PaperCut uses TLS (Transport Layer Security) to encrypt and protect data in transit. This article guides you through configuring TLS protocols and cipher suites to enhance security or ensure compatibility with older clients.
TLS is a newer protocol that replaced SSL (Secure Sockets Layer). However, you may notice that we use both acronyms in PaperCut NG/MF and in this article. So if you see “SSL” anywhere, please assume we mean “TLS.”
How does this work? TLS protocols and cipher suites are managed through a file called server.properties in the PaperCut NG/MF application directory. After editing this file with a text editor, the PaperCut Application Server service must be restarted for changes to take effect.
Keep reading to see a couple of example configurations for quick reference, followed by a deeper dive into what each setting does.
Example configuration - Strong Defaults
Looking for a quick way to bolster security without reading this entire article? Follow these steps to disable legacy protocols (like SSLv3.0, TLSv1.0, TLSv1.1) and enable modern, stronger cryptography (like TLSv1.3).
To enable stronger ciphers and protocols:
- Using a text editor such as Notepad running with admin privileges, open the server.properties file. Locate this file in the PaperCut application directory: [app-path]/server/server.properties (On a 64-bit Windows server running PaperCut MF, the path might be C:\Program Files\PaperCut MF\server\server.properties.)
- Add the lines:
server.ssl.protocols=auto
server.ssl.cipher-suites=auto
server.ssl.using-strong-defaults=Y
- Save the file.
- Restart the PaperCut Application Server service.
- Test each device (particularly older copiers) to ensure they are still able to connect to the server.
Example configuration - TLSv1.3 Only
Want to allow only the most up-to-date protocol, TLSv1.3, and its associated ciphers? This configuration may be more secure than the previous example, but it comes with a warning: some devices, particularly older printer hardware, may not be compatible. Reach out to your hardware vendor if you have any questions about TLSv1.3 support.
To only allow TLSv1.3 protocols and ciphers:
- Using a text editor such as Notepad running with admin privileges, open the server.properties file. Locate this file in the PaperCut application directory: [app-path]/server/server.properties (On a 64-bit Windows server running PaperCut MF, the path might be C:\Program Files\PaperCut MF\server\server.properties.)
- Add the lines:
server.ssl.protocols=TLSv1.3
server.ssl.cipher-suites=TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256
server.ssl.using-strong-defaults=Y
- Save the file.
- Restart the PaperCut Application Server service.
- Test each device (particularly older copiers) to ensure they are still able to connect to the server.
Security settings in detail
server.ssl.protocols
It’s possible to manually configure exactly which protocols the PaperCut NG or MF server is allowed to use, like TLSv1.3.
Uncomment the line server.ssl.protocols=auto in the server.properties file for a quick selection of recommended protocols. If more specific control is needed, you may replace “auto” with a comma-separated list of protocols (for example TLSv1.2, TLSv1.3). Up-to-date examples can be found in the server.properties.template file.
If server.ssl.using-strong-defaults is already enabled, configuring server.ssl.protocols further limits the allowed protocols rather than overriding the setting.
server.ssl.cipher-suites
It’s possible to manually configure exactly which ciphers the PaperCut NG or MF server is allowed to use (such as the fan-pleasing favorite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384).
Uncomment the line server.ssl.cipher-suites=auto in the server.properties file for an automatic selection of stronger, more secure ciphers. For more explicit control, you may replace “auto” with a comma-separated list of ciphers. Up-to-date examples can be found in the server.properties.template file, and a full list of valid cipher suite names can be found in Oracle’s documentation.
If server.ssl.using-strong-defaults is already enabled, configuring server.ssl.cipher-suites further limits the allowed ciphers rather than overriding the setting.
server.ssl.using-strong-defaults
What exactly does this do? Toggling this setting on by uncommenting the line server.ssl.using-strong-defaults=Y enables the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy. This institutes several changes, including:
- Disables older protocols like SSLv3.0
- Disables legacy ciphers such as RC4, 3DES
- Increases Diffie-Hellman key sizes
- Uses stronger Elliptic Curve families
- Enables the TLSv1.3 protocol and compatible ciphers
If server.ssl.using-strong-defaults is enabled, configuring server.ssl.protocols or server.ssl.cipher-suites will further limit the allowed protocols and ciphers.
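The three settings above interact: a wrong key name, a protocol list that still contains TLSv1.0/1.1, or a cipher list that does not match the protocol list can silently weaken a configuration or stop clients connecting. As an added example (not PaperCut's own code), the following small linter reads the server.ssl.* keys from a server.properties file, reports the effective protocol and cipher lists, and flags legacy protocols, weak cipher-suite names and a TLSv1.3-only protocol list that carries no TLSv1.3 cipher suite. The legacy-protocol and weak-cipher marker lists are assumptions based on standard JSSE naming; the three TLSv1.3 suite names are the ones used in the article, and the sample configurations are constructed for this example.

```python
"""Lint the TLS settings in a PaperCut server.properties file.

Added example, not PaperCut's own code. The marker lists below are
assumptions based on standard Java (JSSE) protocol and cipher-suite names.
"""
import re

# Protocol names that the article's strong-defaults configuration disables.
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "SSLv3.0", "TLSv1", "TLSv1.0", "TLSv1.1"}
# Substrings of JSSE cipher-suite names that identify weak or legacy constructions.
WEAK_CIPHER_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT", "_MD5", "_anon_")
# Suites that exist only in TLSv1.3 (the names carry no key-exchange part).
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}


def parse_properties(text):
    """Parse key=value lines. Lines starting with '#' or '!' are comments, as in Java .properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def split_list(value):
    """Split a comma-separated server.properties value into stripped items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def lint_tls(text):
    """Return the effective TLS settings plus a list of human-readable findings."""
    props = parse_properties(text)
    strong = props.get("server.ssl.using-strong-defaults", "N").upper() == "Y"
    protocols = props.get("server.ssl.protocols", "(unset)")
    ciphers = props.get("server.ssl.cipher-suites", "(unset)")
    findings = []

    if not strong:
        findings.append("server.ssl.using-strong-defaults is not Y: legacy protocols and ciphers may remain enabled")

    # "auto" and "(unset)" leave the choice to the server; an explicit list is checked item by item.
    proto_list = split_list(protocols) if protocols not in ("auto", "(unset)") else []
    for p in proto_list:
        if p in LEGACY_PROTOCOLS:
            findings.append(f"legacy protocol enabled: {p}")

    cipher_list = split_list(ciphers) if ciphers not in ("auto", "(unset)") else []
    for c in cipher_list:
        if any(mark in c for mark in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite listed: {c}")

    # A TLSv1.3-only protocol list needs at least one TLSv1.3 suite, or no handshake can succeed.
    if proto_list and set(proto_list) == {"TLSv1.3"} and cipher_list and not (set(cipher_list) & TLS13_SUITES):
        findings.append("protocols restricted to TLSv1.3 but no TLSv1.3 cipher suite is listed")

    return {
        "strong_defaults": strong,
        "protocols": proto_list or [protocols],
        "cipher_suites": cipher_list or [ciphers],
        "findings": findings,
    }


# Constructed sample files: the article's two configurations and a permissive one.
STRONG_DEFAULTS = """\
server.ssl.protocols=auto
server.ssl.cipher-suites=auto
server.ssl.using-strong-defaults=Y
"""

TLS13_ONLY = """\
server.ssl.protocols=TLSv1.3
server.ssl.cipher-suites=TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256
server.ssl.using-strong-defaults=Y
"""

PERMISSIVE = """\
# constructed example of a configuration that still allows legacy cryptography
server.ssl.protocols=TLSv1.1, TLSv1.2
server.ssl.cipher-suites=TLS_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
#server.ssl.using-strong-defaults=Y
"""

if __name__ == "__main__":
    for name, sample in (("strong defaults", STRONG_DEFAULTS), ("TLSv1.3 only", TLS13_ONLY), ("permissive", PERMISSIVE)):
        report = lint_tls(sample)
        print(f"[{name}] protocols={report['protocols']} ciphers={report['cipher_suites']}")
        for finding in report["findings"] or ["no findings"]:
            print("   -", finding)
```

Run it against a copy of your own server.properties by passing its contents to lint_tls(); the linter only reads the file, so it is safe to run on a production copy, but it reports what the file asks for, not what the JVM actually negotiates, so an external scan (see the validation recommendation at the end of this article) remains the final check.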
Additional TLS Settings
The following settings can also be found in the server.properties file and can be customized to suit your needs:
- Cipher Order: The server.ssl.follow-client-cipher-order setting determines whether the server’s or the client’s cipher suite preference is followed. For more information, visit Cipher Order on Wikipedia.
- SNI Host Check: The server.ssl.sni-host-check-enabled option controls the enforcement of Server Name Indication (SNI) host checks. Learn more about SNI Host Check on Wikipedia.
- Debug Output: The server.ssl.debug-output option enables or disables detailed debug information for troubleshooting purposes. Refer to the PaperCut SSL Debug Guide for more details. Caution: this debug logging generates extremely verbose output and has been seen to cause server performance issues when enabled in production environments. It is not normally needed for troubleshooting.
Recommendations and Best Practices
- Security Best Practices: Regularly review and update TLS configurations to align with the latest security standards.
- Restart the service for changes to take effect: Remember to restart the PaperCut Application Server after editing the server.properties file to ensure changes take effect.
- Testing: Always test new configurations in a non-production environment before applying them in live systems to avoid potential disruptions.
- Validation: After making changes, consider using a third-party network scanning tool, such as Nmap, to validate exactly which ciphers and protocols are in use.