Re: SSLv3 and Internet Printing Protocol requirements problem
On Fri, Mar 18, 2016 at 08:31:36AM -0600, Bob Beck wrote: > > But it officially requires support for IPP version 1.0, which used > > SSLv3. > > I assume that there are printers, perhaps many were sold, which did use > > version 1.0. That version used SSLv3 for encrypted communication. Which > > is now gone. > > Almost certainly. > > > > > How should we deal with this problem? > > Here's a nickel kid - buy a better printer? > That makes sense. Any big operation is going to be replacing printers regularly due to hwavy use. Any small operation probably won't have much in the way of security needs. I don't know much about OpenSSL, "nice" to know that crap is still buildable for those "special" needs. Chris > Seriously. we just won't be conformant. These protocols are designed > by industry consortiums who want to sell product at lowest cost, not > care about security. If you seriously must have insecure stuff, > well, that's why OpenSSL still exists, you can always build with that.
Re: SSLv3 and Internet Printing Protocol requirements problem
> But it officially requires support for IPP version 1.0, which used > SSLv3. > I assume that there are printers, perhaps many were sold, which did use > version 1.0. That version used SSLv3 for encrypted communication. Which > is now gone. Almost certainly. > > How should we deal with this problem? Here's a nickel kid - buy a better printer? Seriously. we just won't be conformant. These protocols are designed by industry consortiums who want to sell product at lowest cost, not care about security. If you seriously must have insecure stuff, well, that's why OpenSSL still exists, you can always build with that.
SSLv3 and Internet Printing Protocol requirements problem
Apologies for my disappearance for a while but I have been brutally sick. Fine now. IPP is now using version 1.1 and new products also. But it officially requires support for IPP version 1.0, which used SSLv3. I assume that there are printers, perhaps many were sold, which did use version 1.0. That version used SSLv3 for encrypted communication. Which is now gone. How should we deal with this problem? Chris Bennett