<!doctype html>
<html>
<!-- SECTION: Getting Started -->
<head>
<title>Managing Encryption</title>
<link rel="STYLESHEET" type="text/css" href="../cups-printable.css">
</head>
<body>
<h1 class="title">Managing Encryption</h1>
<p>CUPS supports TLS encryption in two ways:</p>
<ol>
<li>Using HTTPS (always on) as soon as a connection is established, and</li>
<li>Using HTTP Upgrade to TLS (opportunistic) after the connection is established.</li>
</ol>
<p>CUPS supports self-signed, CA-signed, and enterprise certificates, with configurable certificate validation, cipher suite, and SSL/TLS version policies.</p>
<p>Out of the box, CUPS uses a Trust On First Use ("TOFU") certificate validation policy like the popular Secure Shell (ssh) software, requires TLS/1.0 or higher, only allows secure cipher suites, and automatically creates a "self-signed" certificate and private key for the scheduler so that remote administration operations and printer sharing are encrypted by default.</p>
<h2 class="title" id="CLIENT">Configuring Client TLS Policies</h2>
<p>The <a href="man-client.conf.html"><var>client.conf</var></a> file controls the client TLS policies. The default policy is:</p>
<pre class="command">
AllowAnyRoot Yes
AllowExpiredCerts No
Encryption IfRequested
SSLOptions None
TrustOnFirstUse Yes
ValidateCerts No
</pre>
<p>A client can be configured to only communicate with trusted TLS/1.1+ servers and printers by copying the corresponding certificates to the client (<a href="#PLATFORM">see below</a>) and using the following policy in the <var>client.conf</var> file or macOS<sup>®</sup> printing preferences:</p>
<pre class="command">
AllowAnyRoot No
AllowExpiredCerts No
Encryption Required
SSLOptions DenyTLS1.0
TrustOnFirstUse No
ValidateCerts Yes
</pre>
<p>Similarly, if a client needs to support an older server that only supports SSL/3.0 and RC4 cipher suites you can use the following policy option:</p>
<pre class="command">
SSLOptions AllowRC4 AllowSSL3
</pre>
<h2 class="title" id="SERVER">Configuring Server TLS Policies</h2>
<p>Two directives in the <a href="man-cups-files.conf.html"><var>cups-files.conf</var></a> file control the server (scheduler) TLS policies - <a href="man-cups-files.conf.html#CreateSelfSignedCerts"><code>CreateSelfSignedCerts</code></a> and <a href="man-cups-files.conf.html#ServerKeychain"><code>ServerKeychain</code></a>. The default policy creates self-signed certificates as needed.</p>
<p>The <a href="man-cupsd.conf.html#DefaultEncryption"><code>DefaultEncryption</code></a> and <a href="man-cupsd.conf.html#Encryption"><code>Encryption</code></a> directives in the <a href="man-cupsd.conf.html"><var>cupsd.conf</var></a> file control whether encryption is used. The default configuration requires encryption for remote access whenever authentication is required.</p>
<h2 class="title" id="PLATFORM">Platform Differences</h2>
<h3>macOS<sup>®</sup></h3>
<p>On macOS, client configuration settings for ordinary users are stored in the <var>~/Library/Preferences/org.cups.PrintingPrefs.plist</var> file. System-wide and user certificates are stored in the system and login keychains, with private CUPS keychains being used for self-signed and CUPS-managed certificates.</p>
<h3>Windows<sup>®</sup></h3>
<p>On Windows, client configuration settings are controlled by the SSL/TLS Group Policy settings and certificate stores.</p>
<h3>Other Platforms</h3>
<p>Other platforms only use the <var>client.conf</var> file and PEM-encoded certificates (<i>hostname</i>.crt) and private keys (<i>hostname</i>.key) in the <var>/etc/cups/ssl</var> and <var>~/.cups/ssl</var> directories. If present, the <var>/etc/cups/ssl/site.crt</var> file defines a site-wide CA certificate that is used to validate server and printer certificates. Certificates for known servers and printers are stored by CUPS in the corresponding <var>ssl</var> directory so they can be validated for subsequent connections.</p>
