[Bug 544188] New: cups https redirect doesn't match certificate
http://bugzilla.novell.com/show_bug.cgi?id=544188

           Summary: cups https redirect doesn't match certificate
    Classification: openSUSE
           Product: openSUSE 11.2
           Version: Milestone 8
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Printing
        AssignedTo: jsmeix@novell.com
        ReportedBy: lnussel@novell.com
         QAContact: jsmeix@novell.com
          Found By: ---

The autogenerated certificate of the cups web interface apparently does not contain the IP addresses of the system. However, when visiting http://<hostname>:631/admin/ it redirects to https://<ipaddress>:631/admin, i.e. the browser will complain that the certificate is for the wrong host. So cups should redirect to the host the certificate was issued for.

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=544188#c1

--- Comment #1 from Ludwig Nussel <lnussel@novell.com> 2009-10-04 10:23:52 MDT ---
hmm, could be due to the SSLListen directive with an IP address
http://bugzilla.novell.com/show_bug.cgi?id=544188#c2

--- Comment #2 from Ludwig Nussel <lnussel@novell.com> 2009-10-04 11:08:00 MDT ---
Nope, same with host name
http://bugzilla.novell.com/show_bug.cgi?id=544188#c3

Johannes Meixner <jsmeix@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Priority|P5 - None                   |P3 - Medium
            Status|NEW                         |NEEDINFO
          Found By|---                         |Development
     Info Provider|                            |lnussel@novell.com

--- Comment #3 from Johannes Meixner <jsmeix@novell.com> 2009-10-06 01:06:25 MDT ---
I run CUPS 1.3.11 on my openSUSE 11.1 workstation with an unchanged /etc/cups/cupsd.conf (same package as for 11.2 but built for 11.1) and I use MozillaFirefox-3.0.5 as browser.

When I go to http://localhost:631/admin/ there is no redirect. I set up a new queue via the CUPS web interface and there was no redirect at all.

Can you provide information on how to reproduce? Please attach your /etc/cups/cupsd.conf file as MIME type text/plain.
http://bugzilla.novell.com/show_bug.cgi?id=544188#c4

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Status|NEEDINFO                    |NEW
     Info Provider|lnussel@novell.com          |

--- Comment #4 from Ludwig Nussel <lnussel@novell.com> 2009-10-06 01:22:59 MDT ---
I was referring to accessing a remote cups server via the web interface.
http://bugzilla.novell.com/show_bug.cgi?id=544188#c6

Johannes Meixner <jsmeix@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Priority|P3 - Medium                 |P4 - Low
            Status|NEW                         |ASSIGNED
  Target Milestone|---                         |Future 11.3
          Severity|Normal                      |Minor

--- Comment #6 from Johannes Meixner <jsmeix@novell.com> 2009-10-06 01:41:25 MDT ---
Ah! Now I get in my Firefox first:
--------------------------------------------------------------------
426 Upgrade Required
You must access this page using the URL https://10.10.4.228:631/admin/.
--------------------------------------------------------------------
which does after a few seconds an automated redirect to https://10.10.4.228:631/admin/ but this results in
--------------------------------------------------------------------
Secure Connection Failed
<IP.of.the.server>:631 uses an invalid security certificate.
The certificate is not trusted because it is self signed.
The certificate is only valid for <hostname.domain>
(Error code: sec_error_untrusted_issuer)
[...]
... you can add an exception ...
--------------------------------------------------------------------
In contrast https://<hostname.domain>:631/admin/ results only in
--------------------------------------------------------------------
Secure Connection Failed
<hostname.domain>:631 uses an invalid security certificate.
The certificate is not trusted because it is self signed.
(Error code: sec_error_untrusted_issuer)
[...]
... you can add an exception ...
--------------------------------------------------------------------
which is o.k. because the autogenerated certificate can only be self signed.

In both cases one must "add an exception" and after this the CUPS web interface works o.k. Therefore it is only a minor issue.
http://bugzilla.novell.com/show_bug.cgi?id=544188#c7

--- Comment #7 from Ludwig Nussel <lnussel@novell.com> 2009-10-06 01:51:39 MDT ---
self signed certificate and certificate issued for a different host are separate things. Self signed is unavoidable if the certificate is autogenerated (I would turn off too).
http://bugzilla.novell.com/show_bug.cgi?id=544188#c8

Johannes Meixner <jsmeix@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Status|ASSIGNED                    |NEEDINFO
     Info Provider|                            |lnussel@novell.com

--- Comment #8 from Johannes Meixner <jsmeix@novell.com> 2009-10-06 03:19:00 MDT ---
It works for me when I set in /etc/cups/cupsd.conf
HostNameLookups On

The default is Off to avoid the potential server performance problems with hostname lookups, see
http://www.cups.org/documentation.php/doc-1.3/ref-cupsd-conf.html#HostNameLo...

By default, i.e. when "HostNameLookups Off", the code in scheduler/client.c
---------------------------------------------------------------------------
  if (HostNameLookups)
    httpAddrLookup(&temp, con->servername, sizeof(con->servername));
  else
    httpAddrString(&temp, con->servername, sizeof(con->servername));
---------------------------------------------------------------------------
does not do httpAddrLookup, which would result in the hostname, but only httpAddrString, which converts the IP to a numeric string which is then used for the redirect.

Therefore from my point of view it works as intended and - as far as I see - the only solution would be an autogenerated certificate which is valid both for <hostname.domain> and <IP.of.the.server>.

Ludwig, do you know if it is possible to autogenerate a certificate which is valid both for <hostname.domain> and <IP.of.the.server>?
http://bugzilla.novell.com/show_bug.cgi?id=544188#c9

--- Comment #9 from Johannes Meixner <jsmeix@novell.com> 2009-10-06 03:22:58 MDT ---
Right now I noticed that we would need an autogenerated certificate which is valid for <hostname.domain> and <IP.of.the.server> and the plain <hostname> to match all possible cases.
http://bugzilla.novell.com/show_bug.cgi?id=544188#c10

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Status|NEEDINFO                    |ASSIGNED
     Info Provider|lnussel@novell.com          |

--- Comment #10 from Ludwig Nussel <lnussel@novell.com> 2009-10-06 03:48:42 MDT ---
Yes, it is possible to add an arbitrary number of additional hostnames or ip addresses to a certificate (subjAltName).

However, the more I think about it the more I come to the conclusion that an autogenerated certificate just can't work this way.
- there's no guarantee that the local hostname is resolvable or has a fqdn at all
- /etc/HOSTNAME is likely not resolvable (linux-xyz.site)
- the system is reachable via multiple names (e.g. hostname.local for zeroconf)
- the system has an arbitrary, dynamic number of ip addresses (IPv4LL, IPv6LL, DHCP, dial up interfaces etc ...)

It's possible to generate certificates without a CN though. The error message of the browser then at least doesn't say it's for the wrong host. Firefox says the certificate doesn't provide identity information then, which is at least correct information :-)
http://bugzilla.novell.com/show_bug.cgi?id=544188#c12

--- Comment #12 from Johannes Meixner <jsmeix@novell.com> 2009-10-06 05:53:00 MDT ---
A generated certificate without a CN results in Firefox:
-----------------------------------------------------------------------------
Secure Connection Failed
<whatever>:631 uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is not trusted.
The certificate is not valid for any server names.
(Error code: sec_error_untrusted_issuer)
[...]
... you can add an exception ...
-----------------------------------------------------------------------------
I do not like the "not valid for any server names" message because now it looks as if the user should never ever add an exception.

In contrast a message like in comment #6
---------------------------------------------------------------------
The certificate is only valid for <hostname.domain>
---------------------------------------------------------------------
provides better information for the user to decide if he may add an exception or not.
http://bugzilla.novell.com/show_bug.cgi?id=544188#c13

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Status|ASSIGNED                    |RESOLVED
        Resolution|                            |WONTFIX

--- Comment #13 from Ludwig Nussel <lnussel@novell.com> 2009-10-06 06:01:46 MDT ---
Weird, the German translation sounds much friendlier:
"Es wurden keine Server-Namen gefunden, für die dieses Zertifikat gültig ist."

Anyways, this issue is not solvable in any satisfactory way. Closing WONTFIX.
http://bugzilla.novell.com/show_bug.cgi?id=544188#c14

--- Comment #14 from Johannes Meixner <jsmeix@novell.com> 2009-10-06 06:45:14 MDT ---
Regardless of "wontfix", just out of curiosity:

The code in scheduler/client.c generates the certificate by running the command
openssl req -new -x509 -keyout /etc/cups/ssl/server.key \
  -out /etc/cups/ssl/server.crt -days 3650 -nodes <infofile
where infofile contains
--------------------------------------------------------------
.
.
.
ServerName
.
ServerName
ServerAdmin
--------------------------------------------------------------
to answer the openssl questions as follows (entering '.' => the field will be left blank):
Country Name (2 letter code) [AU]: .
State or Province Name (full name) [Some-State]: .
Locality Name (eg, city) []: .
Organization Name (eg, company) [Internet Widgits Pty Ltd]: ServerName
Organizational Unit Name (eg, section) []: .
Common Name (eg, YOUR name) []: ServerName
Email Address []: ServerAdmin

Ludwig, do you know if there is an easy enhancement possible here to provide at least a few "usual suspects" for the CN so that it works better at least for the usual cases <hostname.domain>, <IP.of.the.server> and plain <hostname>?
http://bugzilla.novell.com/show_bug.cgi?id=544188#c15

--- Comment #15 from Ludwig Nussel <lnussel@novell.com> 2009-10-06 06:58:58 MDT ---
That's a rather ugly way. Openssl has C API functions for creating certificates. On the command line it's possible to specify a config file that contains all values instead of running openssl interactively and piping input. In the config file there's a subjectAltName setting.
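The config-file route from comment #15, written out as an added example (this is not CUPS or openSUSE code): the request config is generated non-interactively and lists <hostname.domain>, plain <hostname> and <IP.of.the.server> from comment #9 in subjectAltName, so the name the browser is redirected to is one the certificate actually covers. The FQDN, short hostname, IP and admin address are constructed values; /etc/cups/ssl is assumed as the default output directory only because comment #14 names it.

```shell
#!/bin/sh
# Added example, not the CUPS scheduler's own certificate code.

# Print an openssl "req" config for the given FQDN, short hostname, IP
# address and admin mail. prompt = no answers every field from [ dn ],
# replacing the piped infofile; [ san_ext ] adds the subjectAltName.
make_cups_ssl_config() {
    fqdn=$1; host=$2; ip=$3; admin=$4
    cat <<EOF
[ req ]
prompt             = no
default_bits       = 2048
distinguished_name = dn
x509_extensions    = san_ext

[ dn ]
O            = $fqdn
CN           = $fqdn
emailAddress = $admin

[ san_ext ]
subjectAltName = DNS:$fqdn, DNS:$host, IP:$ip
EOF
}

# Generate key and self-signed certificate from that config, with no
# interactive prompts. $5 is the output directory (assumed default:
# /etc/cups/ssl, the path used by CUPS in comment #14).
gen_cups_cert() {
    dir=${5:-/etc/cups/ssl}
    make_cups_ssl_config "$1" "$2" "$3" "$4" > "$dir/server.cnf"
    openssl req -new -x509 -days 3650 -nodes \
        -config "$dir/server.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Show which names a certificate is valid for (the SAN extension).
cert_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}
```

Ludwig's objection in comment #10 still applies: the SAN list is only as complete as the names and addresses known when the certificate is generated, so a host that later gets a new DHCP or link-local address is again reachable under a name the certificate does not cover.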
http://bugzilla.novell.com/show_bug.cgi?id=544188#c16

--- Comment #16 from Johannes Meixner <jsmeix@novell.com> 2009-10-06 07:04:39 MDT ---
O.k. For CUPS 1.3 (i.e. for openSUSE 11.2) I leave it as is. I will look at it for CUPS 1.4 and suggest an enhancement to upstream.
http://bugzilla.novell.com/show_bug.cgi?id=544188#c17

Johannes Meixner <jsmeix@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Status|RESOLVED                    |REOPENED
          Platform|Other                       |All
        Resolution|WONTFIX                     |
        OS/Version|Other                       |SuSE Other
          Severity|Minor                       |Enhancement

--- Comment #17 from Johannes Meixner <jsmeix@novell.com> 2009-10-06 07:49:39 MDT ---
Reopening as possible enhancement for CUPS 1.4
http://bugzilla.novell.com/show_bug.cgi?id=544188

Johannes Meixner <jsmeix@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Status|REOPENED                    |ASSIGNED