From 8d35b432fb659788facf320eb48337b65c7cd098 Mon Sep 17 00:00:00 2001 From: Zdenek Dohnal Date: Fri, 8 Apr 2022 09:10:19 +0200 Subject: [PATCH] 2073266 - 30-second delays printing to Windows 2016 server via HTTPS Resolves: rhbz#2073266 --- ...s-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch | 55 +++++++++++++++++++ cups.spec | 9 ++- 2 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch diff --git a/0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch b/0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch new file mode 100644 index 0000000..67e2edc --- /dev/null +++ b/0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch @@ -0,0 +1,55 @@ +From bdb1ca45454d90410031c4c2054005a995f76180 Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal +Date: Wed, 6 Apr 2022 15:04:45 +0200 +Subject: [PATCH] cups/tls-gnutls.c: Use always GNUTLS_SHUT_WR + +The current mode for `gnutls_bye()` in client use cases strictly +follows TLS v1.2 standard, which in this particular part says: + +``` +Unless some other fatal alert has been transmitted, each party is +required to send a close_notify alert before closing the write +side of the connection. The other party MUST respond with a +close_notify alert of its own and close down the connection immediately, +discarding any pending writes. It is not required for the initiator +of the close to wait for the responding close_notify alert before +closing the read side of the connection. +``` + +and waits for the other side of TLS connection to confirm the close. + +Unfortunately it can undesired for reasons: +- we support switching of TLS versions in CUPS, and this mode strictly + follows TLS v1.2 - so for older version this behavior is not expected + and can cause delays +- even some TLS v1.2 implementations (like Windows Server 2016) don't + comply TLS v1.2 behavior even if it says it does - in that case, + encrypted printing takes 30s till HTTP timeout is reached, because the + other side didn't send confirmation +- AFAIU openssl's SSL_shutdown() doesn't make this TLS v1.2 difference, + so we could end up with two TLS implementations in CUPS which will + behave differently + +Since the standard defines that waiting for confirmation is not required +and due the problems above, I would propose using GNUTLS_SHUT_WR mode +regardless of HTTP mode. +--- + cups/tls-gnutls.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c +index c55995b2b..f87b4f4df 100644 +--- a/cups/tls-gnutls.c ++++ b/cups/tls-gnutls.c +@@ -1667,7 +1667,7 @@ _httpTLSStop(http_t *http) /* I - Connection to server */ + int error; /* Error code */ + + +- error = gnutls_bye(http->tls, http->mode == _HTTP_MODE_CLIENT ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR); ++ error = gnutls_bye(http->tls, GNUTLS_SHUT_WR); + if (error != GNUTLS_E_SUCCESS) + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(errno), 0); + +-- +2.35.1 + diff --git a/cups.spec b/cups.spec index 8b0b442..66f6544 100644 --- a/cups.spec +++ b/cups.spec @@ -17,7 +17,7 @@ Summary: CUPS printing system Name: cups Epoch: 1 Version: 2.3.3%{OP_VER} -Release: 13%{?dist} +Release: 14%{?dist} License: ASL 2.0 Url: http://www.cups.org/ # Apple stopped uploading the new versions into github, use OpenPrinting fork @@ -97,6 +97,8 @@ Patch25: cups-fips-restrict-md5.patch # Memory leak fixes (bug #1964975) # https://github.com/OpenPrinting/cups/pull/322 Patch26: 0001-cups-http-encode-memleaks-fixes-issue-322.patch +# 2073266 - 30-second delays printing to Windows 2016 server via HTTPS +Patch27: 0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch ##### Patches removed because IMHO they aren't no longer needed @@ -325,6 +327,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in %patch25 -p1 -b .restrict-md5 # 1964975 - Memory leak fixes %patch26 -p1 -b .memleak-fixes +# 2073266 - 30-second delays printing to Windows 2016 server via HTTPS +%patch27 -p1 -b .gnutlsbye %if %{lspp} @@ -749,6 +753,9 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man7/ippeveps.7.gz %changelog +* Fri Apr 08 2022 Zdenek Dohnal - 1:2.3.3op2-14 +- 2073266 - 30-second delays printing to Windows 2016 server via HTTPS + * Thu Feb 24 2022 Richard Lescak - 1:2.3.3op2-13 - 1964975 - added fix for uninit jump into the leaks patch