HP Printer web-interface over HTTPS

[contink]

Thought I'd make a note of this as it's one that's bugged me for a while and I never realised the source until now.

Symptoms:
- More than one network equipped HP printer on your network.
- Https connection to the web interface of one printer works ok
- Https connection to a different printer gives error that the certificate serial number has already been associated to a different hardware item
- Firefox in particular refuses to let you connect to any additional printers in this way.

Cause:
- HP Have only created a single security certificate for all their printers so firefox throws out the bathwater and refuses to connect

Solution #1:
- Connect to the printers using IE (it doesn't get so uppity)
- Turn off HTTPS redirect required in the network settings
- Repeat for each printer
- Use HTTP to connect to the printers from here on out.

Solution #2:
- Use IE

Solution #3:
- Accept certificates for session only (not permanent)
- Only ever connect to one printer during a session
- Shutdown and restart your firefox browser each time you want to go to a different printer.


Nice eh?




Ref: The full error (minus the bit about contacting your admin)

You have recieved an invalid certificate. (snip)

Your certificate contains the same serial number as another certificate issues by the certificate authority. Please get a new certificate containing a unique serial number.

[SYNACK]

Lame in some respects on the part of hp but understandable in others.

As the certs are stored in firmware there are only a couple of ways around this would be to compile a new firmware image on the fly for each printer on their server and to download once for each printer. The only other way would be to include their private certificate in the firmware and have each printer generate a unique key when it is first plugged in. The issue with this method is that someone could crack open their firmware and sign certs as hp thereby opening up people who trust hp certs to be infiltrated by fake certs.

Surely there must be something in firefox's about:config page to disable this behavior though.

[Geoff]

Our Colour Laserjet 5500 allows you to upload your own certs + keychain bundle.

[contink]

Our Colour Laserjet 5500 allows you to upload your own certs + keychain bundle.

No such luck with the Officejet line... Granted this is only the K550, K5400, L7680 I've checked so far..

[Geoff]

Doesn't surprise me, the 5500 is a bit of heavyweight with more bells and whistles than you can shake a stick at. Where as the officejets you mention are a little more, budget?

[contink]

Doesn't surprise me, the 5500 is a bit of heavyweight with more bells and whistles than you can shake a stick at. Where as the officejets you mention are a little more, budget?

Aye...

Just found that the K8600 is the same as the others but has a few nice little bells over the other models.. but that's a whole other topic.

[Ric_]

Couldn't you install the WebJet Admin software on a machine and view that over HTTPS? This then gives you a pretty console of all your printers - plus there's more info than some of the more basic printers/JD cards care to offer you

[SimpleSi]

Sorry - https - to a printer ???

I know I'm at the loose end of the security spectrum but ...

Go on - educate me - why use https?

regards

Simon

[contink]

Sorry - https - to a printer ???

I know I'm at the loose end of the security spectrum but ...

Go on - educate me - why use https?

Hey, don't blame me... The goons at HP came up with this beauty

I think it's just to avoid folks being able to figure out your admin security and mess with the IP settings, etc.. on the printer.

Anyways... I just reported the problem so folks could be aware if they hit it...