SSL Connection Issues with some Xerox devices and PaperCut
In PaperCut version 14 the underlying Java Runtime Environment (JRE) was upgraded from version 6 to version 7, and in version 15.2 the JRE was further upgraded to version 8. These runtime upgrades tighten security settings and defaults at multiple points in the software stack and have been found to cause interoperability issues with some Xerox devices.
The new security policies affect SSL communication between some devices and the PaperCut application server and may result in aborted SSL handshakes and, consequently, in non-functional logins from the device.
There are several variants of the problem.
Please note that references to <app-path> below refer to the path used for the PaperCut installation, such as
C:\Program Files\PaperCut MF\
Before applying any of the manual workarounds below, it is highly recommended to ensure that the latest firmware has been applied first. Only apply the recommended changes where no newer firmware update for the MFP resolves the issue.
Outbound SSL Communication Broken (PaperCut => Xerox Device)
NOTE: The default settings to correct the Outbound SSL Communication problem have been corrected in version 14.0 (build 26241) and later.
The variant of the Outbound SSL communication issue presents in the following manner:
- Logins fail from the device
- Debug log of the application server may show:
java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
- This problem is caused by the use of older types of X.509/SSL certificates on the device. In Java 7, certificates signed with MD2 or using RSA keys shorter than 1024 bits are rejected by default as a security measure.
- Certificates on the device may be upgraded to use stronger parameters or the Java security policy adjusted to allow them back again.
For information about increased security settings on the JRE please refer to the Java release notes which can be found here (under Default x.509 Certificates Have Longer Key Length):
http://www.oracle.com/technetwork/java/javase/7u40-relnotes-2004172.html
Manual Workaround for version 14.0 (build 25901) if no firmware update is available:
To adjust security policy to continue allowing these certificates to be used:
- Edit the java.security file
Windows, 32-bit systems: <app-path>\runtime\jre\lib\security\java.security
Windows, 64-bit systems: <app-path>\runtime\win64\jre\lib\security\java.security
Mac: <app-path>/runtime/mac/jre/Contents/Home/jre/lib/security/java.security
- Locate the following line:
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
- Comment the line out by prefixing it with #, or blank out its value:
#jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
or
jdk.certpath.disabledAlgorithms=
- Save and restart the application server
Outbound SSL Communication Broken (PaperCut => Xerox Device) (Scenario 2)
- Affects older devices such as Xerox 4112/5225, Xerox Color 550
- Logins fail from the device
- If the debug log of the application server shows:
java.net.SocketException: Unexpected end of file from server
- The Java 7+ runtime prefers stronger cryptographic ciphers during SSL handshakes; for example, it prioritizes AES-based ciphers ahead of 3DES. Use of AES appears to be problematic on these models.
- If the debug log of the application server shows:
java.net.SocketException: Software caused connection abort: recv failed
java.net.ssl.SSLException: Received fatal alert: bad_record_mac
NOTE: If you’re using Fuji Xerox photocopiers, there have been cases where updating to the latest available firmware resolves this issue. Reach out via https://support.papercut.com
- The Java 8 runtime prefers the TLS 1.2 protocol for client (outbound) connections.
- The Java 8 runtime prioritises the 3DES cipher ahead of RC4, which is now deprecated. Use of 3DES appears to be problematic on some models.
Manual Workaround for the AES issue on version 14.0 (build 25901+) and the other issues on version 15.2 (build 33661+) if no firmware update is available:
Adjust the Java security policy to exclude the problematic protocols and cipher suites from being used in SSL handshakes:
- Edit the java.security file:
Windows, 32-bit systems: <app-path>\runtime\jre\lib\security\java.security
Windows, 64-bit systems: <app-path>\runtime\win64\jre\lib\security\java.security
Mac: <app-path>/runtime/mac/jre/Contents/Home/jre/lib/security/java.security
- Locate the following line:
jdk.tls.disabledAlgorithms=
- Add the following protocols and ciphers to the line according to the affected devices:
For AES-incompatible devices, add the AES-based cipher suite to the line, e.g.:
jdk.tls.disabledAlgorithms=TLS_RSA_WITH_AES_128_CBC_SHA
For TLS 1.1+ and/or 3DES-incompatible devices, add the following to the line, e.g.:
jdk.tls.disabledAlgorithms=TLSv1.1,TLSv1.2,DESede
If your organization has BOTH AES-incompatible AND TLS 1.1+/3DES-incompatible devices, add the following to the line, e.g.:
jdk.tls.disabledAlgorithms=TLSv1.1,TLSv1.2,DESede,TLS_RSA_WITH_AES_128_CBC_SHA
- Save and restart the application server
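Both java.security workarounds above (commenting out jdk.certpath.disabledAlgorithms for the certificate-constraint failure, and adding protocols or cipher suites to jdk.tls.disabledAlgorithms for the handshake failures) are single-line edits that get lost on every upgrade. The following script is an added example, not PaperCut's own tooling: it applies either edit to the text of a java.security file, is idempotent (re-running it after an upgrade restores the stock file adds nothing twice), and exposes the resulting property values so they can be checked. The sample file excerpt, the DEVICE_PROFILES keys and the script name in the usage comment are constructed for the example; the entries themselves are the ones the article lists.

```python
"""Hypothetical helper (not PaperCut's own tooling) that applies the two
java.security workarounds described above to the file's text:

  * comment out jdk.certpath.disabledAlgorithms (Outbound, scenario 1)
  * append protocols/ciphers to jdk.tls.disabledAlgorithms (scenario 2)

Both edits are idempotent, so the script can be re-run after an upgrade of
the application server restores the stock file.
"""
import re
import sys

# Constructed excerpt of a stock Java 7/8 java.security file; only the two
# properties the workarounds touch are reproduced.
SAMPLE_JAVA_SECURITY = """\
# Algorithm restrictions for certification path (CertPath) processing
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
jdk.tls.disabledAlgorithms=
"""

# Entries taken from the article, keyed by the device incompatibility
# (the key names are this example's own).
DEVICE_PROFILES = {
    "aes_incompatible": ["TLS_RSA_WITH_AES_128_CBC_SHA"],
    "tls11_or_3des_incompatible": ["TLSv1.1", "TLSv1.2", "DESede"],
}
DEVICE_PROFILES["both"] = (
    DEVICE_PROFILES["tls11_or_3des_incompatible"]
    + DEVICE_PROFILES["aes_incompatible"]
)

_CERTPATH_LINE = re.compile(r"^jdk\.certpath\.disabledAlgorithms=.*$", re.MULTILINE)
_TLS_LINE = re.compile(r"^jdk\.tls\.disabledAlgorithms=(.*)$", re.MULTILINE)


def _split_list(value):
    """Split a comma-separated property value into its trimmed entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def certpath_constraints_active(text):
    """True while an uncommented jdk.certpath.disabledAlgorithms line exists."""
    return _CERTPATH_LINE.search(text) is not None


def disable_certpath_constraints(text):
    """Comment out the certpath line with a leading '#'; no-op if already done."""
    return _CERTPATH_LINE.sub(lambda m: "#" + m.group(0), text, count=1)


def tls_disabled_algorithms(text):
    """Return the entries currently listed in jdk.tls.disabledAlgorithms."""
    match = _TLS_LINE.search(text)
    return _split_list(match.group(1)) if match else []


def add_tls_disabled_algorithms(text, entries):
    """Append entries to jdk.tls.disabledAlgorithms, keeping existing ones
    and skipping duplicates. Raises if the property line is missing."""
    match = _TLS_LINE.search(text)
    if match is None:
        raise ValueError("jdk.tls.disabledAlgorithms line not found")
    current = _split_list(match.group(1))
    for entry in entries:
        if entry not in current:
            current.append(entry)
    new_line = "jdk.tls.disabledAlgorithms=" + ", ".join(current)
    return text[:match.start()] + new_line + text[match.end():]


def apply_workarounds(text, profile):
    """Apply both edits for the given DEVICE_PROFILES key and return new text."""
    text = disable_certpath_constraints(text)
    return add_tls_disabled_algorithms(text, DEVICE_PROFILES[profile])


if __name__ == "__main__":
    # Usage: python fix_java_security.py <profile> [path/to/java.security]
    # With no path, the constructed sample is edited and printed instead.
    profile = sys.argv[1] if len(sys.argv) > 1 else "both"
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8") as fh:
            original = fh.read()
        updated = apply_workarounds(original, profile)
        with open(sys.argv[2], "w", encoding="utf-8") as fh:
            fh.write(updated)
        print("updated", sys.argv[2], "->", tls_disabled_algorithms(updated))
    else:
        print(apply_workarounds(SAMPLE_JAVA_SECURITY, profile))
```

Both properties are JVM-wide: disabling TLSv1.2 or 3DES affects every outbound TLS connection the application server makes (directory servers, payment gateways, web services), not only the connection to the printer, and re-admitting MD2 or short RSA certificates weakens certificate validation for all of them. Apply the narrowest profile that the affected devices need, keep a record of the change, and revert it once a firmware update makes it unnecessary.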
NOTE: Any manual workarounds performed on the java.security file may need to be re-applied on subsequent upgrades of the application server.
Inbound SSL Communication Broken (Xerox Device => PaperCut) (SHA2)
NOTE: The default settings to correct the Inbound SSL Communication problem have been corrected in version 14.0 (build 26241) and later.
The variant of the Inbound SSL communication issue presents in the following manner:
- This problem was observed on Xerox models using a Fuji controller (e.g. Xerox 5330).
- SSL handshakes are terminated by the device after login or other connections are initiated.
- The problem occurs because Java upgraded the default signature algorithm for X.509/SSL certificates to SHA-2.
- Certificates automatically generated during new installs of PaperCut v14 (build 25901) used SHA-2 by default; these are not compatible with these devices and cause connectivity errors.
- Any custom issued certificates using SHA2 signatures would be problematic as well.
- Upgrades and installations of builds after 25901 that use automatically generated certificates do not need the below workaround.
Manual Workaround for installs using SHA2 certificates if no firmware update is available:
- Manually recreate the default certificate in the application keystore file at the path below, using a SHA-1 signed certificate created with the keytool utility:
<app-path>\server\data\default-ssl-keystore
- Replace the default keystore with a generic keystore which can be obtained by requesting the “default-ssl-keystore” when contacting support.
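The keytool step above is not spelled out, so here is an added example of doing it, not PaperCut's own tooling: it generates a fresh keystore whose self-signed certificate carries a SHA-1 (SHA1withRSA) signature, then reads the signature algorithm back with keytool -list so the result can be confirmed before the file is copied over <app-path>\server\data\default-ssl-keystore. keytool and its flags are the standard JRE utility; the alias, password and subject are placeholders and must be replaced with the values the application server is configured to open the keystore with (the article does not give them).

```python
"""Hypothetical helper (not PaperCut's own tooling) for the Inbound SSL
workaround: generate a replacement keystore whose self-signed certificate is
signed with SHA-1 (SHA1withRSA) rather than SHA-2, then read the signature
algorithm back to confirm it before the file is copied over
<app-path>\\server\\data\\default-ssl-keystore.

The alias, password and subject below are placeholders; the real alias and
password must match what the application server expects.
"""
import os
import shutil
import subprocess
import tempfile

KEYSTORE_ALIAS = "REPLACE_WITH_ALIAS"          # placeholder
KEYSTORE_PASSWORD = "REPLACE_WITH_PASSWORD"    # placeholder (keytool needs >= 6 chars)
CERT_DNAME = "CN=papercut.example.invalid"     # placeholder subject


def keytool_available():
    """keytool ships with the JRE; on the server it is under <app-path>\\runtime\\...\\bin."""
    return shutil.which("keytool") is not None


def regen_sha1_keystore(out_path, validity_days=3650):
    """Create a fresh keystore at out_path containing a 2048-bit RSA key pair
    and a self-signed certificate with a SHA-1 signature. Returns out_path."""
    if os.path.exists(out_path):
        os.remove(out_path)  # keytool refuses to generate into an existing alias
    cmd = [
        "keytool", "-genkeypair",
        "-keystore", out_path,
        "-storepass", KEYSTORE_PASSWORD,
        "-keypass", KEYSTORE_PASSWORD,
        "-alias", KEYSTORE_ALIAS,
        "-keyalg", "RSA", "-keysize", "2048",
        "-sigalg", "SHA1withRSA",            # the point of the workaround
        "-validity", str(validity_days),
        "-dname", CERT_DNAME,
    ]
    # Newer JDKs print a "weak algorithm" warning for SHA-1 but still succeed.
    subprocess.run(cmd, check=True, capture_output=True)
    return out_path


def keystore_sigalg(path):
    """Return the signature algorithm name keytool reports for the alias,
    without the "(weak)" annotation newer JDKs append to it."""
    result = subprocess.run(
        ["keytool", "-list", "-v", "-keystore", path,
         "-storepass", KEYSTORE_PASSWORD, "-alias", KEYSTORE_ALIAS],
        check=True, capture_output=True, text=True,
    )
    for line in result.stdout.splitlines():
        if line.strip().lower().startswith("signature algorithm name:"):
            return line.split(":", 1)[1].strip().split()[0]
    return None


def dry_run():
    """Generate into a temporary directory and return the signature algorithm,
    so the toolchain can be checked before the live keystore is touched."""
    workdir = tempfile.mkdtemp(prefix="papercut-keystore-")
    path = regen_sha1_keystore(os.path.join(workdir, "default-ssl-keystore"))
    return keystore_sigalg(path)


if __name__ == "__main__":
    print("keytool found:", keytool_available())
    if keytool_available():
        print("dry-run signature algorithm:", dry_run())
```

Run the dry run with the application server's own JRE on the PATH so the keystore type matches what that runtime reads. A SHA-1 signed certificate is a compatibility concession for the affected devices only: other clients that talk to the application server over SSL, including newer browsers and Java runtimes, reject SHA-1 signatures, so the SHA-1 keystore should stay in place only while those devices remain on firmware that cannot handle SHA-2.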
Updating to the latest firmware/SPAR from Xerox
We have encountered several generic connectivity problems between Xerox devices and PaperCut, where connections were unreliable or were aborted, that were resolved after applying the latest (not yet officially published) firmware/SPAR from Xerox.
It is highly recommended, when troubleshooting Xerox SSL issues, to be on the most recent firmware. Recently, the unpublished firmware from December 2013 has resolved several reported stability issues, in addition to the workarounds above, when using PaperCut MF.