Question

I'm trying to communicate with a CUPS print-server that has "Encryption Required" set for all its connections. This means that, when you try to establish a connection to it, it asks to upgrade the connection to a TLS-encrypted one, and neither Cups4j nor Jspi seems to be able to handle it.

Is there any way to connect to such a server from a Java application (using either these libraries or others)?

No correct solution

OTHER TIPS

Your main problem is that CUPS/IPP is one of the rare protocols that use an HTTP to TLS upgrade, as described in RFC 2817. (https:// doesn't use that at all, see RFC 2818.) A consequence of that is that you'll find far less support in existing libraries for this upgrade.

In principle, upgrading a plain Socket into an SSLSocket isn't too difficult. However, since IPP relies on HTTP, it's likely that the libraries your library uses don't support this, since few HTTP libraries support RFC 2817.

I haven't looked at Cups4J, but Jspi clearly relies on Apache HTTP Client (probably version 3.x).

Support for RFC 2817 was discussed in 2011 on the Apache HTTP Client mailing list, but it's not clear whether any of this made its way into the library. Anyway, the Jspi code is older than that, so it's fair to assume that it's not going to work.

A possible workaround:

Some IPP servers seem to support TLS both via an upgrade (RFC 2817) and via an initial connection (RFC 2818, the traditional https:// way). Perhaps yours does too. Check whether it listens on another port for TLS connections (e.g. by pointing an HTTPS client to it). (This could also be the same port if the server uses port unification.)

If this works, a quick patch to IppHttpConnection.java in Jspi should enable you to make it use https:// connections instead of http:// connections:

```java
// Excerpt from IppHttpConnection.java in Jspi; the method continues past this point.
private static URI toHttpURI(URI uri) {
    if (uri.getScheme().equals("ipp")) {
        String uriString = uri.toString().replaceFirst("ipp", "http");
```

I'm not sure if ipps:// is standard, but you could use the same trick and replace ipps:// with https:// in the scheme. The rest should automatically be handled by the underlying HTTP library. (You might have to make sure your certificate is trusted too, but that's a different problem.)
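The RFC 2817 upgrade described in the answer above, done by hand on a plain socket; this is an added example, not part of the original answer and not code from Cups4j or Jspi. The class and method names and the host `printserver.example` are assumptions; the request headers follow RFC 2817.

```java
import java.io.*;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.*;

public class Rfc2817Upgrade {
    /** Opens a plain connection, requests the RFC 2817 upgrade, returns the TLS socket. */
    static SSLSocket upgrade(String host, int port) throws IOException {
        Socket plain = new Socket(host, port);
        try {
            OutputStream out = plain.getOutputStream();
            out.write(("OPTIONS * HTTP/1.1\r\nHost: " + host + ":" + port + "\r\n"
                    + "Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n")
                    .getBytes(StandardCharsets.US_ASCII));
            out.flush();
            // Read the response head byte by byte: a buffered reader could
            // consume bytes past the blank line that belong to the TLS layer.
            InputStream in = plain.getInputStream();
            StringBuilder head = new StringBuilder();
            while (head.indexOf("\r\n\r\n") < 0) {
                int b = in.read();
                if (b < 0 || head.length() > 8192) throw new IOException("No complete HTTP response");
                head.append((char) b);
            }
            // Fail closed: anything but 101 means the connection stays plaintext.
            if (head.indexOf("HTTP/1.1 101") != 0) {
                throw new IOException("Upgrade refused: " + head.substring(0, head.indexOf("\r\n")));
            }
            // Layer TLS over the existing socket; autoClose=true closes it with the SSLSocket.
            SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket tls = (SSLSocket) f.createSocket(plain, host, port, true);
            SSLParameters p = tls.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // raw SSLSocket skips hostname checks by default
            tls.setSSLParameters(p);
            tls.startHandshake();
            return tls;
        } catch (IOException e) {
            plain.close();
            throw e;
        }
    }
    public static void main(String[] args) throws IOException {
        // Hypothetical host; 631 is the registered IPP port.
        try (SSLSocket s = upgrade("printserver.example", 631)) {
            System.out.println("Negotiated " + s.getSession().getProtocol());
        }
    }
}
```

The returned socket carries ordinary HTTP/IPP requests from that point on; the server certificate still has to chain to a trust anchor in the JVM's default trust store for the handshake to succeed.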

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow