Environment
Novell iPrint for Linux
- iPrint on OES
- iPrint Appliance
Situation
SSLv3 contains a vulnerability. To understand that vulnerability, see the following documents:
- Understanding POODLE
- CVE-2014-3566
The default iPrint configuration for OES and the iPrint Appliance is affected by this vulnerability.
Resolution
Note: These steps are the same for iPrint on OES and the iPrint Appliance.
iPrint Server: Configure iPrint to not be subject to the SSLv3 vulnerability.
1. Edit the /etc/opt/novell/iprint/httpd/conf/iprint_g.conf
Find the following section within the iprint_g.conf:
SSLEngine Optional
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/ssl/servercerts/servercert.pem
SSLCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
Modify this section of the iprint_g.conf to appear as follows:
Note: Depending on the version of iPrint there may be additional lines within this section of the iprint_g.conf. Those additional lines will be remarked (preceded with a #). Those remarked lines can stay in this section.
SSLEngine Optional
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
SSLCertificateFile /etc/ssl/servercerts/servercert.pem
SSLCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
2. Restart Apache
rcapache2 restart
iPrint Remote Renderer
The iPrint Remote Renderer has the option to connect to the iPrint Appliance server via SSL. To protect iPrint Remote Renderer on the Windows machine in those situations, see section 'Disable SSL 3.0 in Windows' from the following Microsoft Security Advisory: 3009008.
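To check the iPrint Server edit from step 1 before restarting Apache, the shell function below is an added example (not part of the original Novell document). It skips remarked lines and reports an SSLProtocol that still leaves SSLv3 enabled, or an SSLCipherSuite missing any exclusion found in the corrected line above. The name audit_ssl_conf, the simplified left-to-right reading of SSLProtocol tokens, and the two constructed samples are assumptions of this example.

```shell
# Added example: audit an Apache/mod_ssl config for the two directives this page changes.
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
audit_ssl_conf() {
    awk '
    /^[ \t]*#/ { next }                      # remarked (commented) lines are ignored
    tolower($1) == "sslprotocol" {
        seen = 1; v3 = 0
        for (i = 2; i <= NF; i++) {          # read tokens left to right
            t = tolower($i); act = substr(t, 1, 1)
            if (act == "+" || act == "-") t = substr(t, 2); else act = "="
            hit = (t == "all" || t == "sslv3")
            if (act == "-") { if (hit) v3 = 0 }
            else if (act == "+") { if (hit) v3 = 1 }
            else v3 = hit                    # bare token replaces what came before
        }
        if (v3) { print "line " NR ": SSLProtocol leaves SSLv3 enabled"; bad = 1 }
    }
    tolower($1) == "sslciphersuite" {
        # exclusions taken from the corrected SSLCipherSuite line on this page
        n = split("!aNULL !eNULL !SSLv2 !LOW !EXP !MD5", need, " ")
        for (k = 1; k <= n; k++)
            if (index(":" $2 ":", ":" need[k] ":") == 0) {
                print "line " NR ": SSLCipherSuite lacks " need[k]; bad = 1
            }
    }
    END {
        if (!seen) { print "no active SSLProtocol directive"; bad = 1 }
        exit bad + 0
    }' "${1:--}"                             # file argument, or stdin when omitted
}

# Constructed samples built from the "before" and "after" sections on this page.
sample_before() { cat <<'EOF'
SSLEngine Optional
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
EOF
}
sample_after() { cat <<'EOF'
SSLEngine Optional
#SSLProtocol all
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
EOF
}
sample_before | audit_ssl_conf - || echo "before: still affected"
sample_after  | audit_ssl_conf - && echo "after: clean"
```

On the server itself, pass the path from step 1 as the argument: audit_ssl_conf /etc/opt/novell/iprint/httpd/conf/iprint_g.conf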