SSL Connection Issues with some Xerox devices and PaperCut
In PaperCut version 14 the underlying Java Runtime Environment (JRE) was upgraded from version 6 to version 7, and in version 15.2 the JRE was upgraded to version 8.
These runtime upgrades tighten security settings and defaults at multiple points in the software stack and have been found to cause interoperability issues with some Xerox devices.
The new security policies affect SSL communication between some devices and the PaperCut application server and may result in aborted SSL handshakes and, consequently, non-functional logins from the device.
There are several variants of the problem.
Please note that references to <app-path> below refer to the path used for the PaperCut installation such as
C:\Program Files\PaperCut MF\
Before applying any of the manual workarounds below, it is highly recommended to ensure that the latest firmware has been applied first. Only apply the recommended changes where the MFP does not provide new firmware updates that resolve the issues.
Outbound SSL Communication Broken (PaperCut => Xerox Device)
NOTE: The default settings to correct the Outbound SSL Communication problem have been corrected in version 14.0 (build 26241) and later.
The variant of the Outbound SSL communication issue presents in the following manner:
Logins fail from the device
Debug log of the application server may show:
java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
This problem is caused by the use of older types of X.509/SSL certificates on the device. In Java 7, certificates using the MD2 signature or those using RSA keys of less than 1024 bits are rejected by default as a security measure.
Certificates on the device may be upgraded to use stronger parameters, or the Java security policy may be adjusted to allow them back again.
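The following added example (not PaperCut or Oracle code) models, in simplified form, how the JRE's jdk.certpath.disabledAlgorithms property in java.security leads to the rejection described above, so a device certificate's parameters can be checked before deciding between reissuing it and relaxing the policy. The property value and the certificate parameters are constructed samples, and the name decomposition is an approximation of the JRE's own matching.

```python
import re

# Constructed java.security excerpt mirroring the restrictions described above.
SAMPLE_JAVA_SECURITY = """\
jdk.certpath.disabledAlgorithms=MD2, \\
    RSA keySize < 1024
"""
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
       "==": lambda a, b: a == b, "!=": lambda a, b: a != b}


def read_property(text, name):
    """Return a property value, joining backslash-continued lines."""
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    for line in joined.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#") and key.strip() == name:
            return value.strip()
    return ""


def parse_constraints(value):
    """Split 'MD2, RSA keySize < 1024' into (algorithm, op, bits) tuples."""
    rules = []
    for entry in filter(None, (e.strip() for e in value.split(","))):
        m = re.fullmatch(r"(\S+)\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)", entry)
        rules.append((m.group(1).upper(), m.group(2), int(m.group(3))) if m
                     else (entry.upper(), None, None))
    return rules


def rejection_reasons(sig_alg, key_alg, key_bits, rules):
    """List the constraints a certificate violates; empty means accepted."""
    # Simplified decomposition: 'MD2withRSA' -> {'MD2', 'RSA'}.
    parts = {p.upper() for p in re.split(r"with|and", sig_alg, flags=re.I)}
    reasons = []
    for alg, op, bits in rules:
        if op is None and alg in parts:
            reasons.append(alg)
        elif op and alg == key_alg.upper() and OPS[op](key_bits, bits):
            reasons.append(f"{alg} keySize {op} {bits}")
    return reasons


RULES = parse_constraints(
    read_property(SAMPLE_JAVA_SECURITY, "jdk.certpath.disabledAlgorithms"))
# Constructed device certificates: (signature algorithm, key type, key bits).
for cert in [("MD2withRSA", "RSA", 2048), ("SHA1withRSA", "RSA", 512),
             ("SHA1withRSA", "RSA", 1024)]:
    print(cert, "->", rejection_reasons(*cert, RULES) or "accepted")
```

The signature algorithm and key size of a device's certificate can be read with keytool -printcert and fed to rejection_reasons.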
For information about increased security settings on the JRE please refer to the Java release notes which can be found here (under Default x.509 Certificates Have Longer Key Length):
Outbound SSL Communication Broken (PaperCut => Xerox Device) (Scenario 2)
Affects older devices such as Xerox 4112/5225, Xerox Color 550
Logins fail from the device
If the debug log of the application server shows:
java.net.SocketException: Unexpected end of file from server
The Java 7+ runtime prefers stronger cryptographic ciphers during SSL handshakes; for example, it prioritizes AES-based ciphers ahead of 3DES. It seems that use of AES is problematic on these models.
NOTE: Any manual workarounds performed on the java.security file may need to be re-applied on subsequent upgrades of the application server.
Inbound SSL Communication Broken (Xerox Device => PaperCut) (SHA2)
NOTE: The default settings to correct the Inbound SSL Communication problem have been corrected in version 14.0 (build 26241) and later.
The variant of the Inbound SSL communication issue presents in the following manner:
This problem was observed on Xerox models using a Fuji controller (e.g. Xerox 5330).
SSL handshakes are terminated by the device after login or other connections are initiated.
The problem occurs because Java upgraded the default signature algorithm for X.509/SSL certificates to SHA-2.
Certificates automatically generated during new installs of PaperCut v14 (build 25901) used SHA-2 by default; these are not compatible with these devices and cause connectivity errors.
Any custom-issued certificates using SHA-2 signatures would be problematic as well.
Upgrades and installations of builds after 25901 that use automatically generated certificates do not need the below workaround.
Manual Workaround for installs using SHA2 certificates if no firmware update is available:
Manually recreate the default certificate for the application keystore file found below with certificates using SHA-1 by using the keytool utility:
Replace the default keystore with a generic keystore which can be obtained by requesting the “default-ssl-keystore” when contacting support.
Updating to the latest firmware/SPAR from Xerox
We have encountered several generic connectivity problems between Xerox devices and PaperCut, where connections were unreliable or were aborted. These were resolved after applying the latest (yet to be officially published) firmware/SPAR from Xerox.
It is highly recommended to be on the most recent firmware when troubleshooting Xerox SSL issues. Recently, the unpublished firmware from December 2013 has resolved several reported stability issues, in addition to the above workarounds, when using PaperCut MF.