ErrorCode: 5 attempting to install SSL iPrint printer

  • Document ID:7010049
  • Creation Date:23-Jan-2012
  • Modified Date:30-Apr-2012
    • Micro Focus Products:
      iPrint

Environment

Novell iPrint for Linux
SUSE Linux Enterprise Server 10 with latest updates to SLES 10 SP4 - including apache2-2.2.3-16.42.2
SUSE Linux Enterprise Server 11

Situation

This issue is observed through multiple symptoms:
 
Symptom 1: Attempting to install an SSL enabled (secure) iPrint printer results in the following error:

Error message: The SSL connection encountered an I/O error.
Error group: SSL
Error code: 5

Symptom 2: Attempting to install an SSL enabled (secure) iPrint printer results in the following error:
 
HTTP 426 - Upgrade required.
 
Symptom 3: The message in the C:\NDPS\ippErrs.txt shows:

Routine: SSLConnect - failed to create SSL_connect
Error: The SSL connection encountered an I/O error.

Symptom 4: The server's /var/log/apache2/error_log shows:

TLS Upgrade handshake failed: Not accepted by client!?

Note:  In some instances, there is no error presented to the end user, however, the Apache error_log shows the above error and httpd runs in high utilization and/or segfaults.  The Apache error message shown above can result from an attempt to install an SSL iPrint printer, or by having an SSL iPrint printer already installed to the workstation.  iPrint printers installed to workstations frequently communicate to the Print Manager to determine printer status.  Each status lookup requires an SSL connection.

Resolution

Resolution: Upgrade the iPrint Client on all workstations
Upgrade the version of the iPrint client for Windows on all workstations to version 5.74 or later and version 5.04 or later for Macintosh.

  • To determine which workstations need upgrading
    1. go to the /var/log/apache2/error_log
    2. find the string: TLS Upgrade handshake failed
    3. note the IP address associated with that error.

The IP address associated with that error is the IP address of the workstation which needs an upgraded verison of the iPrint client.

Workaround: Downgrade Apache (Available for OES2SP3 and not OES11)
Downgrade the server's Apache version to a release which doesn't disable the TLS connection upgrade.
Note: While testing on this option has been minimal, it has also been positive.

a. Determine which Apache rpms need downgrading:
At the iPrint server's terminal, type:
rpm -qa | grep apache

Make note of all the Apache packages which are returned from this command. This list will be needed for step b.

b. Download the needeed Apache RPMs (note 32 bit or 64 bit)
Download only the Apache packages which are noted from step a.
c. Install the RPMs
Copying the downloaded RPMs to the same directory. Ensure other apache modules do not exist in the chosen directory. Use this command to install:
rpm -Uvh --oldpackage apache*
Note: The --force switch is needed because the apache code is being downgraded.
d. Restart Apache
rcapache2 restart
 
Alternative Issue:
A different problem, but resulting in the same workstation error, has been reported by several customers.   The solution is to disable the "Web Intelligence Service" feature found in Sophos Endpoint Security version 10.

Additional Information

This problem is present if the server is SLES11 (OES11) or one SLES10 (OES2) if the latest SLES10SP4 updates for Apache are applied.  The Apache version which ships with SLES11 and the latest Apache updates with the SLES10SP4 updates introduce this condition.  The newer Apache disables the ability for clients to upgrade an already established TLS connection.
 
Novell is interested in collecting feedback regarding the above fix and workaround.  Please email patchfeedback@novell.com with the subject of "iPrint Apache SSL issue".  Let Novell know which of the two were implemented (resolution or workaround), and the results (positive or negative).