No subject


Wed Mar 2 09:44:18 PST 2011


  2011-03-03 13:04:49,904 DEBUG: Querying openprinting.org database...
  2011-03-03 13:04:49,904 DEBUG:    ... querying for MFG:Epson;MDL:Stylus N=
X110;
  2011-03-03 13:04:56,203 DEBUG: OpenPrintingDriverDB: driver driver/epson-=
stylus-nx110-series info: {'nonfreesoftware': True, 'name': 'epson-stylus-n=
x110-series', 'license': 'LGPL and SEIKO EPSON CORPORATION SOFTWARE LICENSE=
 AGREEMENT', 'url': 'http://avasys.jp/english/linux_e/', 'thirdpartysupplie=
d': False, 'supportcontacts': [{'url': 'http://avasys.jp/english/linux_e/co=
ntact/', 'name': 'AVASYS Corporation', 'level': 'voluntary'}], 'recommended=
': True, 'functionality': {'text': '100', 'lineart': '100', 'photo': '100',=
 'graphics': '100'}, 'manufacturersupplied': True, 'licensetext': u'License=
 agreement fo..', 'supplier': 'Seiko Epson Corporation', 'freesoftware': Fa=
lse, 'packages': {'i386': {'epson-inkjet-printer-stylus-nx110-series_1.0.0-=
1lsb3.2_i386.deb': {'url': 'http://linux.avasys.jp/drivers/lsb/epson-inkjet=
/stable/debian/dists/lsb3.2/main/binary-i386/epson-inkjet-printer-stylus-nx=
110-series_1.0.0-1lsb3.2_i386.deb', 'pkgsys': 'deb', 'repositories': {'apt'=
: 'deb http://linux.avasys.jp/drivers/lsb/epson-inkjet/stable/debian/ lsb3.=
2 main'}, 'version': '1.0.0', 'fingerprint': 'https://linux.avasys.jp/drive=
rs/lsb/epson-inkjet/key/fingerprint', 'release': '1', 'realversion': '1.0.0=
'}}}, 'shortdescription': 'Epson Inkjet Printer Driver for Linux', 'patents=
': False}
  2011-03-03 13:04:56,252 WARNING: https://linux.avasys.jp/drivers/lsb/epso=
n-inkjet/key/fingerprint has invalid certificate, ignoring driver: Host 172=
.xx.xx.xx:8080 returned an invalid certificate (_ssl.c:499: error:140770FC:=
SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol)
=09
  2011-03-03 13:04:56,252 DEBUG: Ignoring driver as it does not have a vali=
d GPG fingerprint
  2011-03-03 13:04:56,253 DEBUG: openprinting.org database query finished

We've chased the WARNING statement down to the connect method of
_CertValidatingHTTPSConnection in jockey's verified_https.py

   def connect(self):
        sock =3D socket.create_connection((self.host, self.port))
        self.sock =3D ssl.wrap_socket(sock, cert_reqs=3Dssl.CERT_REQUIRED,
                                          ca_certs=3Dself.ca_certs)
        cert =3D self.sock.getpeercert()
        hostname =3D self.host.split(':', 0)[0]
        if not self._validate_certificate_hostname(cert, hostname):
            raise InvalidCertificateException(hostname, cert,
                                              'hostname mismatch')

The ssl.wrap_socket raises an ssl.SSLError.  What puzzles us is that
this method creates a connection to the _proxy_ rather than to the host
where the fingerprint resides.  The wireshark capture for a wget went
straight to the latter host and negotiated TLSv1 with the proxy on the
fly.

We've also played with passing different ssl_version parameters to
ssl.wrap_socket but that didn't help.  We're not sure whether this
method negotiates a usable version but if it doesn't that something that
probably needs fixing as well.

Hope this helps,
--=20
Olaf Meeuwissen, LPIC-2           FLOSS Engineer -- AVASYS CORPORATION
FSF Associate Member #1962               Help support software freedom
                 http://www.fsf.org/jf?referrer=3D1962


More information about the Printing-architecture mailing list