import cups-2.2.6-45.el8

SOURCES/0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch

@@ -0,0 +1,55 @@
+From bdb1ca45454d90410031c4c2054005a995f76180 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Wed, 6 Apr 2022 15:04:45 +0200
+Subject: [PATCH] cups/tls-gnutls.c: Use always GNUTLS_SHUT_WR
+
+The current mode for `gnutls_bye()` in client use cases strictly
+follows TLS v1.2 standard, which in this particular part says:
+
+```
+Unless some other fatal alert has been transmitted, each party is
+required to send a close_notify alert before closing the write
+side of the connection.  The other party MUST respond with a
+close_notify alert of its own and close down the connection immediately,
+discarding any pending writes.  It is not required for the initiator
+of the close to wait for the responding close_notify alert before
+closing the read side of the connection.
+```
+
+and waits for the other side of TLS connection to confirm the close.
+
+Unfortunately it can undesired for reasons:
+- we support switching of TLS versions in CUPS, and this mode strictly
+  follows TLS v1.2 - so for older version this behavior is not expected
+  and can cause delays
+- even some TLS v1.2 implementations (like Windows Server 2016) don't
+  comply TLS v1.2 behavior even if it says it does - in that case,
+  encrypted printing takes 30s till HTTP timeout is reached, because the
+  other side didn't send confirmation
+- AFAIU openssl's SSL_shutdown() doesn't make this TLS v1.2 difference,
+  so we could end up with two TLS implementations in CUPS which will
+  behave differently
+
+Since the standard defines that waiting for confirmation is not required
+and due the problems above, I would propose using GNUTLS_SHUT_WR mode
+regardless of HTTP mode.
+---
+ cups/tls-gnutls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
+index c55995b2b..f87b4f4df 100644
+--- a/cups/tls-gnutls.c
++++ b/cups/tls-gnutls.c
+@@ -1667,7 +1667,7 @@ _httpTLSStop(http_t *http)		/* I - Connection to server */
+   int	error;				/* Error code */
+ 
+ 
+-  error = gnutls_bye(http->tls, http->mode == _HTTP_MODE_CLIENT ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
++  error = gnutls_bye(http->tls, GNUTLS_SHUT_WR);
+   if (error != GNUTLS_E_SUCCESS)
+     _cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(errno), 0);
+ 
+-- 
+2.35.1
+

SPECS/cups.spec

@@ -15,7 +15,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.2.6
-Release: 44%{?dist}
+Release: 45%{?dist}
 License: GPLv2+ and LGPLv2 with exceptions and AML
 Url: http://www.cups.org/
 Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
@@ -129,6 +129,8 @@ Patch70: 0001-Add-with-idle-exit-timeout-configure-option.patch
 Patch71: 0001-Add-with-systemd-timeoutstartsec-configure-option.patch
 # 2032965 - [RFE] RHEL8 - CUPS Web UI supports adding IPP Everywhere
 Patch72: cups-ippeve-web-support.patch
+# 2071417 - 30-second delays printing to Windows 2016 server via HTTPS
+Patch73: 0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch
 
 Patch1000: cups-lspp.patch
 
@@ -401,6 +403,8 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
 %patch71 -p1 -b .timeoutstartsec
 # 2032965 - [RFE] RHEL8 - CUPS Web UI supports adding IPP Everywhere
 %patch72 -p1 -b .ippeve-web-support
+# 2071417 - 30-second delays printing to Windows 2016 server via HTTPS
+%patch73 -p1 -b .gnutlsbye
 
 sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in
 
@@ -820,6 +824,9 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man5/ipptoolfile.5.gz
 
 %changelog
+* Fri Apr 08 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-45
+- 2071417 - 30-second delays printing to Windows 2016 server via HTTPS
+
 * Wed Jan 19 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-44
 - 2015182 - RFE: Implement IdleExitTimeout configuration during build