Public bug reported:
Printing pdf files is failing on Ubuntu Pro system with fips-updates
service enabled.
By design, Ubuntu Pro’s FIPS mode intentionally disables MD5 in its
crypto modules. But it seems the default CUPS PDF pipeline (via qpdf
inside cups-filters) still uses MD5 in some paths. It appears in FIPS,
GnuTLS refuses MD5 and the filter chain aborts—so printing fails.
Canonical’s own guidance: FIPS certifies the crypto modules but requires
downstream apps to avoid disallowed algorithms—i.e., the integration
needs adjustment.
Here is a demonstration of the issue with a minimal pdf (test.pdf
attached):
>qpdf --check test.pdf
checking test.pdf
PDF Version: 1.5
File is not encrypted
File is not linearized
ERROR: gnutls: MD5 error: An algorithm that is not enabled was negotiated.
qpdf: errors detected
A recent version of qdpf does not trigger this issue:
./qpdf.AppImage --version
qpdf version 11.10.1
./qpdf.AppImage --check test.pdf
checking test.pdf
PDF Version: 1.5
File is not encrypted
File is not linearized
No syntax or stream encoding errors found; the file may still contain
errors that qpdf cannot detect
Here is what happens on an actual print attempt for test.pdf:
lp -d "Konica-Minolta-C451-Manual" test.pdf
request id is Konica-Minolta-C451-Manual-380 (1 file(s))
sudo tail -n +1 -f /var/log/cups/error_log | grep -F "[Job 380]" | grep "MD5"
E [15/Sep/2025:17:44:47 -0600] [Job 380] Exception: gnutls: MD5 error: An
algorithm that is not enabled was negotiated.
D [15/Sep/2025:17:44:47 -0600] [Job 380] Set job-printer-state-message to
"Exception: gnutls: MD5 error: An algorithm that is not enabled was
negotiated.", current level=ERROR
For now I work around this issue by converting a pdf to postscript and telling
cups-filter to do nothing (-o raw):
pdftops test.pdf - | lp -d KM-C451-raw -o raw
uname -r
5.15.0-153-fips
lsb_release -rd
Description: Ubuntu 22.04.5 LTS
Release: 22.04
apt-cache policy qpdf cups-filters libgnutls30
qpdf:
Installed: 10.6.3-1
Candidate: 10.6.3-1
Version table:
*** 10.6.3-1 500
500 http://us.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
100 /var/lib/dpkg/status
cups-filters:
Installed: 1.28.15-0ubuntu1.4
Candidate: 1.28.15-0ubuntu1.4
Version table:
*** 1.28.15-0ubuntu1.4 500
500 http://us.archive.ubuntu.com/ubuntu jammy-updates/main amd64
Packages
500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
100 /var/lib/dpkg/status
1.28.15-0ubuntu1 500
500 http://us.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
libgnutls30:
Installed: 3.7.3-4ubuntu1.7+Fips1
Candidate: 3.7.3-4ubuntu1.7+Fips1
Version table:
*** 3.7.3-4ubuntu1.7+Fips1 1001
1001 https://esm.ubuntu.com/fips-updates/ubuntu jammy-updates/main amd64
Packages
100 /var/lib/dpkg/status
3.7.3-4ubuntu1.7 500
500 http://us.archive.ubuntu.com/ubuntu jammy-updates/main amd64
Packages
500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
3.7.3-4ubuntu1 500
500 http://us.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
** Affects: ubuntu
Importance: Undecided
Status: New
** Attachment added: "test.pdf"
https://bugs.launchpad.net/bugs/2123888/+attachment/5909376/+files/test.pdf
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2123888
Title:
Ubuntu’s FIPS-enabled integration (qpdf/cups-filters) failure printing
pdf
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/2123888/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
