
Bug#865649: cups HTTPS issues -- Lack of SHA-2 certificate, weak TLSv1.0 crypto
Package: cups
Version: 2.2.1-8

* SHA-1 is officially deprecated for HTTPS certificates, but is still used for cups certificate generation.
* TLSv1.0 is enabled for cups, but TLSv1.0 with CBC / SHA-1 is potentially vulnerable to BEAST attacks.

I suggest two resolutions to correct this, even though it is understood that default certificates are self-signed anyway.

* Generate SHA-2 signed certificates by default. This will lessen the additional browser warnings.
* Enable only TLSv1.2 for the cups HTTPS interface and disable CBC and SHA-1 crypto. TLSv1.0 has numerous known, potential security issues with CBC / SHA-1 suites. All current web clients support TLSv1.2 and so disabling TLSv1.0 should have no negative effect for local Debian users and is likely to also have virtually no impact for remote users accessing the cups interface remotely.
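As an added illustration (not part of the bug report, and not a patch proposed by the reporter or by Debian), this is the cupsd.conf fragment a local administrator can use on CUPS 2.2 to act on the second suggestion with the SSLOptions directive that cupsd.conf(5) documents. The hostname and port values are assumptions for the example; DenyTLS1.0 and DenyCBC are the documented keywords, and the commented-out AllowRC4 / AllowSSL3 lines show the weakening options that must stay absent:

```conf
# /etc/cups/cupsd.conf excerpt (example, not from the bug report)

# Only accept encrypted connections on the web interface.
# "localhost" and 631 are the CUPS defaults; adjust for a remote-facing host.
Listen localhost:631
DefaultEncryption Required

# DenyTLS1.0 refuses TLS 1.0 handshakes, removing the BEAST-prone
# TLS 1.0 + CBC combination the report describes.
# DenyCBC drops every CBC cipher suite, leaving only AEAD suites,
# which also removes the SHA-1 HMAC-based suites.
SSLOptions DenyTLS1.0 DenyCBC

# Do NOT add these; each re-enables a broken protocol or cipher:
# SSLOptions AllowRC4
# SSLOptions AllowSSL3
```

Two caveats worth checking after a restart of cups: in 2.2 the documented keywords disable only TLS 1.0, so TLS 1.1 remains negotiable (a minimum-version keyword is not available in this release's man page), and SSLOptions only affects the TLS handshake, not the signature algorithm of the server certificate. For the first suggestion, the certificate can be replaced independently: a self-signed certificate generated with openssl req -x509 -sha256 and installed under the ServerKeychain directory (/etc/cups/ssl by default) as <hostname>.crt and <hostname>.key is picked up in place of the auto-generated SHA-1 one; the file naming here is how cupsd is documented to look up server credentials, and the exact openssl invocation is left to the administrator.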

Verified on Debian GNU/Linux 9
