Configure how the Print Provider communicates over HTTPS

PaperCut NG and PaperCut MF offer you the ability to configure the Print Provider (the component that tracks and controls print jobs) to communicate over HTTPS. 

The following types of configurations are available:

• TLS minimum versions
• TLS maximum versions
• Ciphers
• Strict SSL certificate checking
• Self-signed certificate use
• HTTPS ports
• Custom certificate stores on Linux operating systems

How to change the configuration

All configuration is controlled by the print-provider.conf file located in the Print Provider, Secondary Print Provider, or Direct Print Monitor installation directory, examples include:

Windows

• C:\Program Files\PaperCut MF\providers\print\win\
• C:\Program Files\PaperCut NG\providers\print\win\

macOS

• /Applications/PaperCut MF/providers/print/mac/
• /Applications/PaperCut NG/providers/print/mac/

linux (64-bit)

• /home/papercut/providers/print/linux-x64/

This file requires administrator privileges to change, either elevation through UAC on Windows or sudo/root access on macOS and Linux. You must also restart the Print Provider after making changes to this file.

Basic reference configuration

To enable HTTPS, set the following in the print-provider.conf file:

• TLS=on
• ApplicationServerPort=9195
• Leave #TLSVerifyCertificate commented out.

For example:

ApplicationServer=127.0.0.1
ApplicationServerPort=9195
TLS=on
#TLSVerifyCertificate=true

Strict Secure reference configuration

Enabling HTTPS is done by setting the following in the print-provider.conf file:

• TLS=on
• TLSVerifyCertificate=true
• ApplicationServerPort=9195
• Configuring a FQDN in the ApplicationServer key.

For example:

ApplicationServer=printserver.company.tld
ApplicationServerPort=9195
TLS=on
TLSVerifyCertificate=true

TLSv1.3 minimum reference configuration

To configure the Print Provider to use a minimum of TLS 1.3 you must first “enable strong defaults” in the PaperCut NG/MF Application server as described here: SSL Cipher Configuration - removing weak ciphers .

Once server.ssl.using-strong-defaults has been set and the PaperCut Application Server service has been restarted you will be able to use TLS 1.3.

ApplicationServer=printserver.company.tld
ApplicationServerPort=9195
TLS=on
TLSMinProtocolVersion=TLSv1.3
TLSMaxProtocolVersion=TLSv1.3

Custom Cipher reference configuration

If your organization has a need to specify a list of ciphers or suite of ciphers for use by your organization then this can be configured with the TLSCipherSuites key. Please refer to the curl website documentation for a starting place to generate an appropriate string of cipher names to use: curl.se - SSL Ciphers .

Example:

TLSCipherSuites="NULL-SHA256 AES128-SHA256 AES256-SHA256 AES128-GCM-SHA256
AES256-GCM-SHA384 DH-RSA-AES128-SHA256 DH-RSA-AES256-SHA256 DH-RSA-AES128-GCM-SHA256
DH-RSA-AES256-GCM-SHA384 DH-DSS-AES128-SHA256 DH-DSS-AES256-SHA256 DH-DSS-AES128-GCM-SHA256
DH-DSS-AES256-GCM-SHA384 DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384 DHE-DSS-AES128-SHA256 DHE-DSS-AES256-SHA256 DHE-DSS-AES128-GCM-SHA256
DHE-DSS-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ADH-AES128-SHA256 ADH-AES256-SHA256
ADH-AES128-GCM-SHA256 ADH-AES256-GCM-SHA384 AES128-CCM AES256-CCM DHE-RSA-AES128-CCM
DHE-RSA-AES256-CCM AES128-CCM8 AES256-CCM8 DHE-RSA-AES128-CCM8 DHE-RSA-AES256-CCM8
ECDHE-ECDSA-AES128-CCM ECDHE-ECDSA-AES256-CCM ECDHE-ECDSA-AES128-CCM8 ECDHE-ECDSA-AES256-CCM8"

Line breaks have been added for readability.

In-built defaults

23.0.x and later

Below are the default contents of the print-provider.conf for new installations. They are intended to provide sensible defaults as you progressively configure your PaperCut NG/MF installation.

The default behavior of the application when a configuration key is not present or is commented out is included for each key. Full details are available below:  Detailed default configuration .

