
Inability to disable weak ciphers in CUPS configuration

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Undefined
    • Affects Version/s: rhel-8.10.z, rhel-8.9.0
    • Component: cups
    • Severity: Moderate
    • rhel-sst-cs-stacks
    • ssg_core_services
    • Architecture: x86_64

      Product: Red Hat Enterprise Linux

      Component: CUPS

      Summary: Inability to disable weak ciphers in CUPS configuration

      Description:
      Experiencing an issue with the CUPS version cups-2.2.6-60.el8_10.x86_64 on Red Hat Enterprise Linux 8.10. A recent test reported vulnerabilities related to weak ciphers being enabled for port 631. Despite attempts to disable these weak ciphers, the configuration changes do not seem to take effect.

      What were you trying to do that didn't work?
      Attempting to disable weak ciphers for port 631 in the CUPS configuration to comply with security best practices

      What is the impact of this issue to you?
      Any presence of weak ciphers poses a significant security risk.

      Please provide the package NVR for which the bug is seen:
      Package : cups-2.2.6-60.el8_10.x86_64

      How reproducible is this bug?
      This bug is consistently reproducible.

      Steps to reproduce:
      Review the /etc/cups/cupsd.conf file for existing SSLOptions.
      Set SSLOptions MinTLS1.2 in the cupsd.conf file to disable TLS 1.0 and 1.1.
      Check the /usr/share/crypto-policies/back-ends/DEFAULT/opensslcnf.config file for cipher details.
      Attempt to set MinTLS1.3 and MaxTLS1.3 in the cupsd.conf file.
      Run an Nmap scan on port 631 to check the enabled ciphers.

      Expected results:
      We should be able to disable weak ciphers so that only strong ciphers are available for TLS connections on port 631.

      Actual results:
      After configuring SSLOptions MinTLS1.2, weak ciphers are still enabled.
      Setting MinTLS1.3 results in CUPS being unable to negotiate any supported cipher suites.

      $ man cupsd.conf
      SSLOptions [AllowDH] [AllowRC4] [AllowSSL3] [DenyCBC] [DenyTLS1.0] [MaxTLS1.0] [MaxTLS1.1] [MaxTLS1.2] [MaxTLS1.3] [MinTLS1.0] [MinTLS1.1] [MinTLS1.2] [MinTLS1.3]

      $ update-crypto-policies --show
      DEFAULT

      $ nmap --script ssl-enum-ciphers -p 631 localhost
        TLSv1.2:
          ciphers:
            TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
            TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
            TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
            TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
            TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
            TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A

      $ journalctl -u cups
        Nov 08 10:15:58 rhel.example.com cupsd[95949]: [Client 59] Unable to encrypt connection: The TLS connection was non-properly terminated.
        Nov 08 10:15:58 rhel.example.com cupsd[95949]: [Client 60] Unable to encrypt connection: A packet with illegal or unsupported version was received.
        Nov 08 10:15:58 rhel.example.com cupsd[95949]: [Client 61] Unable to encrypt connection: A packet with illegal or unsupported version was received.

      =========================================================
      When I set MinTLS1.3 in cupsd.conf
      =========================================================

      $ cat /etc/cups/cupsd.conf|grep -i ssl
      SSLOptions MinTLS1.3

      $ nmap --script ssl-enum-ciphers -p 631 localhost
        Other addresses for localhost (not scanned): ::1
        PORT STATE SERVICE
        631/tcp open ipp

      $ journalctl -u cups
        Nov 08 10:14:15 rhel.example.com cupsd[95937]: [Client 1] Unable to encrypt connection: No supported cipher suites have been found.
        Nov 08 10:14:15 rhel.example.com cupsd[95937]: [Client 2] Unable to encrypt connection: Could not negotiate a supported cipher suite

      =========================================================
      When I set MaxTLS1.3 in cupsd.conf
      =========================================================

      $ cat /etc/cups/cupsd.conf|grep -i ssl
      SSLOptions MaxTLS1.3

        TLSv1.0:
          ciphers:
            TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
            TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
        TLSv1.1:
          ciphers:
            TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
            TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
        TLSv1.2:
          ciphers:
            TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
            TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
            TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
            TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
            TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
            TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A

      $ journalctl -u cups
        Nov 08 10:12:49 rhel.example.com cupsd[95925]: [Client 42] Unable to encrypt connection: No supported cipher suites have been found.
        Nov 08 10:12:49 rhel.example.com cupsd[95925]: [Client 43] Unable to encrypt connection: The TLS connection was non-properly terminated.
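The scans above show nmap grading every suite "A" while a separate assessment still reported weak ciphers, so a practitioner needs a check that applies their own baseline to the enumerated list. The following is an added example, not code from the bug report or from CUPS: it parses `nmap --script ssl-enum-ciphers` output and flags what a common hardening baseline (an assumption here, not nmap's grading) treats as weak: protocol versions below TLSv1.2, static-RSA key exchange (no forward secrecy) and CBC-mode suites. The sample scan is constructed to mirror the MaxTLS1.3 output above.

```python
# Added example, not from the bug report: audit `nmap --script ssl-enum-ciphers`
# output against a hardening baseline (an assumption, not nmap's grading): protocols
# below TLSv1.2, static-RSA key exchange and CBC suites are flagged even when "- A".
import re

# Constructed sample mirroring the MaxTLS1.3 scan in the report (not a live scan).
SAMPLE_SCAN = """\
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
"""

PROTO_RE = re.compile(r"^\|?\s*(SSLv3|TLSv1\.[0-3]):\s*$")   # "|" prefix optional
CIPHER_RE = re.compile(r"^\|?\s*(TLS_[A-Z0-9_]+)\s*\([^)]*\)\s*-\s*\S+")

def parse_scan(text: str) -> dict[str, list[str]]:
    """Map each protocol version to the suites nmap listed under it."""
    suites: dict[str, list[str]] = {}
    current = None
    for line in text.splitlines():
        if m := PROTO_RE.match(line):
            current = m.group(1)
            suites.setdefault(current, [])
        elif (m := CIPHER_RE.match(line)) and current:
            suites[current].append(m.group(1))
    return suites

def cipher_weaknesses(name: str) -> list[str]:
    """Reasons a suite fails the baseline; an empty list means it passes."""
    reasons = []
    if name.startswith("TLS_RSA_WITH_"):  # no (EC)DHE: static RSA key exchange
        reasons.append("no forward secrecy")
    if "_CBC_" in name:
        reasons.append("CBC mode")
    return reasons

def audit(text: str) -> list[tuple[str, str, str]]:
    """Return (protocol, suite, reason) findings; an empty list means compliant."""
    findings = []
    for proto, names in parse_scan(text).items():
        # SSLv3, TLSv1.0 and TLSv1.1 fall below the baseline's TLSv1.2 floor.
        if not proto.startswith("TLSv") or float(proto[4:]) < 1.2:
            findings.append((proto, "*", "protocol below TLSv1.2"))
        findings += [(proto, n, r) for n in names for r in cipher_weaknesses(n)]
    return findings
```

Feed it the real scan output (with or without nmap's leading `|`) and an empty result means the listener meets the baseline; any findings name the exact protocol and suite to chase in the configuration.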

              zdohnal@redhat.com Zdenek Dohnal
              rhn-support-gpayelka Ganesh Payelkar
              Petr Dancak
              Votes: 0
              Watchers: 8