From owner-freebsd-current@freebsd.org Wed Jan 16 17:34:49 2019 Return-Path: Delivered-To: freebsd-current@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CE97E148F566 for ; Wed, 16 Jan 2019 17:34:48 +0000 (UTC) (envelope-from tijl@freebsd.org) Received: from mailrelay118.isp.belgacom.be (mailrelay118.isp.belgacom.be [195.238.20.145]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "relay.skynet.be", Issuer "GlobalSign Organization Validation CA - SHA256 - G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 22238770F8 for ; Wed, 16 Jan 2019 17:34:47 +0000 (UTC) (envelope-from tijl@freebsd.org) X-Belgacom-Dynamic: yes IronPort-PHdr: =?us-ascii?q?9a23=3A0fLCHx9zvKl8KP9uRHKM819IXTAuvvDOBiVQ1K?= =?us-ascii?q?B30ugcTK2v8tzYMVDF4r011RmVBdWds6oMotGVmpioYXYH75eFvSJKW713fD?= =?us-ascii?q?hBt/8rmRc9CtWOE0zxIa2iRSU7GMNfSA0tpCnjYgBaF8nkelLdvGC54yIMFR?= =?us-ascii?q?XjLwp1Ifn+FpLPg8it2O2+557ebx9UiDahfLh/MAi4oQLNu8cMnIBsMLwxyh?= =?us-ascii?q?zHontJf+RZ22ZlLk+Nkhj/+8m94odt/zxftPw9+cFAV776f7kjQrxDEDsmKW?= =?us-ascii?q?E169b1uhTFUACC+2ETUmQSkhpPHgjF8BT3VYr/vyfmquZw3jSRMNboRr4oRz?= =?us-ascii?q?ut86ZrSAfpiCgZMT457HrXgdF0gK5CvR6tuwBzz4vSbYqINvRxY7ndcMsUS2?= =?us-ascii?q?RBQMhfSi9PDYGyb4QAE+UPMv1Vr5X/qlcSsReyGRWgCP3pxzRVhnH2x6o60+?= =?us-ascii?q?E5HA/Y2Q4gG88FvWrTrNXyL6cdT+W1w7POzTXYcvhb3iv96InKchAluvyCXa?= =?us-ascii?q?hwftTPxkQyCg3LgE+cqYv/PzOaz+kAtXWQ4eRnVeKqkWEnqgdxryCzyccxko?= =?us-ascii?q?nJnZgZylfe9SV2xos+ON62SFZjbNOnEpZcrSCXOoRsTs4gQmxkojg2xqMItJ?= =?us-ascii?q?O9YSME0o4oxwTFZPyCa4WI5xXjW/uPLjpgn3Jlfa6/hw618Ui91u3wTsm030?= =?us-ascii?q?hOripCitTMtWoC1xjS6siCVPR95ECh1SyT1wDS6OFEJVo4mrbcK54m2b4/iJ?= =?us-ascii?q?8Tvl7FHi/tgkn2i7WWdko89uip7eTofKnmq4efOoJ2kA3zM6sjlta9DOk5KA?= =?us-ascii?q?QCQXaX9Oqk2L3m50L5QbFKjvMskqnetZDXPdgbpq+7Aw9RyYsj5Qy/ACm439?= =?us-ascii?q?sDhnkIMUhJeBWdj4jmI13OOuz3De+jg1Swlzdm3/7GPqf/DZrTNXfDi6ruca?= =?us-ascii?q?9h5E5B0goz185Q55RICrwaLvLzQFH+u8LDAR8iLgO42eHnCM9y1tBWZWXaSI?= =?us-ascii?q?jfeIPbq0ON7+QpaaHYY48coir4Iv4jz+HniWQlkEMBO66z0s1ERmq/G6FaxE?= =?us-ascii?q?HRSn3rmdoEGGER9l4iTe7uoHOYXDN5XFr0WLgzsGJoQLm6BJvOE9j+yIeK2z?= =?us-ascii?q?22S9gPPjhL?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A2A1AAB5aT9c/99MQFdjHAEBAQQBAQc?= =?us-ascii?q?EAQGBUQcBAQsBAYFULkMjTzMnjBtfin4BAYIMNQGJY41lgXsohFECglIjNAk?= =?us-ascii?q?NAQMBAQIBAQIBbBwMQgEMAYFqKQGCZwEFOhwjEAsYCSUPKh4GE4MjggWscYk?= =?us-ascii?q?kgQ6MITWBf4ERgxKEWxCFdgKQS5FFCYciimUkgjKPWYFHglqCf5U0OIFWTTA?= =?us-ascii?q?IgycJgkiITIRjXT4DMAGDJYVBgkwBAQ?= X-IPAS-Result: =?us-ascii?q?A2A1AAB5aT9c/99MQFdjHAEBAQQBAQcEAQGBUQcBAQsBA?= =?us-ascii?q?YFULkMjTzMnjBtfin4BAYIMNQGJY41lgXsohFECglIjNAkNAQMBAQIBAQIBb?= =?us-ascii?q?BwMQgEMAYFqKQGCZwEFOhwjEAsYCSUPKh4GE4MjggWscYkkgQ6MITWBf4ERg?= =?us-ascii?q?xKEWxCFdgKQS5FFCYciimUkgjKPWYFHglqCf5U0OIFWTTAIgycJgkiITIRjX?= =?us-ascii?q?T4DMAGDJYVBgkwBAQ?= Received: from 223.76-64-87.adsl-dyn.isp.belgacom.be (HELO kalimero.tijl.coosemans.org) ([87.64.76.223]) by relay.skynet.be with ESMTP; 16 Jan 2019 18:33:38 +0100 Received: from kalimero.tijl.coosemans.org (kalimero.tijl.coosemans.org [127.0.0.1]) by kalimero.tijl.coosemans.org (8.15.2/8.15.2) with ESMTP id x0GHXbm6035402; Wed, 16 Jan 2019 18:33:37 +0100 (CET) (envelope-from tijl@FreeBSD.org) Date: Wed, 16 Jan 2019 18:33:36 +0100 From: =?UTF-8?B?VMSzbA==?