Printer can't communicate with webserver

magis010

Hello,

I have a printer (HP OfficeJet Pro 8720), but the scan to mail option is giving errors like it can't find the host or can't make a secure connection.

I have tried ports 587 and 465. What is going on with the settings from my webserver? (It worked in the past until some update.)
On my phone there is no issue within the same network, so it's only my printer that seems to be making an issue from the mail thing.


Who knows how to solve this once and for all?

Thanks
 
Ah yes... I know that one. Had the same issue with one of my customers.
Various HP printers do not support the modern TLS protocols. Which means if you have set the ssl options to anything better than intermediate, you will encounter this issue.
This should not be set to anything stronger in options.conf.
ssl_configuration=intermediate

To detect if you have the issue, check the output of this command:
nmap --script ssl-enum-ciphers -p 465 127.0.0.1

You should have something like this:
Code:
Host is up (0.00013s latency).
PORT    STATE SERVICE
465/tcp open  smtps
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

If you are missing the first 2 AES lines, then you have found your printer issue.

First request a new hostname certificate for your server and see if that fixes things:
/usr/local/directadmin/scripts/letsencrypt.sh request_single hostname.domain.com 4096

Then check again and see if the ciphers are present again. If yes, your printer should be able to use the scan to e-mail function again.
 
My config is looking like this:
Code:
ssl=1
ssl_cipher=HIGH:!aNULL:!MD5
ssl_configuration=intermediate
ssl_redirect_host=web1.axcz.nl


And the SSH thing looks like this:
Code:
[root@web1 ~]# nmap --script ssl-enum-ciphers -p 465 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2022-12-05 17:04 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).

PORT    STATE SERVICE
465/tcp open  smtps
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange (ecdh_x25519) of lower strength than certificate key
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.98 seconds

Do I need to do anything else?

* I ran the command, it works now. THANKS!
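
As an added example (not part of the original posts), this script automates the check described in the reply: it reads `ssl-enum-ciphers` output and reports which of the four suites listed in the reply are missing, and whether the offered suites are RSA or ECDSA authenticated. The function names are made up for illustration, and the embedded sample is constructed from the cipher lines of the poster's scan above.

```shell
#!/bin/sh
# Added example (not from the thread): check ssl-enum-ciphers output for the
# four suites listed in the reply and show which certificate types are offered.

WANTED="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

# Print each offered suite name once; cipher lines look like
# "|       TLS_..._SHA256 (ecdh_x25519) - A" or "|       TLS_..._SHA256 - strong".
offered_suites() {
    sed -nE 's/^\|[[:space:]]+(TLS_[A-Z0-9_]+).*/\1/p' | sort -u
}

# Print the wanted suites that the scan on stdin does not offer.
missing_suites() {
    offered=$(offered_suites)
    for suite in $WANTED; do
        printf '%s\n' "$offered" | grep -qxF "$suite" || printf '%s\n' "$suite"
    done
}

# Print the authentication part of the suite names (RSA and/or ECDSA), which
# in TLS 1.2 reflects the key type of the certificate the server presents.
auth_types() {
    offered_suites | sed -nE 's/^TLS_([A-Z]+_)?(RSA|ECDSA)_WITH_.*/\2/p' | sort -u
}

# Constructed sample: the cipher lines from the poster's scan in this thread.
poster_scan() {
    cat <<'EOF'
465/tcp open  smtps
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|_  least strength: A
EOF
}

echo "missing: $(poster_scan | missing_suites | tr '\n' ' ')"
echo "certificate types offered: $(poster_scan | auth_types | tr '\n' ' ')"
```

On a live server, replace `poster_scan` with the real scan, for example `nmap --script ssl-enum-ciphers -p 465 127.0.0.1 | missing_suites`; an empty result means all four suites from the reply are offered.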
 