Control: tags -1 +confirmed +upstream
Control: forcemerge 865649 -1

Hi Heinrich, and thank you for your bug report,

On Wednesday, 24 May 2017, 18.26:11 h CEST, Heinrich Schuchardt wrote:
> the cups webserver on port 631 supports the https protocol.
>
> When browsing cups using the https protocol a certificate/key pair is
> created in /etc/cups/ssl.
>
> $ openssl x509 -in /etc/cups/ssl/hostname.crt -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 1495639838 (0x5925a71E)
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C = US, CN = hostname, O = hostname, OU = Unknown, ST =
> (…)
>
> Using SHA-1 as signature algorithm is unsafe.
> This algorithm will not be accepted in future browser versions.

That's very much a problem, yes, but upstream is aware of the problem. See
https://github.com/apple/cups/issues/4876 for a somewhat recent discussion
about this.

> I have no clue why the country is set to US. That is not where my system is.
> Please, remove this bogus when fixing the SHA-1 issue.

http://sources.debian.net/src/cups/2.2.4-3/cups/tls-gnutls.c/#L151 is where
this happens; the country code is guessed from the end of your locale setting.

But all that is in vain; we're talking about a self-signed certificate, which is
not trusted (nor trustable nowadays) in modern browsers.

Finally, from a Debian maintenance point of view, I'm not going to diverge from
upstream code on crypto.

Cheers,
OdyX