ENCRYPTION - CUPS v1.1.7 - 02/21/2001
-------------------------------------

This file describes the encryption support provided by CUPS.

WARNING: CLIENTS CURRENTLY TRUST ALL CERTIFICATES FROM SERVERS.
This makes the CUPS client applications vulnerable to "man in
the middle" attacks, so we don't recommend using this to do
remote administration over WANs at this time.

Future versions of CUPS will keep track of server certificates
and provide a callback/confirmation interface for accepting new
certificates and warning when a certificate has changed.

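The certificate tracking that the paragraph above describes as future work (remember the server's certificate, accept new ones explicitly, warn when one changes) can be approximated on the client side with a trust-on-first-use store. The script below is an added example written for these notes, not CUPS code. It assumes the store is a plain-text file of "host fingerprint" lines and that the caller already has the server's fingerprint (for instance from "openssl x509 -fingerprint -noout -in server.crt"); the hostnames and fingerprints in the demo are constructed.

```shell
#!/bin/sh
# Added example (not CUPS code): a trust-on-first-use store of server
# certificate fingerprints, the kind of tracking the ENCRYPTION notes
# describe as future work.
# Assumptions: STORE is a plain-text file of "host fingerprint" lines,
# and the fingerprint is obtained by the caller (for example from
# "openssl x509 -fingerprint -noout -in server.crt"). The hostnames
# and fingerprints used in the demo at the bottom are constructed.

# check_server_cert STORE HOST FINGERPRINT
# Prints "new" (first contact, fingerprint recorded), "match" (same as
# last time) or "CHANGED" (mismatch, i.e. a possible man in the middle).
# Exit status is 0 for new/match and 1 for CHANGED so a wrapper around
# lp/lpr can refuse to continue until someone confirms the new cert.
check_server_cert() {
    store=$1
    host=$2
    fp=$3
    [ -f "$store" ] || : > "$store"
    known=$(awk -v h="$host" '$1 == h { print $2; exit }' "$store")
    if [ -z "$known" ]; then
        printf '%s %s\n' "$host" "$fp" >> "$store"
        echo new
        return 0
    fi
    if [ "$known" = "$fp" ]; then
        echo match
        return 0
    fi
    echo CHANGED
    return 1
}

# accept_server_cert STORE HOST FINGERPRINT
# The "confirmation" half: replace the stored fingerprint for HOST after
# an administrator has verified the new one out of band.
accept_server_cert() {
    store=$1
    host=$2
    fp=$3
    [ -f "$store" ] || : > "$store"
    tmp="$store.tmp"
    awk -v h="$host" '$1 != h' "$store" > "$tmp" && mv "$tmp" "$store"
    printf '%s %s\n' "$host" "$fp" >> "$store"
}

# Demo with constructed values, in a temporary store.
demo_store=$(mktemp)
check_server_cert "$demo_store" cups.example.test SHA1:AA:BB:CC   # new
check_server_cert "$demo_store" cups.example.test SHA1:AA:BB:CC   # match
check_server_cert "$demo_store" cups.example.test SHA1:DD:EE:FF \
    || echo "fingerprint changed: would refuse to print"          # CHANGED
accept_server_cert "$demo_store" cups.example.test SHA1:DD:EE:FF
check_server_cert "$demo_store" cups.example.test SHA1:DD:EE:FF   # match
rm -f "$demo_store"
```

The CHANGED result is the condition the notes warn about: a certificate that differs from the one seen before is exactly what a man-in-the-middle presents, so a client wrapper should stop at that point and only continue after accept_server_cert has been run deliberately.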

LEGAL STUFF

BEFORE USING THE ENCRYPTION SUPPORT, PLEASE VERIFY THAT IT IS
LEGAL TO DO SO IN YOUR COUNTRY. CUPS by itself doesn't include
any encryption code, but it can link against the OpenSSL library
which does.


OVERVIEW OF ENCRYPTION SUPPORT IN CUPS

CUPS supports SSL/2.0, SSL/3.0, and TLS/1.0 encryption using
keys as large as 128 bits. Encryption support is provided via
the OpenSSL library and some new hooks in the CUPS code.

CUPS provides support for dedicated (https) and "upgrade" (TLS)
encryption of sessions. The "HTTP Upgrade" method is described
in RFC 2817; basically, the client can be secure or insecure,
and the client or server initiates an upgrade to a secure
connection via some new HTTP fields and status codes. The HTTP
Upgrade method is new and no browsers we know of support it yet.
Stick with "https" for web browsers.

The current implementation is very basic. The CUPS client
software (lp, lpr, etc.) uses encryption as requested by the
user or server.

The user can specify the "-E" option with the printing commands
to force encryption of the connection. Encryption can also be
specified using the Encryption directive in the client.conf file
or in the CUPS_ENCRYPTION environment variable:

    Never

        Never do encryption.

    Always

        Always do SSL/TLS encryption using the https scheme.

    IfRequested

        Upgrade to TLS encryption if the server asks for it.
        This is the default setting.

    Required

        Always upgrade to TLS encryption as soon as the
        connection is made. This is different from the "Always"
        mode above since the connection is initially insecure
        and the client initiates the upgrade to TLS encryption.
        (same as using the "-E" option)

These keywords are also used in the cupsd.conf file to secure
particular locations. To secure all traffic on the server, listen
on port 443 (https port) instead of port 631 and change the "ipp"
service listing (or add it if you don't have one) in /etc/services
to 443. To provide both secure and normal methods, add a line
reading:

    SSLPort 443

to /etc/cups/cupsd.conf.


BEFORE YOU BEGIN

You'll need the OpenSSL library from:

    http://www.openssl.org


CONFIGURING WITH ENCRYPTION SUPPORT

Once you have the OpenSSL library installed, you'll need to
configure CUPS to use it with the "--enable-ssl" option:

    ./configure --enable-ssl

If the OpenSSL headers and libraries are not in a standard
location, make sure to define the CFLAGS, CXXFLAGS, and LDFLAGS
environment variables with the appropriate compiler and linker
options first.


GENERATING A SERVER CERTIFICATE AND KEY

The following OpenSSL command will generate a server certificate
and key that you can play with. Since the certificate is
self-signed rather than signed by a certificate authority, it
will generate all kinds of warnings in Netscape and MSIE:

    openssl req -new -x509 -keyout /etc/cups/ssl/server.key \
        -out /etc/cups/ssl/server.crt -days 365 -nodes

    chmod 600 /etc/cups/ssl/server.*

The "-nodes" option prevents the certificate and key from being
encrypted. The cupsd process runs in the background, detached
from any input source; if you encrypt these files then cupsd
will not be able to load them!

Send all rants about non-encrypted certificate and key files to
/dev/null. It makes sense to encrypt user files, but not for
files used by system processes/daemons...
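The procedure above, as an added example that is not part of the CUPS sources: it generates the throwaway self-signed key and certificate into a directory of the caller's choosing (the notes use /etc/cups/ssl) and then checks the two properties cupsd depends on before the files are put in place: that the key really is unencrypted, since a daemon detached from any terminal cannot type a passphrase, and that both files are mode 600. It assumes the openssl command line tool is on PATH; the CN cups.example.test is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the CUPS sources): generate the throwaway
# self-signed certificate and key described above into a directory of
# the caller's choosing (the notes use /etc/cups/ssl), then verify the
# two properties cupsd depends on: the key is not passphrase-protected
# (-nodes) and both files are readable only by their owner (chmod 600).
# Assumes the "openssl" command line tool is on PATH; the CN is a
# constructed placeholder.

# make_cups_cert DIR  -> writes DIR/server.key and DIR/server.crt
make_cups_cert() {
    dir=$1
    mkdir -p "$dir" || return 1
    # -subj makes the command non-interactive, which matters when this is
    # scripted; "-nodes" leaves the key unencrypted so cupsd can load it
    # with no one at a terminal to type a passphrase.
    openssl req -new -x509 -keyout "$dir/server.key" \
        -out "$dir/server.crt" -days 365 -nodes \
        -subj "/CN=cups.example.test" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/server.key" "$dir/server.crt"
}

# key_is_unencrypted FILE -> succeeds if the PEM key has no passphrase.
# "Proc-Type: 4,ENCRYPTED" (traditional PEM) or "ENCRYPTED PRIVATE KEY"
# (PKCS#8) mark the encrypted forms a detached daemon cannot open.
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# mode_is_owner_only FILE -> succeeds if permissions are exactly rw-------
# (ls output is parsed because stat's flags differ between GNU and BSD).
mode_is_owner_only() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# cert_not_after FILE -> prints the certificate's notAfter date so an
# operator can see when the 365 day throwaway certificate expires.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Demo in a temporary directory instead of /etc/cups/ssl.
demo_dir=$(mktemp -d)
if make_cups_cert "$demo_dir" \
   && key_is_unencrypted "$demo_dir/server.key" \
   && mode_is_owner_only "$demo_dir/server.key" \
   && mode_is_owner_only "$demo_dir/server.crt"; then
    echo "server.key/server.crt ready; expires $(cert_not_after "$demo_dir/server.crt")"
else
    echo "certificate setup failed or the files are not loadable by cupsd" >&2
fi
rm -rf "$demo_dir"
```

key_is_unencrypted is the check worth keeping around: a key generated without "-nodes" passes every other step and only fails when cupsd is started with nobody present to answer the passphrase prompt.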


REPORTING PROBLEMS

If you have problems, READ THE DOCUMENTATION FIRST! If the
documentation does not solve your problems please send an email
to "cups-support@cups.org". Include your operating system and
version, compiler and version, and any errors or problems you've
run into. The "/var/log/cups/error_log" file should also be sent,
as it often helps to determine the cause of your problem.

If you are running a version of Linux, be sure to provide the
Linux distribution you have, too.

Please note that the "cups-support@cups.org" email address goes
to the CUPS developers; they are busy people, so your email may
go unanswered for days or weeks. In general, only build or
distribution problems will actually get answered; for
end-user support see the "README.txt" for a summary of the
resources available.