= Coosemans To: "O. Hartmann" Cc: freebsd-current Subject: Re: CUPS: [Client 1] Unable to encrypt connection: An illegal parameter has been received. Message-ID: <20190116183336.6aa7bdde@kalimero.tijl.coosemans.org> In-Reply-To: <20190116152328.3edb2f74@freyja.lan101.bundesimmobilien.intern> References: <20190116152328.3edb2f74@freyja.lan101.bundesimmobilien.intern> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 22238770F8 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.98 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.98)[-0.984,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; ASN(0.00)[asn:5432, ipnet:195.238.0.0/19, country:BE] X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Jan 2019 17:34:49 -0000 On Wed, 16 Jan 2019 15:23:40 +0100 "O. Hartmann" wrote: > We have an experimental IPV6 network and within this network, FreebSD CURRENT > (r343087) is acting as a CUPS print server, while a bunch FreeBSD 12-STABLE > boxes are CUPS clients. > > The setup, so far, worked with IPv4. Introducing IPv6 addresses on both server > and host results in the error > > [Client 1] Unable to encrypt connection: An illegal parameter has been received. > > In file cups/client.conf we address the appropriate printer via > > ipps://xxx.xxx.xxx.xxx/printers/printer_name (IPv4 of the CUPS server host) > > This works fine. > > But ipps://[XXXX:XXXX:XXXX::XXXX]/printers/printer_name (IPv6 of the CUPS > server host) doesn't work and results in the error on the server as shown above. > > I fiddled also around with the SSLOption parameter in client.conf and parallel, > to match requiremets, in cups/cupsd.conf of the server host - with no effect. > > On the server side, it seems that all the documents I could pick up from > cups.org or Apple do not specify any IPv6 address in an "Allow from" statement: > everything seems to be stuck with IPv4. While the cupsd.conf SSLListen option > is for IPv6 > > SSLListen [fd01:dead:beef::affe]:631 > > which works, I get an error when trying to put anything IPv6-similar with the > convention with the brackets "[" and "]" in a "Allow from" option in the > sections where I need to restrict access. An IPv6 without "[" and "]" seems to > be accepted - but when coemmnting out ANY IPv4 address and leaving only IPV6 in > the "Allow from " statement, no remote connection is allowed. > > This drives me nuts. Since the aim will be to have a printing facility within a > IPv6 only network, I feel a bit lost. > > Does anyone have had similar problems? cupsd.conf(5) does mention "Allow [ipv6-address]" in the section: DIRECTIVES VALID WITHIN LOCATION AND LIMIT SECTIONS With client.conf you can configure libcups so it talks to a remote CUPS server instead of the local one. This has been deprecated for years so I suspect there hasn't been any development on it and that it simply doesn't support IPv6. What you're supposed to do instead is run a cupsd on the client and add the print server as a network printer (using your ipps URI). When you have to choose the make of the printer choose Raw so you don't need a PPD and cupsd will forward the job to the server without doing any filtering. You can set this up on one client and then copy the cups configuration in /usr/local/etc/cups to the other clients. Running a local cupsd allows clients to queue print jobs when the print server is down. Alternatively you can let the print server announce the printer via Bonjour/Avahi (Browsing on in cupsd.conf) and run cups-browsed from print/cups-filters on the clients which will then detect the print server and add a raw print queue automatically. This can be convenient for laptops that move between networks.