[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#865649: cups HTTPS issues -- Lack of SHA-2 certificate, weak TLSv1.0 crypto

Control: tags -1 +upstream
Control: forwarded -1 https://github.com/apple/cups/issues/5037
Control: tags -1 +wontfix # Not going to be a Debian-specific patch

Le vendredi, 23 juin 2017, 09.42:33 h CEST of.the@protonmail.com a écrit :
> * SHA-1 is officially deprecated for HTTPS certificates, but is still used
> for cups certificate generation.
> * TLSv1.0 is enabled for cups, but TLSv1.0 with CBC / SHA-1 is potentially
> vulnerable to BEAST attacks.

Right. Please see the above link for upstream's discussion. TLSv1.0 is still 
used by plenty of printers apparently, and I don't really fancy diverging from 
upstream on crypto code.

> I suggest two resolutions to correct this, even though it is understood that
> default certificates are self-signed anyway.
> * Generate SHA-2 signed certificates by default. This will lessenthe
> additional browser warnings.

The CUPS server certificates are setup to be ssl-cert's (see symlinking code in 
cups-daemon.postinst, so that's a good suggestion for that to be fixed 
centrally in ssl-cert.

> * Enable only TLSv1.2 for the cups HTTPS interface and disable CBC and SHA-1
> crypto. TLSv1.0 has numerous known, potential security issues with CBC /
> SHA-1 suites. All current web clients support TLSv1.2 and so disabling
> TSLv1.0 should have no negative effect for local Debian users and is likely
> to also have virtually no impact for remote cups users as well accessing the
> cups interface remotely.

That's definitely not a change I'm going to carry alone. Please convince 
upstream and I'll make the Debian CUPS follow that!


Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: