Bug#865649: marked as done (cups HTTPS issues -- Lack of SHA-2 certificate, weak TLSv1.0 crypto)

To: Thorsten Alteholz <debian@alteholz.de>

Subject: Bug#865649: marked as done (cups HTTPS issues -- Lack of SHA-2 certificate, weak TLSv1.0 crypto)

From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Date: Sun, 26 Feb 2023 13:33:04 +0000

Message-id: <[🔎] handler.865649.D865649.16774182171847708.ackdone@bugs.debian.org>

References: <alpine.DEB.2.21.2302261301420.25296@postfach.intern.alteholz.me> <xcb5MVlVfgnfKI43SKjbgffn05dhdI3rsS40nGWcD8jgHsxuBHd54S993Q49nS95ASIzcIs_FKlFS61ClCrSBR8Z7bqujZd4jEdBNT-LZJE=@protonmail.com>

Your message dated Sun, 26 Feb 2023 13:03:45 +0000 (UTC) with message-id <alpine.DEB.2.21.2302261301420.25296@postfach.intern.alteholz.me> and subject line Closing this bug (BTS maintenance for debian-printing) has caused the Debian Bug report #865649, regarding cups HTTPS issues -- Lack of SHA-2 certificate, weak TLSv1.0 crypto to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 865649: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865649 Debian Bug Tracking System Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: undisclosed-recipients:;
Subject: cups HTTPS issues -- Lack of SHA-2 certificate, weak TLSv1.0 crypto
From: "of.the@protonmail.com" <of.the@protonmail.com>
Date: Fri, 23 Jun 2017 09:42:33 -0400
Message-id: <xcb5MVlVfgnfKI43SKjbgffn05dhdI3rsS40nGWcD8jgHsxuBHd54S993Q49nS95ASIzcIs_FKlFS61ClCrSBR8Z7bqujZd4jEdBNT-LZJE=@protonmail.com>
Reply-to: "of.the@protonmail.com" <of.the@protonmail.com>

Package: cups

Version: 2.2.1-8

* SHA-1 is officially deprecated for HTTPS certificates, but is still used for cups certificate generation.

* TLSv1.0 is enabled for cups, but TLSv1.0 with CBC / SHA-1 is potentially vulnerable to BEAST attacks.

I suggest two resolutions to correct this, even though it is understood that default certificates are self-signed anyway.

* Generate SHA-2 signed certificates by default. This will lessenthe additional browser warnings.

* Enable only TLSv1.2 for the cups HTTPS interface and disable CBC and SHA-1 crypto. TLSv1.0 has numerous known, potential security issues with CBC / SHA-1 suites. All current web clients support TLSv1.2 and so disabling TSLv1.0 should have no negative effect for local Debian users and is likely to also have virtually no impact for remote cups users as well accessing the cups interface remotely.

Verified on Debian GNU/Linux 9

--- End Message ---

--- Begin Message ---

To: 865649-done@bugs.debian.org
Cc: 865649-submitter@bugs.debian.org
Subject: Closing this bug (BTS maintenance for debian-printing)
From: Thorsten Alteholz <debian@alteholz.de>
Date: Sun, 26 Feb 2023 13:03:45 +0000 (UTC)
Message-id: <alpine.DEB.2.21.2302261301420.25296@postfach.intern.alteholz.me>

Hi,

this bug was forwarded to upstream and closed after introducing new configoptions. A package containing this fix was uploaded some time ago.


Thus I am manually closing this bug now.

Best regards,
Thorsten

--- End Message ---

Reply to: