
cupsd does not serve intermediate certificates with OpenSSL backend #465

Closed
chewi opened this issue Aug 28, 2022 · 2 comments
Labels
bug Something isn't working priority-high
chewi commented Aug 28, 2022

I use a Let's Encrypt certificate, served from /etc/cups/ssl. It was generated via Dehydrated. I have included it below. It works fine with the GnuTLS backend. With the OpenSSL backend, browsers like Vivaldi trust it, but curl and anything else that uses the system-wide Gentoo Linux ca-certificates package do not. This is because cupsd is not serving the intermediate (or root) certificate, only the leaf. I have seen this with 2.4.2 and the latest master at 4a6dcd7. Here is the output from openssl s_client -showcerts -connect.

CONNECTED(00000003)
depth=0 CN = *.aura-online.co.uk
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.aura-online.co.uk
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = *.aura-online.co.uk
verify return:1
---
Certificate chain
 0 s:CN = *.aura-online.co.uk
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=CN = *.aura-online.co.uk

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1644 bytes and written 420 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 384 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: 4B67F582F74F9C15E80F5398306E12F0603F277523F24F3FFD813049643F91E6
    Session-ID-ctx: 
    Master-Key: F329A4432D72A8AE5513A0A7B4D8BDB1F536681CD53811B14361A0E7AF41EB1CB08A5C8EA19CAD8B23BFD79F78B4CCFC
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 66 0a 26 c2 8a fa 36 cf-c7 a4 30 57 07 ec a1 d5   f.&...6...0W....
    0010 - 03 0d 02 b6 73 5f b9 0b-61 7f de 1c 6d 41 e7 6c   ....s_..a...mA.l
    0020 - e3 4e bf d5 25 7b 48 22-b5 7f 9f a3 87 b5 ac 3a   .N..%{H".......:
    0030 - 74 2c d3 7d d6 79 91 79-27 cb 4d 0c 69 6d b1 a0   t,.}.y.y'.M.im..
    0040 - cb dd 7b 25 da f5 32 6a-23 41 cd ea d7 55 a7 7c   ..{%..2j#A...U.|
    0050 - 34 7e 7b fc 4b 2f 8f e7-5d fb 19 85 f4 e2 57 a8   4~{.K/..].....W.
    0060 - cf 95 0d 85 88 3e b8 29-96 26 96 85 61 05 e0 97   .....>.).&..a...
    0070 - cf 79 ee 86 3b dd 85 8e-dc a5 13 e7 2b 26 e9 64   .y..;.......+&.d
    0080 - db a6 fc 14 e5 ad 07 8c-24 91 8f 21 4c 53 ae 0b   ........$..!LS..
    0090 - 41 82 6d f6 bb 49 83 b4-49 f3 1d 07 0c da d1 4a   A.m..I..I......J

    Start Time: 1661725708
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
---
DONE

Be aware that openssl s_client will make 2.4.2 segfault, but that issue has since been fixed.

Here is the full chain. I have tried removing the root certificate (which shouldn't be needed) and removing the blank lines, but it makes no difference.

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----
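The misconfiguration reported above is easy to catch automatically: if `openssl s_client -showcerts` lists only depth 0 and that certificate is not self-signed, the server never sent its intermediate, and every client that relies on the system trust store alone will fail exactly as curl did here. The following is an added example, not code from the issue, CUPS or OpenSSL: a small Python checker that parses the `Certificate chain` section and the `Verify return code` from `s_client` output and reports gaps. `LEAF_ONLY` is constructed from the output in this issue with the PEM bodies omitted; `FULL_CHAIN` is a hypothetical output from a correctly configured server, included for contrast.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ChainEntry:
    depth: int
    subject: str
    issuer: str = ""


@dataclass
class ChainReport:
    entries: List[ChainEntry] = field(default_factory=list)
    verify_code: Optional[int] = None
    problems: List[str] = field(default_factory=list)


def parse_showcerts(output: str) -> ChainReport:
    """Parse the 'Certificate chain' section and the verify return code from
    `openssl s_client -showcerts` output and flag an incomplete chain."""
    report = ChainReport()
    in_chain = False
    current: Optional[ChainEntry] = None
    for raw in output.splitlines():
        line = raw.strip()
        if line == "Certificate chain":
            in_chain = True
            continue
        if in_chain and line == "---":
            in_chain = False
            continue
        if in_chain:
            m = re.match(r"^(\d+) s:(.*)$", line)  # " 0 s:CN = ..."
            if m:
                current = ChainEntry(int(m.group(1)), m.group(2).strip())
                report.entries.append(current)
                continue
            m = re.match(r"^i:(.*)$", line)  # "   i:C = US, O = ..."
            if m and current is not None:
                current.issuer = m.group(1).strip()
                continue
        m = re.match(r"^Verify return code: (\d+)", line)
        if m:
            report.verify_code = int(m.group(1))

    entries = report.entries
    if not entries:
        report.problems.append("no certificate chain section found")
        return report
    # Each presented certificate should be followed by the one that issued it.
    for cur, nxt in zip(entries, entries[1:]):
        if cur.issuer != nxt.subject:
            report.problems.append(
                f"depth {cur.depth} issued by '{cur.issuer}' but depth "
                f"{nxt.depth} is '{nxt.subject}'")
    last = entries[-1]
    # Omitting the self-signed root is normal; a lone non-self-signed leaf
    # with no issuer behind it is the misconfiguration from this issue.
    if len(entries) == 1 and last.issuer != last.subject:
        report.problems.append(
            f"only the leaf was presented; intermediate '{last.issuer}' is missing")
    if report.verify_code in (20, 21):  # unable to get local issuer / verify first cert
        report.problems.append(f"local verification failed with code {report.verify_code}")
    return report


def chain_is_complete(output: str) -> bool:
    return not parse_showcerts(output).problems


# Constructed from the s_client output in the issue; PEM bodies omitted.
LEAF_ONLY = """\
CONNECTED(00000003)
depth=0 CN = *.aura-online.co.uk
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = *.aura-online.co.uk
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
(leaf PEM omitted)
-----END CERTIFICATE-----
---
    Verify return code: 21 (unable to verify the first certificate)
---
DONE
"""

# Hypothetical output from a server that sends leaf plus intermediate (constructed).
FULL_CHAIN = """\
---
Certificate chain
 0 s:CN = *.aura-online.co.uk
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
    Verify return code: 0 (ok)
---
"""

if __name__ == "__main__":
    for name, text in (("leaf only", LEAF_ONLY), ("full chain", FULL_CHAIN)):
        rep = parse_showcerts(text)
        print(f"{name}: {len(rep.entries)} cert(s), verify code {rep.verify_code}")
        for p in rep.problems:
            print("  problem:", p)
```

Pipe real output in with `openssl s_client -showcerts -connect host:631 </dev/null | python3 check_chain.py` after replacing the sample constants with `sys.stdin.read()`; a non-empty `problems` list on a server whose chain file on disk contains the intermediate points at the server not loading the whole file, which is what this issue turned out to be.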
@michaelrsweet michaelrsweet self-assigned this Aug 29, 2022
@michaelrsweet michaelrsweet added bug Something isn't working priority-high labels Aug 29, 2022
@michaelrsweet michaelrsweet added this to the v2.4.x milestone Aug 29, 2022
@michaelrsweet
Member

Investigating - this might explain some of the server-side failures I've been seeing with ChromeOS... :/

@michaelrsweet
Member

Turns out this was a rather simple fix, caused by reusing older code from the CUPS 1.x days that never moved on:

[master cd84d7f] The OpenSSL code path wasn't loading the full certificate chain (Issue #465)

@michaelrsweet michaelrsweet modified the milestones: v2.4.x, v2.4.3 Sep 5, 2022
gentoo-bot pushed a commit to gentoo/gentoo that referenced this issue Sep 6, 2022
Thanks to Chewi for pointing it out.

Bug: OpenPrinting/cups#465
Signed-off-by: Sam James <sam@gentoo.org>
negge pushed a commit to negge/gentoo that referenced this issue Sep 7, 2022
Thanks to Chewi for pointing it out.

Bug: OpenPrinting/cups#465
Signed-off-by: Sam James <sam@gentoo.org>