• ApplicationServer=127.0.0.1 - localhost
• #ApplicationServerPort=9191 - 9191 (HTTP)
• #TLS=on - false/off
• #TLSMinProtocolVersion=TLSv1.2 - TLSv1.2
• #TLSMaxProtocolVersion=TLSv1.3 - TLSv1.2
• #TLSVerifyCertificate=true - false/off
• #TLSCipherSuites="" - ""
• (Linux only) #TLSCABundlePath=/etc/ssl/certs/ca-certificates.crt - the following locations will be used by default:
  • /etc/ssl/certs/ca-certificates.crt (available in most Debian based distributions)
  • /etc/ssl/certs/ca-bundle.crt (available in most Redhat based distributions)

Frequently Asked Questions

I only have one print server and no direct printing clients. Do I need to enable this?

Enabling HTTPS communication is best practice.

By default, the print-provider.conf has the following configured defaults:

• ApplicationServer=127.0.0.1
• #ApplicationServerPort=9191
• #TLS=on
• #TLSVerifyCertificate=true

This means you need only change the ApplicationServerPort to 9195 and TLS to on.

Can I use HTTPS with Site Servers?

Yes, with one caveat: you must use consistent HTTPS ports across Site Servers and Application Servers. If 9195 or 9192, or even 443 are used for an Application Server, you must use the same combination on a Site Server.

How do I know HTTPS is enabled?

You can verify that the Print Provider is using HTTPS (TLS) by opening the print-provider.log in your preferred log reader and looking for the startup log entry that looks similar to:

2023-08-29 16:34:00,529 INFO : PCPrintService.cpp:154 - Starting print
provider service. Version: 109.32.0.7139-BE41B33 (bundled with 22.1.4.67128), Arch:
x64, PID: 23000, Hostname: print-server, AppServer: print-server.company.tld:9192,
User: SYSTEM, Direct printing mode: off, Serverless printing mode: off TLS: true, 
Verify certificate: true [16576]

Line breaks have been added for readability.

How do I enable strict SSL checking?

To ensure that only CA signed certificates are trusted, set  TLSVerifyCertificate=true 

How do I enable CRLs?

Certificate revocation list (a list of certificates that have been revoked by issuing Certificate Authorities or CRLs) are being phased out in general use due to various technical issues and as such are not supported.

Print Deploy configuration

Please refer to the Print Deploy documentation: Configure the Direct Print Monitor for large sites .

Troubleshooting

A good place to start diagnosing an issue when configuring how the Print Provider uses HTTPS is it’s print-provider.log located below:

Windows:

• C:\Program Files\PaperCut MF\providers\print\win\
• C:\Program Files\PaperCut NG\providers\print\win\

macOS:

• /Applications/PaperCut MF/providers/print/mac/
• /Applications/PaperCut NG/providers/print/mac/

linux: (64bit)

• /home/papercut/providers/print/linux-x64/

By default the amount of logging is limited. Debug logging can be enabled as per this KB article: How to Enable Debug (collect logs) in the Print Provider . Debug logging will create much more information in the log file. Once things are working again it can be turned off.

SSL connect error log entry

2023-09-07 16:46:58,870 ERROR: https.c:469 - Send HTTP request: tried 0 time and failed: method=POST, URL=https://printserver.company.tld:9191/rpc/providers/xmlrpc, last error=SSL connect error [21472]

In this specific example a HTTPS connection has been attempted on the default HTTP port. Update the ApplicationServerPort key to a HTTPS port 9195 (default port).

SSL peer certificate or SSH remote key was not OK log entry

2023-09-07 16:56:44,662 ERROR: https.c:469 - Send HTTP request: tried 0 time and failed: method=POST, URL=https://print-server.company.tld:9195/rpc/providers/xmlrpc, last error=SSL peer certificate or SSH remote key was not OK [16052]

In this specific example a HTTPS connection has been attempted on the default HTTPS port and has failed due to a certificate verification check failure. This indicates that certificate used in the PaperCut NG/MF Application server is not trusted by the client, either because it is a self-signed certifcate and TLSVerifyCertificate=true has been incorrectly set or the certificate in use is no longer valid (expired, incorrect clocks, untrusted-root certificates).

Opening a browser to https://print-server.company.tld:9195 will give more details on the certificate status.

Microsoft Windows support for TLSv1.3

In Windows environments you must be running Windows 11 or Windows Server 2022 to support TLSv1.3. This is documented by Microsoft here: Protocols in TLS/SSL (Schannel SSP)