<p>CUPS also supports certificates created and managed by the popular <a href="https://letsencrypt.org/">Let's Encrypt</a> certificate service, which are stored in the <var>/etc/letsencrypt/live</var> directory.</p>
</body>
</html>
| Name | Type | Size | Permission | Actions |
|---|---|---|---|---|
| accounting.html | File | 2.63 KB | 0644 |
|
| admin.html | File | 11.66 KB | 0644 |
|
| api-admin.html | File | 19.99 KB | 0644 |
|
| api-filter.html | File | 61.66 KB | 0644 |
|
| api-ppd.html | File | 92.21 KB | 0644 |
|
| api-raster.html | File | 59.02 KB | 0644 |
|
| cgi.html | File | 2.58 KB | 0644 |
|
| cupspm.html | File | 370.35 KB | 0644 |
|
| encryption.html | File | 4.21 KB | 0644 |
|
| firewalls.html | File | 3.94 KB | 0644 |
|
| glossary.html | File | 2.66 KB | 0644 |
|
| kerberos.html | File | 4.21 KB | 0644 |
|
| license.html | File | 11.78 KB | 0644 |
|
| man-backend.html | File | 9.35 KB | 0644 |
|
| man-cancel.html | File | 2.56 KB | 0644 |
|
| man-classes.conf.html | File | 1.15 KB | 0644 |
|
| man-client.conf.html | File | 6.91 KB | 0644 |
|
| man-cups-config.html | File | 3.3 KB | 0644 |
|
| man-cups-files.conf.html | File | 12.26 KB | 0644 |
|
| man-cups-lpd.html | File | 4.75 KB | 0644 |
|
| man-cups-snmp.html | File | 2.72 KB | 0644 |
|
| man-cups.html | File | 7.43 KB | 0644 |
|
| man-cupsaccept.html | File | 2.48 KB | 0644 |
|
| man-cupsd-helper.html | File | 2.59 KB | 0644 |
|
| man-cupsd-logs.html | File | 9.55 KB | 0644 |
|
| man-cupsd.conf.html | File | 37.78 KB | 0644 |
|
| man-cupsd.html | File | 3.22 KB | 0644 |
|
| man-cupsenable.html | File | 2.97 KB | 0644 |
|
| man-cupstestppd.html | File | 4.83 KB | 0644 |
|
| man-filter.html | File | 11.36 KB | 0644 |
|
| man-ippevepcl.html | File | 1.88 KB | 0644 |
|
| man-ippeveprinter.html | File | 9.88 KB | 0644 |
|
| man-ippfind.html | File | 9.72 KB | 0644 |
|
| man-ipptool.html | File | 7.53 KB | 0644 |
|
| man-ipptoolfile.html | File | 27.3 KB | 0644 |
|
| man-lp.html | File | 7.32 KB | 0644 |
|
| man-lpadmin.html | File | 10.04 KB | 0644 |
|
| man-lpc.html | File | 2.11 KB | 0644 |
|
| man-lpinfo.html | File | 3.66 KB | 0644 |
|
| man-lpmove.html | File | 1.91 KB | 0644 |
|
| man-lpoptions.html | File | 3.88 KB | 0644 |
|
| man-lpq.html | File | 1.97 KB | 0644 |
|
| man-lpr.html | File | 5.93 KB | 0644 |
|
| man-lprm.html | File | 2.08 KB | 0644 |
|
| man-lpstat.html | File | 4.55 KB | 0644 |
|
| man-mime.convs.html | File | 2.59 KB | 0644 |
|
| man-mime.types.html | File | 5.47 KB | 0644 |
|
| man-notifier.html | File | 1.35 KB | 0644 |
|
| man-ppdc.html | File | 3.5 KB | 0644 |
|
| man-ppdhtml.html | File | 1.83 KB | 0644 |
|
| man-ppdi.html | File | 1.99 KB | 0644 |
|
| man-ppdmerge.html | File | 1.75 KB | 0644 |
|
| man-ppdpo.html | File | 2.09 KB | 0644 |
|
| man-printers.conf.html | File | 1.18 KB | 0644 |
|
| man-subscriptions.conf.html | File | 1.22 KB | 0644 |
|
| network.html | File | 18.56 KB | 0644 |
|
| options.html | File | 16.42 KB | 0644 |
|
| overview.html | File | 3.4 KB | 0644 |
|
| policies.html | File | 21.25 KB | 0644 |
|
| postscript-driver.html | File | 23.26 KB | 0644 |
|
| ppd-compiler.html | File | 45.13 KB | 0644 |
|
| raster-driver.html | File | 20.32 KB | 0644 |
|
| ref-ppdcfile.html | File | 69.29 KB | 0644 |
|
| security.html | File | 4.44 KB | 0644 |
|
| sharing.html | File | 4.45 KB | 0644 |
|
| spec-banner.html | File | 4.05 KB | 0644 |
|
| spec-command.html | File | 6.08 KB | 0644 |
|
| spec-design.html | File | 13.05 KB | 0644 |
|
| spec-ipp.html | File | 65.4 KB | 0644 |
|
| spec-ppd.html | File | 90.33 KB | 0644 |
|
| spec-raster.html | File | 23.34 KB | 0644 |
|
| spec-stp.html | File | 3.79 KB | 0644 |
|
| translation.html | File | 24.29 KB | 0644 |
|