Managing Encryption

CUPS supports TLS encryption in two ways:

  1. Using HTTPS (always on) as soon as a connection is established, and
  2. Using HTTP Upgrade to TLS (opportunistic) after the connection is established.

CUPS supports self-signed, CA-signed, and enterprise certificates, with configurable certificate validation, cipher suite, and SSL/TLS version policies.

Out of the box, CUPS uses a Trust On First Use ("TOFU") certificate validation policy like the popular Secure Shell (ssh) software, requires TLS/1.0 or higher, only allows secure cipher suites, and automatically creates a "self-signed" certificate and private key for the scheduler so that remote administration operations and printer sharing are encrypted by default.

Configuring Client TLS Policies

The client.conf file controls the client TLS policies. The default policy is:

AllowAnyRoot Yes
AllowExpiredCerts No
Encryption IfRequested
SSLOptions None
TrustOnFirstUse Yes
ValidateCerts No

A client can be configured to only communicate with trusted TLS/1.1+ servers and printers by copying the corresponding certificates to the client (see below) and using the following policy in the client.conf file or macOS® printing preferences:

AllowAnyRoot No
AllowExpiredCerts No
Encryption Required
SSLOptions DenyTLS1.0
TrustOnFirstUse No
ValidateCerts Yes

Similarly, if a client needs to support an older server that only supports SSL/3.0 and RC4 cipher suites you can use the following policy option:

SSLOptions AllowRC4 AllowSSL3

Configuring Server TLS Policies

One directive in the cups-files.conf file controls the server (scheduler) TLS certificate store - ServerKeychain. The default policy creates self-signed certificates as needed.

The DefaultEncryption and Encryption directives in the cupsd.conf file control whether encryption is used. The default configuration requires encryption for remote access whenever authentication is required.

Platform Differences

macOS®

On macOS, client configuration settings for ordinary users are stored in the ~/Library/Preferences/org.cups.PrintingPrefs.plist file. System-wide and user certificates are stored in the system and login keychains, with private CUPS keychains being used for self-signed and CUPS-managed certificates.

Windows®

On Windows, client configuration settings are controlled by the SSL/TLS Group Policy settings and certificate stores.

Other Platforms

Other platforms only use the client.conf file and PEM-encoded certificates (hostname.crt) and private keys (hostname.key) in the /etc/cups/ssl and ~/.cups/ssl directories. If present, the /etc/cups/ssl/site.crt file defines a site-wide CA certificate that is used to validate server and printer certificates. Certificates for known servers and printers are stored by CUPS in the corresponding ssl directory so they can be validated for subsequent connections.

CUPS also supports certificates created and managed by the popular Let's Encrypt certificate service, which are stored in the /etc/letsencrypt/live directory.