
Bug#865649: marked as done (cups HTTPS issues -- Lack of SHA-2 certificate, weak TLSv1.0 crypto)



Your message dated Sun, 26 Feb 2023 13:03:45 +0000 (UTC)
with message-id <alpine.DEB.2.21.2302261301420.25296@postfach.intern.alteholz.me>
and subject line Closing this bug (BTS maintenance for debian-printing)
has caused the Debian Bug report #865649,
regarding cups HTTPS issues -- Lack of SHA-2 certificate, weak TLSv1.0 crypto
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
865649: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865649
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: cups
Version: 2.2.1-8

* SHA-1 is officially deprecated for HTTPS certificates, but is still used for cups certificate generation.
* TLSv1.0 is enabled for cups, but TLSv1.0 with CBC / SHA-1 is potentially vulnerable to BEAST attacks.

I suggest two resolutions to correct this, even though it is understood that default certificates are self-signed anyway.

* Generate SHA-2 signed certificates by default. This will lessen the additional browser warnings.
* Enable only TLSv1.2 for the cups HTTPS interface and disable CBC and SHA-1 crypto. TLSv1.0 has numerous known, potential security issues with CBC / SHA-1 suites. All current web clients support TLSv1.2 and so disabling TLSv1.0 should have no negative effect for local Debian users and is likely to also have virtually no impact for remote cups users as well accessing the cups interface remotely.

Verified on Debian GNU/Linux 9

--- End Message ---
--- Begin Message ---
Hi,

this bug was forwarded to upstream and closed after introducing new config options. A package containing this fix was uploaded some time ago.

Thus I am manually closing this bug now.

Best regards,
Thorsten

--- End Message ---
