Hi, All!

We're about to release a TLS/SSL-capable version of CUPS (1.1.5)
that uses OpenSSL.  So far everything is working great (so far not
a single glitch I can see with 0.9.6!), but we're struggling with
one final issue...

CUPS 1.1.5 supports both dedicated TLS/SSL connections (https
scheme) as well as the HTTP Upgrade mechanism for upgrading to
TLS/SSL.  Both methods work perfectly with the CUPS client apps,
but web browsers (so far) seem only to support https connections.
In the case of Netscape 4.x, it also only works on port 443 (if you
specify a port with the https: scheme then it tries to look up the
hostname with the :port stuff tacked on...)

Are there any web browsers out there that support the HTTP Upgrade
spec to upgrade to TLS/SSL? (so far I've only had a chance to try
Netscape 4.x and MSIE 5.0 and 5.5)

We're also looking at auto-detecting the client hello message when
a client connects (if the first byte coming over the wire is 1, do
the TLS/SSL negotiation...)  Given that Netscape (the most likely
browser under UNIX) doesn't support the port number notation in
https: URLs, I'm not sure if this will buy us anything, but might
allow the IPP port (631) to pull triple-duty (unencrypted,
dedicated, and upgrade connections) on systems that already have
a secure web server running on port 443.

Does anyone see any problems with this kind of auto-detection?
I'm thinking more along the lines of security/reliability
problems; am I safe in assuming that OpenSSL can reject a
bad or malformed client hello message?

TIA!

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products                  [EMAIL PROTECTED]
Printing Software for UNIX                       http://www.easysw.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
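
The auto-detection asked about above, sketched as an added example (not code from this post, CUPS, or OpenSSL; all names are hypothetical). It checks the header layout of SSLv3/TLS records and SSLv2-format hellos rather than a single byte, and only routes the connection: the TLS library's handshake parser still has to validate the hello itself.

```c
#include <stddef.h>

/* Hypothetical names for illustration; not CUPS or OpenSSL code. */
typedef enum {
    PROTO_NEED_MORE,   /* too few bytes peeked to decide yet */
    PROTO_TLS,         /* SSLv3/TLS record carrying a ClientHello */
    PROTO_SSL2,        /* SSLv2-format CLIENT-HELLO */
    PROTO_PLAIN,       /* looks like an HTTP/IPP request line */
    PROTO_REJECT       /* none of the above: close the connection */
} proto_t;

/* Classify the first bytes of a new connection, e.g. bytes obtained
 * with recv(fd, buf, sizeof buf, MSG_PEEK) so nothing is consumed. */
proto_t classify_first_bytes(const unsigned char *buf, size_t len)
{
    if (len == 0)
        return PROTO_NEED_MORE;

    /* HTTP methods start with an uppercase ASCII letter. */
    if (buf[0] >= 'A' && buf[0] <= 'Z')
        return PROTO_PLAIN;

    /* SSLv3/TLS: content type 0x16 (handshake), major version 3,
     * 2-byte record length, then handshake type 0x01 (ClientHello). */
    if (buf[0] == 0x16) {
        size_t reclen;
        if (len < 6)
            return PROTO_NEED_MORE;
        reclen = ((size_t)buf[3] << 8) | buf[4];
        if (buf[1] == 0x03 && reclen >= 4 && reclen <= 16384 &&
            buf[5] == 0x01)
            return PROTO_TLS;
        return PROTO_REJECT;
    }

    /* SSLv2: 2-byte header with the high bit set, then message
     * type 0x01 (CLIENT-HELLO). */
    if (buf[0] & 0x80) {
        if (len < 3)
            return PROTO_NEED_MORE;
        return buf[2] == 0x01 ? PROTO_SSL2 : PROTO_REJECT;
    }

    return PROTO_REJECT;
}
```

A caller would bound how long it waits on PROTO_NEED_MORE so a client that sends one byte and stalls cannot hold the connection open indefinitely.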
