红帽全球峰会第 2 章 Configuring TLS encryption on a CUPS server
CUPS supports TLS-encrypted connections and, by default, the service enforces encrypted connections for all requests that require authentication. If no certificates are configured, CUPS creates a private key and a self-signed certificate. This is only sufficient if you access CUPS from the local host itself. For a secure connection over the network, use a server certificate that is signed by a certificate authority (CA).
Without encryption or with a self-signed certificates, a man-in-the-middle (MITM) attack can disclose sensitive data, for example:
- Credentials of administrators when configuring CUPS by using the web interface
- Confidential data when sending print jobs over the network
Prerequisites
- CUPS is configured.
- You created a private key, and a CA issued a server certificate for it.
- If an intermediate certificate is required to validate the server certificate, append the intermediate certificate to the server certificate.
- The private key is not protected by a password because CUPS provides no option to enter the password when the service reads the key.
The Canonical Name (
CN) or Subject Alternative Name (SAN) field in the certificate matches one of the following:- The fully-qualified domain name (FQDN) of the CUPS server
- An alias that the DNS resolves to the server’s IP address
- The private key and server certificate files use the Privacy Enhanced Mail (PEM) format.
- Clients trust the CA certificate.
- If the FIPS mode is enabled, clients must either support the Extended Master Secret (EMS) extension or use TLS 1.3. TLS 1.2 connections without EMS fail. For more information, see the Red Hat Knowledgebase solution TLS extension "Extended Master Secret" enforced.
Procedure
Edit the
/etc/cups/cups-files.conffile, and add the following setting to disable the automatic creation of self-signed certificates:CreateSelfSignedCerts noRemove the self-signed certificate and private key:
# rm /etc/cups/ssl/<hostname>.crt /etc/cups/ssl/<hostname>.keyOptional: Display the FQDN of the server:
# hostname -f server.example.comStore the private key and server certificate in the
/etc/cups/ssl/directory, for example:# mv /root/server.key /etc/cups/ssl/server.example.com.key # mv /root/server.crt /etc/cups/ssl/server.example.com.crt重要CUPS requires that you name the private key
<fqdn>.keyand the server certificate file<fqdn>.crt. If you use an alias, you must name the files<alias>.keyand<alias>.crt.Set secure permissions on the private key that enable only the
rootuser to read this file:# chown root:root /etc/cups/ssl/server.example.com.key # chmod 600 /etc/cups/ssl/server.example.com.keyBecause certificates are part of the communication between a client and the server before they establish a secure connection, any client can retrieve the certificates without authentication. Therefore, you do not need to set strict permissions on the server certificate file.
Restore the SELinux context:
# restorecon -Rv /etc/cups/ssl/Optional: Display the
CNand SAN fields of the certificate:# openssl x509 -text -in /etc/cups/ssl/server.example.com.crt Certificate: Data: ... Subject: CN = server.example.com ... X509v3 extensions: ... X509v3 Subject Alternative Name: DNS:server.example.com ...If the
CNor SAN fields in the server certificate contains an alias that is different from the server’s FQDN, add theServerAliasparameter to the/etc/cups/cupsd.conffile:ServerAlias alternative_name.example.comIn this case, use the alternative name instead of the FQDN in the rest of the procedure.
By default, CUPS enforces encrypted connections only if a task requires authentication, for example when performing administrative tasks on the
/adminpage in the web interface.To enforce encryption for the entire CUPS server, add
Encryption Requiredto all<Location>directives in the/etc/cups/cupsd.conffile, for example:<Location /> ... Encryption Required </Location>Restart CUPS:
# systemctl restart cups
Verification
-
Use a browser, and access
https://<hostname>:631/admin/. This requires that your browser trusts the CA certificate. If the connection succeeds, you configured TLS encryption in CUPS correctly. -
If you configured that encryption is required for the entire server, access
http://<hostname>:631/. CUPS returns anUpgrade Requirederror in this case.
Troubleshooting
Display the
systemdjournal entries of thecupsservice:# journalctl -u cupsIf the journal contains an
Unable to encrypt connection: Error while reading fileerror after you failed to connect to the web interface by using the HTTPS protocol, verify the name of the private key and server certificate file.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}