenPrinting/cups/blob/9b31bae0d0d0b436f5c48b737049bb0edf5f6b78/scheduler/conf.c#L607-L615) is the cause.

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
  2022-12-19 21:03 [PR PATCH] re-enabled gnutls for cups since openssl IPPS printer server is faili… jpastuszek
                   ` (10 preceding siblings ...)
  2023-01-17  8:14 ` oynqr
@ 2023-01-17 12:04 ` oynqr
  2023-04-18  1:51 ` github-actions
                   ` (4 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: oynqr @ 2023-01-17 12:04 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 277 bytes --]

New comment by oynqr on void-packages repository

https://github.com/void-linux/void-packages/pull/41193#issuecomment-1385324089

Comment:
A fix has been merged upstream for the wrong paths, but OpenSSL-generated certs still get rejected by browsers even on git master builds.

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
  2022-12-19 21:03 [PR PATCH] re-enabled gnutls for cups since openssl IPPS printer server is faili… jpastuszek
                   ` (11 preceding siblings ...)
  2023-01-17 12:04 ` oynqr
@ 2023-04-18  1:51 ` github-actions
  2023-04-18 17:17 ` CameronNemo
                   ` (3 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: github-actions @ 2023-04-18  1:51 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 305 bytes --]

New comment by github-actions[bot] on void-packages repository

https://github.com/void-linux/void-packages/pull/41193#issuecomment-1512321671

Comment:
Pull Requests become stale 90 days after last activity and are closed 14 days after that.  If this pull request is still relevant bump it or assign it.

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
  2022-12-19 21:03 [PR PATCH] re-enabled gnutls for cups since openssl IPPS printer server is faili… jpastuszek
                   ` (12 preceding siblings ...)
  2023-04-18  1:51 ` github-actions
@ 2023-04-18 17:17 ` CameronNemo
  2023-04-18 20:50 ` [PR PATCH] [Updated] " jpastuszek
                   ` (2 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: CameronNemo @ 2023-04-18 17:17 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 270 bytes --]

New comment by CameronNemo on void-packages repository

https://github.com/void-linux/void-packages/pull/41193#issuecomment-1513534123

Comment:
If there is still the issue of the certs being rejected, then this should probably be merged (possibly after being rebased).

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: [PR PATCH] [Updated] cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
  2022-12-19 21:03 [PR PATCH] re-enabled gnutls for cups since openssl IPPS printer server is faili… jpastuszek
                   ` (13 preceding siblings ...)
  2023-04-18 17:17 ` CameronNemo
@ 2023-04-18 20:50 ` jpastuszek
  2023-04-18 20:54 ` jpastuszek
  2023-04-19 20:37 ` [PR PATCH] [Merged]: " Piraty
  16 siblings, 0 replies; 18+ messages in thread
From: jpastuszek @ 2023-04-18 20:50 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 1473 bytes --]

There is an updated pull request by jpastuszek against master on the void-packages repository

https://github.com/jpastuszek/void-packages cups-guntls
https://github.com/void-linux/void-packages/pull/41193

cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)

A patch file from https://github.com/void-linux/void-packages/pull/41193.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-cups-guntls-41193.patch --]
[-- Type: text/x-diff, Size: 925 bytes --]

From 239e7074c9e62b37fa4eef693cf9d92909d47c2d Mon Sep 17 00:00:00 2001
From: Jakub Pastuszek <jpastuszek@protonmail.com>
Date: Tue, 18 Apr 2023 21:27:33 +0100
Subject: [PATCH] cups: reverting to GnuTLS backend

---
 srcpkgs/cups/template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/cups/template b/srcpkgs/cups/template
index 0d8bc9185456..f1dc66f098d0 100644
--- a/srcpkgs/cups/template
+++ b/srcpkgs/cups/template
@@ -1,7 +1,7 @@
 # Template file for 'cups'
 pkgname=cups
 version=2.4.2
-revision=3
+revision=4
 build_style=gnu-configure
 make_install_args="BUILDROOT=${DESTDIR}"
 hostmakedepends="gnutls-devel pkg-config
@@ -42,6 +42,7 @@ do_configure() {
 		--enable-libpaper --with-menudir=/usr/share/applications \
 		--with-xinetd=/etc/xinetd.d --with-optim="${CFLAGS}" \
 		--with-rcdir=no \
+		--with-tls=gnutls \
 		$(vopt_if avahi '--with-dnssd=avahi') $(vopt_enable gssapi)
 }
 

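Review bot: the commit carrying the rebased `--with-tls=gnutls` line still has only a subject and no body, so the reason for pinning the backend lives in the PR description alone. Put the observed failure (the OpenSSL-built cupsd resetting the TLS handshake on port 631) and the upstream links from this thread into the commit body, so the pin can be revisited when upstream is fixed.
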
^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
  2022-12-19 21:03 [PR PATCH] re-enabled gnutls for cups since openssl IPPS printer server is faili… jpastuszek
                   ` (14 preceding siblings ...)
  2023-04-18 20:50 ` [PR PATCH] [Updated] " jpastuszek
@ 2023-04-18 20:54 ` jpastuszek
  2023-04-19 20:37 ` [PR PATCH] [Merged]: " Piraty
  16 siblings, 0 replies; 18+ messages in thread
From: jpastuszek @ 2023-04-18 20:54 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 4559 bytes --]

New comment by jpastuszek on void-packages repository

https://github.com/void-linux/void-packages/pull/41193#issuecomment-1513782714

Comment:
After the update I could not get the certificate from CUPS:

```
$ curl https://localhost:631/ -v
*   Trying 127.0.0.1:631...
* Connected to localhost (127.0.0.1) port 631 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* Recv failure: Connection reset by peer
* OpenSSL SSL_connect: Connection reset by peer in connection to localhost:631
* Closing connection 0
curl: (35) Recv failure: Connection reset by peer
```

```
$ openssl s_client localhost:631
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```
With the change to GnuTLS it works fine:

```
$ curl https://localhost:631/ -v
*   Trying 127.0.0.1:631...
* Connected to localhost (127.0.0.1) port 631 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Certificate (11):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
```

```
$ openssl s_client localhost:631
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
verify return:1
---
Certificate chain
 0 s:C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
   i:C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
---
Server certificate
subject=C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown

issuer=C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1536 bytes and written 373 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
```

I have rebased the PR.

^ permalink raw reply	[flat|nested] 18+ messages in thread
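
The two `openssl s_client` outputs in the comment above, turned into a check (an added example, not code from the thread or from void-packages; the function names are this example's own and the embedded samples are trimmed from the outputs quoted above). It shows why the verify return code alone is not a usable signal: the run against the failing OpenSSL-built server still ends in `Verify return code: 0 (ok)`.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output for the CUPS IPPS port.
# All function names here are hypothetical helpers, not part of CUPS or xbps-src.

# Reads s_client output on stdin and prints one verdict word.
classify_s_client() {
    out=$(cat)
    case $out in
        *"no peer certificate available"*)
            # The handshake died before a certificate arrived. s_client still
            # prints "Verify return code: 0 (ok)" in this case, so this
            # pattern has to be tested first.
            echo "no-certificate" ;;
        *"Verify return code: 18 "*)
            # Handshake completed; the server presented a self-signed cert.
            echo "self-signed" ;;
        *"Verify return code: 0 (ok)"*)
            echo "verified" ;;
        *)
            echo "unknown" ;;
    esac
}

# The shortcut that looks right but is not: trusts the return code alone.
naive_check() {
    if grep -q "Verify return code: 0 (ok)"; then
        echo "ok"
    else
        echo "fail"
    fi
}

# Sample: trimmed from the output against the OpenSSL-built cupsd above.
sample_openssl_build() {
cat <<'EOF'
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
---
EOF
}

# Sample: trimmed from the output against the GnuTLS-built cupsd above.
sample_gnutls_build() {
cat <<'EOF'
CONNECTED(00000003)
depth=0 C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
verify error:num=18:self signed certificate
---
SSL handshake has read 1536 bytes and written 373 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 18 (self signed certificate)
---
EOF
}

# Live probe; needs the openssl CLI and a reachable host:port argument.
probe() {
    openssl s_client -connect "$1" </dev/null 2>&1 | classify_s_client
}

if [ $# -gt 0 ]; then
    probe "$1"
else
    printf 'OpenSSL-built sample: %s (naive check says: %s)\n' \
        "$(sample_openssl_build | classify_s_client)" \
        "$(sample_openssl_build | naive_check)"
    printf 'GnuTLS-built sample:  %s (naive check says: %s)\n' \
        "$(sample_gnutls_build | classify_s_client)" \
        "$(sample_gnutls_build | naive_check)"
fi
```

Run with no argument it classifies the two embedded samples; with `localhost:631` as the argument it probes a live cupsd.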

* Re: [PR PATCH] [Merged]: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
  2022-12-19 21:03 [PR PATCH] re-enabled gnutls for cups since openssl IPPS printer server is faili… jpastuszek
                   ` (15 preceding siblings ...)
  2023-04-18 20:54 ` jpastuszek
@ 2023-04-19 20:37 ` Piraty
  16 siblings, 0 replies; 18+ messages in thread
From: Piraty @ 2023-04-19 20:37 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 1307 bytes --]

There's a merged pull request on the void-packages repository

cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
https://github.com/void-linux/void-packages/pull/41193


^ permalink raw reply	[flat|nested] 18+ messages in thread
