Bug#865598: cups: CUPS server ignores SSL key and certificate setting

To: Drexl Johannes <johannes.drexl@ffgr.de>, 865598@bugs.debian.org
Subject: Bug#865598: cups: CUPS server ignores SSL key and certificate setting
From: Didier 'OdyX' Raboud <odyx@debian.org>
Date: Sat, 26 Aug 2017 16:10:48 +0200
Message-id: <[🔎] 8219938.4FlKxOevIm@odyx.org>
Reply-to: Didier 'OdyX' Raboud <odyx@debian.org>, 865598@bugs.debian.org
In-reply-to: <149818759981.22426.11009502994114173312.reportbug@srv.ffgr.de>
References: <149818759981.22426.11009502994114173312.reportbug@srv.ffgr.de> <149818759981.22426.11009502994114173312.reportbug@srv.ffgr.de>

Control: tags -1 +upstream
Control: tags -1 +wontfix

Le vendredi, 23 juin 2017, 05.13:19 h CEST Drexl Johannes a écrit :
> I've just upgraded to Stretch and noticed CUPS won't use my certificate/key
> files any longer. It seems the options ServerCertificate and ServerKey have
> moved somewhere else (or dropped without upgrade notice), and this isn't
> really documented. CUPS now refuses to use those options alltogether,
> insisting on FQDN.key and FQDN.crt for no apparent reason whatsoever,
> generating the files as soon as one visits the web interface. The possible
> solution to this was to manually symlink the intended certificate/key to
> the hardcoded file names. While this works without (apparent) problems, I
> don't think this should be necessary nor forced upon the user.

ServerCertificate & ServerKey configuration directives' support has been dropped 
in CUPS 2.2~b1, so is replaced by ServerKeyChain (in /etc/cups/cups-files.conf) 
which indicates a keychain path (`ssl`, so `/etc/cups/ssl/` by default). The 
auto-generation is controlled by the option CreateSelfSignedCerts, that 
defaults to 'yes'.

Actually, looking at the code, it seems that : cupsSetServerCredentials(…)
is called with ServerName as second argument, without a possibility of that 
getting changed. ServerName is set as the result of gethostname().

All-in-all: 
* the cups.postinst certificate symlinking is not achieving what it wants: the 
symlinks are not used, and CUPS will generate new self-signed certificates on-
demand anyway. We should either stop the symlinking (and defer to CUPS' code) 
or fix it (put ssl-cert's back).
* I certainly agree that this migration away from ServerCertificate and 
ServerKey was suboptimally documented by upstream (and hence by Debian), but 
that's too late. :-/
* The forced certificate name is unfortunate, but of upstream' realm, and I 
don't really fancy forcefully changing that back to 'server.crt', as using the 
hostname is somewhat better, isn't it?

Looking forward to your feedback!

Cheers,
    OdyX

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to:

Prev by Date: Processed: Re: Bug#865598: cups: CUPS server ignores SSL key and certificate setting
Next by Date: Bug#865649: cups HTTPS issues -- Lack of SHA-2 certificate, weak TLSv1.0 crypto
Previous by thread: Bug#865649: cups HTTPS issues -- Lack of SHA-2 certificate, weak TLSv1.0 crypto
Next by thread: Processed: Re: Bug#865598: cups: CUPS server ignores SSL key and certificate setting
Index(es):
- Date
- Thread