HP Jetdirect 610n - HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
HP Jetdirect 610n manual content summary (one excerpt per page of the whitepaper; excerpts are truncated where marked with "..."):

Page 1: Introduction. HP Jetdirect introduced SSL/TLS support in early 2002 with the 615n EIO Print Server. A free firmware upgrade allowed the 610n EIO print server, shipped in 2000, the same capability. Suddenly, a few million HP Jetdirect EIO cards ...
Page 2: ... This whitepaper will discuss how SSL/TLS works when Jetdirect is operating as a client (e.g., LDAPS, IPPS). 802.1X is covered extensively in a separate whitepaper. See http://www.hp.com/go/secureprinting for the latest information regarding HP's printing and imaging products. What is SSL/TLS? SSL ...
Page 3: ... Figure 3 - Application Changes. Now, let's have a closer look at HTTPS. HTTPS Decoded. In Figure 4 - HTTP Session, we bring up a normal HTTP session with an HP MFP.
Page 4: Figure 4 - HTTP Session. The URL starts with http:// and tells the browser that SSL/TLS is not required. Let's change it to https:// and hit the [Enter] key. We are now presented with the dialog in Figure 5 - Secure Connection. Clicking "More Info", we get the dialog in Figure 6.
Page 5: Figure 6 - More Info. Notice the sentence: "This Web site provides secure communication and has a valid certificate." After reading this whitepaper, you'll know whether that sentence is correct or not. Now that we have read the "More Info" text, let's go back to the dialog in Figure 5 and click "OK".
Page 6: ... us! Let's click "Yes" and establish the HTTPS session with the MFP. Figure 8 - HTTPS Session. We have now "secured" our web browser session with the HP MFP. How can we tell? Well, we can look at the URL and see https://, but we can also look at the bottom right of ...
Page 7: Figure 9 - Lock Icon. The mouse pointer was placed on the lock icon. Notice the "SSL Secured (128 bit)" shown in the bottom right. If we double-click on the lock icon, we get a dialog box similar to the one in Figure 10 - Certificate Details.
Page 8: ... a 128 bit SSL secured session with the HP MFP, but we now have a big red X indicating a trust problem. This problem is best explained through an example. Let's ... and put in your card and punch in your PIN#. The ATM returns the message: "Temporarily out of service" and gives you your card back. You then ...
Page 9: ... " without realizing what they are doing (as we did before) and then provide the unethical hacker with a lot of information, like their credit card number and billing address. After all, it really seems like just an annoying dialog. Luckily, the Internet Explorer 7 (IE7) experience is different in ...
Page 10: Figure 12 - IE7 Certificate Error 1. This screen is a lot different from IE6: notice the red X symbols and explanatory text. The way the information is now presented, it will grab your attention. If we click the "Continue to this website (not recommended)" link, we get the screen shown in Figure 13 ...
Page 11: ... license issued by an institution other than the DMV as being valid. In short, the DMV is a trusted third party that issues "certificates" (driver's licenses) to individuals. These "certificates", issued by the DMV, are trusted by the Highway Patrol. Essentially, the Highway Patrol, the DMV, and the ...
Page 12: ... certificate "HP Jetdirect 85C1F319" is not trusted. Because the "Issued by:" name is the same as the "Issued to:" name, this is a self-signed certificate. The Security Alert dialog is troubling because it is indicative of a trust problem. In the terms of our analogy, it would be like a driver who ...
Page 13: ... known as symmetric cryptography. Symmetric cryptography commonly has two attributes associated with it: it performs well (it is fast and easy to implement), and it has a key distribution problem (how do you get the symmetric key to everyone that needs it in a secure way?). Asymmetric cryptography is ...
Page 14: ... associated with asymmetric cryptography: it is slow, and it has a trust problem (how do I know that this is John's public key and not someone pretending to be John?). To solve the first problem, asymmetric cryptography is usually used to securely distribute symmetric keys and sign ...
Page 15: ... A hash, also known as a message digest. A hash is the output of a one-way function that attempts to ensure the integrity of the message (i.e., that the message has not been altered). It is usually combined with authentication information to ensure that the message originator can be authenticated ...
Page 16: ... Jack's private key, which no one should know but Jack, John can be sure that Jack was the one that sent it. We still have a problem: how does John know that Jack's public key really belongs to the person that he knows as "Jack"? There are many people in the world ...
Page 17: [Figure: certificate issuance. Jack creates a key pair; Jack's private key stays private; Jack sends a certificate request containing his identity info and public key to the Certificate Authority; the CA verifies Jack's identity and signs with the CA's private key, producing a certificate containing Jack's identity info, CA info, and Jack's ...]
Page 18: ... has a public key certificate that identifies itself. This certificate is signed with its own private key and is a "self-signed" certificate. As you may remember, Jetdirect also creates a self-signed certificate. What is the difference between a certificate authority's self-signed certificate and ...
Page 19: ... one other important thing to cover about certificates. Each certificate has one or more "certificate purposes" that the certificate can be used for. For example, a Jetdirect self-signed certificate will have two purposes: client authentication and server authentication. A root certificate ...
Page 20: ... a given state. Because a driver's license also lists the date ... install a CA certificate of their own choosing into your trusted certificate store, you will be in for a lot of problems ... talk about common situations with HP Jetdirect and "normal" SSL/... and a Server. Unlike a protocol like IPsec where each ...
Page 21: ... place. The TCP connection was initiated by the client. Once we have this reliability, the client now sends the SSL Client Hello message to the server. This message has a random number and a list of cipher suites the client supports. Now it is the server's turn in Figure 24 ...
Page 22: Figure 24 - Server Hello. The server responds with a Server Hello message which includes another random number and the server-selected cipher. It also sends back its public key certificate along with a message indicating that it is done with this part of the handshake. Now, ...
Page 23: ... are a lot of checks against the certificate. If any of these checks fail, there is a good chance the client is not talking to the "real" server. Assuming that everything is fine, the client still has more work to do. It needs to come up with some keying material.
Page 24: ... is called a "pre_master_secret" using the random numbers as well as a function called the key derivation function. This is encrypted with the server's public key. Only a server with knowledge of the private key would be able to decrypt it. The ability to decrypt the pre_master_secret proves that the ...
Page 25: Figure 27 - Client Finished. The client goes ahead and sends over the encrypted pre_master_secret, lets the server know that it is changing over to use the master_secret, and proves that it knows the master secret by providing a cryptographic hash of all data sent over to the server.
Page 26: ... Spec, Finished. Figure 28 - Server Finished. The server ... sent over to the client. Once the client and server both verify the cryptographic hashes, the handshake process is done ... /TLS works in its most popular form: HTTPS. Using HTTPS with HP Jetdirect. Before we begin, we need a little info on the setup.
Page 27: Figure 29 - CA Hierarchy. The network is really simple and is composed of these CAs, a DNS server, a client, and an HP LaserJet MFP. Refer to Figure 30 - Network Diagram.
Page 28: ... an SSL server. In order to get SSL working properly, we are going to need to assign a certificate to the 4345MFP so that it can verify its identity correctly and pass all those checks that the client has to do. We'll use regular HTTP and go to the Jetdirect page where ...
Page 29: ... on the client) may be all that is needed for security. We can take a look at this certificate by pressing "View..." under the heading "Jetdirect Certificate". The subject and issuer names are the same; that is the first clue that it is a self-signed certificate. Because the self-signed is generated ...
Page 30: We see the RSA public key is 1024 bits for the self-signed certificate and that the certificate can be used for client and server authentication. We also see that the certificate has a signature, which means it has been signed (by itself in this case). Click OK and go back to the main screen.
Page 31: Under the heading "Jetdirect Certificate", press "Configure...".
Page 32: ... be entered, generate a certificate request with the public key that can be given to a CA. Jetdirect does not reveal the private key. Press "Next ->". Here we enter details to properly identify the Jetdirect device. Each customer will have different values here. After entering the values, press "Next ...
Page 33: Here is the certificate request. We are going to want to store it. We can cut/paste it or click "Save". Click "Save As".
Page 34: Store it in a directory on the client. Now we are going to bring up R2's CA web server.
Page 35: Enter the credentials that will allow a certificate to be issued. And here is R2's CA web server. Let's click the link "Request a Certificate".
Page 36: Click "advanced certificate request". Select the second link "Submit a certificate request....".
Page 37: ... box provided. We select a certificate template. This template is basically a "cookie cutter" for how to create a specific type of certificate. We have a template called "jetdirect" which has already been created. The only thing it really specifies is that the certificate can be used for Client and ...
Page 38: Save it. Bring up the certificate wizard on Jetdirect again by pressing "Configure...".
Page 39: Now we select "Install Certificate" and click "Next". Point it to the file obtained from the R2 CA. Click "Finish".
Page 40: Cool, it worked. Click "OK". Now let's view the contents of this certificate. We can see that the issuer is R2. We also see the Subject CN. This name will be important later on.
Page 41: ... and Web Client authentication. Let's use HTTPS. Everything should be fine, right? Wrong! The client has failed its server certificate checks. Why? It says that the Security Certificate was not issued by a trusted certificate authority. The browser's certificate store must not know about our ...
Page 42: Click "Download a CA certificate, certificate chain, or CRL". Select "Download CA Certificate Chain". This file will have both R2's and RootCA's public key certificates.
Page 43: Save it. Go to "Tools" and click "Internet Options".
Page 44: Click "Certificates".
Page 45: Click "Import...". Click "Next".
Page 46: Select the file. Click "Next".
Page 47: Select "Automatically select the certificate store....". Click "Next". Click "Finish".
Page 48: Press "Yes". Note the Security Warning message. Installing a CA public key certificate as a trusted Root CA is a big deal. You need to be very sure this is what you want to do. Click "OK".
Page 49: Select the tab "Intermediate Certification Authorities" and we can see that R2's public key certificate has been installed. Yea! Click the tab "Trusted Root Certification Authorities" and we see RootCA has been installed. Yea!
Page 50: Now we go back to the web page and still get an error!! No!! The problem is that we have a name mismatch. We are using the IP address in the ... to use the name that the certificate has. Time to create a DNS entry for the printer. Here is our DNS entry which matches the Subject CN in the certificate.
Page 51: We ping it just to be sure. Looks good. We go back to the web browser and enter the name instead of the IP address.
Page 52: Everything worked! Now SSL/TLS is working for HP Jetdirect just like it would work for an Internet secure shopping experience. A Detailed Look at the SSL/TLS Connection. Good stuff so far! Let's bring up ...
Page 53: We see the TCP connection is established to "https" or TCP port 443. The client is 192.168.0.25 and the web server is 192.168.0.20. We see the SSL "Client Hello" message. Notice the detail: TLSv1 "Record Layer" and "Handshake Protocol". Based upon our previous discussion, ...
Page 54: ... let's look at the server hello. Here we see a random number and the cipher suite selected to be used: TLS_RSA_WITH_RC4_128_MD5. We see the server's certificate. We can tell from the common name that it is the one we just assigned Jetdirect previously. This packet also contains the "Server Hello Done ...
Page 55: Here the client is sending over the pre_master_secret encrypted with the server's public key. It is also letting the server know it is changing keys to the ones derived from the master_secret. Same info coming from the server this time.
Page 56: Now we have actual client data; this is probably the initial HTTP request encapsulated in SSL/TLS. There was one check that wasn't done: the CRL. This check wasn't done because it is disabled by default. Going into the "Internet Options" under the Tools menu for IE7, we then click the Advanced tab ...
Page 57: "Check for server certificate revocation" is not selected.
Page 58: Let's select it and restart IE7. Here is another HTTPS connection to the same LJ4345MFP. Everything looks the same so far.
Page 59: Here we go: it looks like before any application data is sent, the CRL is checked using HTTP. This one is going to the RootCA. Another CRL request to R2.
Page 60: ... CRL, encrypted of course. A performance hit would occur when CRLs are checked. That is probably why it isn't checked by default. SSL/TLS Server Settings. HP Jetdirect has a couple of useful settings to control how SSL/TLS clients connect to it. Let's have a look. There are three main settings for ...
Page 61: ... that Jetdirect supports can be used, including ciphers that aren't considered as secure anymore. If the client can only support DES, Jetdirect ... HP Jetdirect acts as an SSL/TLS server. But wait, there's more! HP Jetdirect can also act as an SSL/TLS client when used by certain applications on a printer ...
Page 62: We are going to select Simple over SSL as the LDAP server bind method and use the IP address of 192.168.0.1, which is our LDAP server. We then scroll to the bottom and hit the "Test" button (not shown). We are asked for credentials and we provide them and hit OK.
Page 63: Error message: it didn't work. Let's look at a trace. Here we see Jetdirect taking on the role of the client. It initiates the connection and sends the Client Hello.
Page 64: ... we haven't talked about: the Certificate Request. The server is indicating to Jetdirect that it must send its certificate to the server to be validated. We are in good shape because Jetdirect already stored a certificate capable of doing Client and Server authentication. That is a good thing! Here we ...
Page 65: Because we have already stored the CA certificates in our browser's certificate store, we'll just export one and put it on Jetdirect. Let's take a look at it.
Page 66: Select R2 and hit "Export...". Click Next.
Page 67: Select DER. Click Next. Save it.
Page 68: Save it. Click "Finish".
Page 69: Under the heading "CA Certificate", click "Configure". Select Install and click "Next".
Page 70: Select the file. Click Finish. Click OK.
Page 71: The status for the CA Certificate is now "Installed". We try again and it still fails!
Page 72: Same message. What did we do wrong?
Page 73: We need the ROOT CA. Jetdirect cannot use Intermediate CAs. Back to the certificate store, and now let's export RootCA's public key certificate. Install it.
Page 74: Try again. Another failure! Let's check the trace. Here we get a "Certificate Unknown" message. Well, it could be we are using the IP address rather than the name. Let's check that.
Page 75: We use the DNS name and try again. Success!!
Page 76: ... has a SubjectAltName with a dNSName identifier. Remember that the server wanted Jetdirect's certificate too. It sent us a "Certificate Request" and we sent back our Certificate just like we would do if we were a server. Now the server has to perform the appropriate certificate validity checks.
Page 77: ... certificates on its flash file system. What Jetdirect needs to do is "Walk the Certificate Chain". Let's explain by reviewing our CA Hierarchy. Figure 31 - CA ... the dirty work of issuing certificates to various entities in the customer's network. The Root CA is then shut down and locked up in a secure ...
Page 78: Figure 32. Notice that R2's certificate is issued by RootCA. What does RootCA's certificate look like? Let's look at Figure 33.
Page 79: ... -signed". All Root CAs will be self-signed; these CAs represent the single point of trust. A logical question would be: "Which CA do I configure on Jetdirect?" Let's look at some diagrams. First, we have an incorrect configuration, as shown in Figure 34 - Incorrect ...
Page 80: INCORRECT! [Figure: LJ 4345MFP Info + hpprinter's Public Key, R2's Digital Signature, LJ 4345MFP's Identity Certificate.] Figure 34 - Incorrect HP Jetdirect CA Configuration. The Subordinate CA cannot be used as the CA certificate on Jetdirect! Now we can look at a correct configuration in Figure 35 - Correct ...
Page 81: ... Digital Signature, LJ 4345MFP's Identity Certificate. Figure 35 - Correct HP Jetdirect CA Configuration. Be sure the Root CA of your CA ... public key certificate configured on Jetdirect! Here is a question for you: when Jetdirect is acting as a client and receives the server's certificate signed by R2, ...
Page 82: ... the RootCA public key certificate. During the SSL/TLS handshake with the LDAP server, two certificates are sent back to Jetdirect. One is the LDAP Server's certificate and the other is the public key certificate for R2. Jetdirect stores them in its volatile memory and can begin to "walk the chain ...
Page 83: ... space for certificates, like HP Jetdirect. SSL/TLS Client: Certificates and Name Verification. You may remember that having "https://192.168.0.20" in the URL of the browser resulted in Internet Explorer 7 reporting a certificate problem, but that "https://NPIC1F319.example.internal" ended up with ...
Page 84: ... Name. Here we can see why the browser URL of "https://192.168.0.20" would fail to pass the certificate check but "https://NPIC1F319.example.internal" would not fail. This interesting fact comes as a surprise to most people: the IP address is not usually part of the certificate (Note: IP addresses ...
Page 85: ... the IP address of 192.168.0.1 and it failed. When we switched to w2003.example.internal, it passed. We can now see why. A name check was done between the FQDN specified for the LDAP server and the SubjectAlternativeName of type dNSName, whose syntax is very well known. The SubjectAlternativeName ...
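The chain walk on pages 77 to 82 and the SubjectAltName check on pages 84 and 85 are the two decisions a client makes before it trusts a server's certificate, and the whitepaper's two failures (R2 configured instead of RootCA; IP address typed instead of the DNS name) are each one of those checks failing. The Python below is an added example written for this page, not HP's or Jetdirect's code. It models the whitepaper's RootCA -> R2 -> server hierarchy with constructed certificates; so that it runs offline with only the standard library, HMAC tags stand in for the RSA signatures a real chain carries, and the "key" strings are constructed placeholders, not key material.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed toy PKI mirroring the whitepaper's hierarchy (RootCA -> R2 -> server).
# Toy signatures: an HMAC over the to-be-signed bytes keyed by the issuer's "key"
# string. Real X.509 uses RSA/ECDSA, verified with the issuer's public key; the
# walk logic is the same.


@dataclass
class Cert:
    subject: str
    issuer: str
    key: str                                  # constructed stand-in for a key pair
    san_dns: List[str] = field(default_factory=list)
    san_ip: List[str] = field(default_factory=list)
    signature: bytes = b""

    def tbs(self) -> bytes:
        """The 'to-be-signed' portion: everything the issuer vouches for."""
        return "|".join([self.subject, self.issuer, self.key,
                         ",".join(self.san_dns), ",".join(self.san_ip)]).encode()


def sign(cert: Cert, issuer_key: str) -> Cert:
    cert.signature = hmac.new(issuer_key.encode(), cert.tbs(), hashlib.sha256).digest()
    return cert


def signed_by(cert: Cert, issuer: Cert) -> bool:
    """Does the issuer's key verify cert's signature over its TBS bytes?"""
    expected = hmac.new(issuer.key.encode(), cert.tbs(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def walk_chain(leaf: Cert, presented: List[Cert],
               configured: List[Cert]) -> Tuple[bool, List[str]]:
    """Walk from the server's leaf certificate up to a configured trust anchor.
    `presented`: extra certificates the peer sent in the handshake (R2 above).
    `configured`: what the device stores. As on Jetdirect, only a self-signed
    root counts as an anchor, so configuring R2 alone leaves the walk with
    nowhere to stop and the check fails."""
    pool = {c.subject: c for c in presented}
    anchors = {c.subject: c for c in configured
               if c.subject == c.issuer and signed_by(c, c)}
    current, path = leaf, [leaf.subject]
    for _ in range(8):                        # bound the depth; no endless loops
        if current.issuer in anchors:
            root = anchors[current.issuer]
            if signed_by(current, root):
                return True, path + [root.subject]
            return False, path + ["bad signature from " + root.subject]
        parent = pool.get(current.issuer)
        if parent is None or not signed_by(current, parent):
            return False, path + ["no trusted issuer for " + current.subject]
        current, path = parent, path + [parent.subject]
    return False, path + ["chain too long"]


def name_matches(cert: Cert, host: str) -> bool:
    """Compare what the client typed against the SubjectAltName entries.
    An IP literal is matched only against iPAddress entries and a DNS name only
    against dNSName entries, so "192.168.0.1" fails against a certificate that
    carries just a dNSName, exactly as the LDAPS bind did in the whitepaper."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(a) == ip for a in cert.san_ip)
    host = host.lower().rstrip(".")
    for pattern in cert.san_dns:
        p = pattern.lower()
        if p.startswith("*."):                # a wildcard covers one label only
            if "." in host and host.split(".", 1)[1] == p[2:]:
                return True
        elif p == host:
            return True
    return False


def check_server(leaf: Cert, presented: List[Cert], configured: List[Cert],
                 host: str) -> Tuple[bool, str]:
    """The two checks a client must pass before trusting a server identity."""
    ok, path = walk_chain(leaf, presented, configured)
    if not ok:
        return False, "chain: " + " -> ".join(path)
    if not name_matches(leaf, host):
        return False, "name mismatch: %s not in SAN %s" % (host, leaf.san_dns + leaf.san_ip)
    return True, "trusted via " + " -> ".join(path)


# Constructed certificates (hypothetical key strings, not real key material).
ROOT = sign(Cert("RootCA", "RootCA", "rootca-secret"), "rootca-secret")
R2 = sign(Cert("R2", "RootCA", "r2-secret"), "rootca-secret")
LDAP = sign(Cert("w2003.example.internal", "R2", "ldap-secret",
                 san_dns=["w2003.example.internal"]), "r2-secret")
# Claims R2 as issuer but was signed by an unrelated key: the walk must reject it.
UNTRUSTED = sign(Cert("w2003.example.internal", "R2", "other-secret",
                      san_dns=["w2003.example.internal"]), "other-secret")

if __name__ == "__main__":
    for label, leaf, pres, conf, host in [
        ("root configured, DNS name", LDAP, [R2], [ROOT], "w2003.example.internal"),
        ("root configured, IP address", LDAP, [R2], [ROOT], "192.168.0.1"),
        ("only R2 configured", LDAP, [R2], [R2], "w2003.example.internal"),
        ("leaf signed by unrelated key", UNTRUSTED, [R2], [ROOT], "w2003.example.internal"),
    ]:
        print(label, check_server(leaf, pres, conf, host))
```

Run as a script, the four cases reproduce the whitepaper's sequence: only the first passes, the second fails the name check, the third fails because R2 is not self-signed and RootCA was never presented or configured, and the fourth fails at the signature step even though its issuer name is right. The depth bound and the requirement that an anchor be self-signed are the two choices a device with little certificate storage has to make explicit.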
Page 86: ... internal => 192.168.0.1 + TCP 636 => LDAPS certificate. That was easy, right? Well, things get more complicated due to a few factors: Server Farms, having multiple servers ... (if the CA supports issuing certificates in this form). For example, you can see how Jetdirect populates the organizational unit: ...
Page 87: ... is the FQDN of Jetdirect, but there is additional information provided in the Organizational Units (OU). This same approach could be used for server farms where there ... With Virtual Hosting, you have the opposite problem: many names but only one IP address. This causes a lot of grief, ...
Page 88: RFC2817 allows HTTP to be upgraded to use TLS, which would also solve this problem because it allows HTTP to specify the server name of interest first and then upgrade to run HTTP over TLS. An interesting idea, but support doesn't seem to be there for this feature in actual customer deployments ...
Page 89: ... /TLS can also be used to protect printing. HP Jetdirect supports IPP over TLS (henceforth, IPPS), but does not support any client authentication to control printing. Therefore, only server-side authentication using the digital certificate can be done. Using the same Jetdirect we've been using so far ...
Page 90: Click "Next". Select "A network printer...".
Page 91: Specify a URL of HTTPS and be sure to end it with "/ipp" so Jetdirect knows what it is for. Select the appropriate driver.
Page 92: Click "Finish". Now we have a printer. Right-click and select Properties.
Page 93: Print a test page. Yep, we have our print data protected by SSL/TLS.
Page 94: ... SSL/TLS. Here are some guidelines for issuing digital certificates to an HP Jetdirect: There is only one Identity certificate on HP Jetdirect, so supporting multiple certificates and things of that nature when Jetdirect is an SSL/TLS server are not an issue at the present time. Because there is ...
Page 95: ... some popular HP Jetdirect products that do support SSL/TLS. This is not a comprehensive list and, as always, be sure to upgrade your Jetdirect to the latest firmware available for the best experience (http://www.hp.com/go/wja_firmware). EIO print servers 610n, 615n, 620n, 625n, 630n, 635n with the ...
HP Jetdirect and SSL/TLS
June 2008

Table of Contents:
Introduction ..... 1
What is SSL/TLS? ..... 2
HTTPS Decoded ..... 3
Digital Certificates ..... 9
Public Key Infrastructure and Public Key Certificate Basics ..... 12
SSL/TLS Protocol Basics ..... 20
Using HTTPS with HP Jetdirect ..... 26
A Detailed Look at the SSL/TLS Connection ..... 52
SSL/TLS Server Settings ..... 60
HP Jetdirect as an SSL/TLS Client ..... 61
SSL/TLS Client: Understanding Certificate Chains ..... 77
SSL/TLS Client: Certificates and Name Verification ..... 83
IPP over SSL/TLS ..... 89
HP Jetdirect Certificate Guidelines ..... 94
Embedded Devices and Digital Certificates ..... 94
Which HP Jetdirect Products Support SSL/TLS? ..... 95
Summary ..... 95
Introduction

HP Jetdirect introduced SSL/TLS support in early 2002 with the 615n EIO Print Server. A free firmware upgrade allowed the 610n EIO print server, shipped in 2000, the same capability. Suddenly, a few million HP Jetdirect EIO cards had SSL/TLS capability. Why?

The answer was secure management. HP printing and imaging devices were becoming more complex and more feature oriented. They were becoming valuable assets to a company's infrastructure. Having the ability to use a browser to manage a device using HTTP was one thing; using the same browser and using HTTPS to manage it securely was a great benefit. Unfortunately, many users of HTTPS are under a false sense of security because they have not deployed SSL/TLS
whitepaper