[sane-devel] Canon XK90 and TS8030 works with sane

WATANABE Kazuhiro CQG00620 at nifty.ne.jp
Sun Dec 12 09:46:34 GMT 2021 

Hi,  Thanks for your effort!

On Thu, 09 Dec 2021 22:23:46 +0900,
Thierry Huchard wrote:
> Le 2021-12-09 09:16, Thierry Huchard a écrit :
> > Le 2021-12-08 09:18, WATANABE Kazuhiro a écrit :
> >> On Tue, 07 Dec 2021 22:06:14 +0900,
> >> Thierry Huchard wrote:
> >>> Le 2021-12-07 13:44, WATANABE Kazuhiro a écrit :
> >>> > Hi,
> >>> >
> >>> > On Tue, 07 Dec 2021 17:44:46 +0900,
> >>> > Thierry Huchard wrote:
> >>> >> Le 2021-12-06 10:37, WATANABE Kazuhiro a écrit :
> >>> >> > Hi, all.
> >>> >> >
> >>> >> > I have tested my Canon XK90 with the following environment.
> >>> >> >
> >>> >> >  sane-backends-1.0.32_7
> >>> >> >  sane-airscan-0.99.26
> >>> >> >  xsane-0.999_6
> >>> >> >  FreeBSD 12.2-RELEASE
> >>> >> >
> >>> >> > | $ scanimage -V
> >>> >> > | scanimage (sane-backends) 1.0.32; backend version 1.0.32
> >>> >> > | $ scanimage -L
> >>> >> > | device `pixma:04A918B6_103859' is a CANON Canon PIXUS XK90 Series
> >>> >> > multi-function peripheral
> >>> >> > | device `escl:https://192.168.0.108:443' is a Canon XK90 series
> >>> >> > platen scanner
> >>> >> > | device `airscan:e0:Canon XK90 series' is a eSCL Canon XK90 series
> >>> >> > ip=192.168.0.108
> >>> >> > | $
> >>> >> >
> >>> >> > Scanning all supported resolutions (up to 1200dpi) is good with both
> >>> >> > sane-pixma and sane-airscan.  Monochrome scan is also fine.
> >>> >> >
> >>> >> > By the way, sane-escl doesn't work at all.
> >>> >> >
> >>> >> > | $ scanimage -d 'escl:https://192.168.0.108:443' -o test.pnm
> >>> >> > | scanimage: open of device escl:https://192.168.0.108:443 failed:
> >>> >> > Invalid argument
> >>> >> > | $
> >>> >> Can you provide me with the log file?
> >>> >> SANE_DEBUG_ESCL=255 scanimage -d 'escl:https://192.168.0.108:443' -o
> >>> >> test.pnm 2> escl-xk90.log
> >>> >>
> >>> >> Thierry
> >>> >
> >>> > OK.  The log is:
> >>> >
> >>> > *****
> >>> > [21:12:28.116002] [sanei_debug] Setting debug level of escl to 255.
> >>> > [21:12:28.116178] [escl] escl sane_init
> >>> > [21:12:28.118200] [escl] escl sane_open
> >>> > [21:12:28.118222] [escl] escl_parse_name
> >>> > [21:12:28.135446] [escl] escl_curl_url: URL:
> >>> > https://192.168.0.108:443/eSCL/ScannerCapabilities
> >>> > [21:12:28.135919] [escl] Before use hack
> >>> > [21:12:28.135933] [escl] After use hack
> >>> > [21:12:28.135942] [escl] Ignoring safety certificates, use https
> >>> > [21:12:28.180634] [escl] The scanner didn't respond: SSL connect error
> >>> > scanimage: open of device escl:https://192.168.0.108:443 failed:
> >>> > Invalid argument
> >>> > [21:12:28.180750] [escl] escl sane_exit
> >>> > *****
> >>> 
> >>> Thanks for your log feedback!
> >>> Can you test this?
> >>> 
> >>> Can you provide me with the log file?
> >>> SANE_DEBUG_ESCL=255 scanimage -d 'escl:http://192.168.0.108:80' -o
> >>> test.pnm 2> escl-xk90-2.log
> >>> 
> >>> Thierry
> >> 
> >> It works without any error.  The log file is here:
> >> 
> >>  https://drive.google.com/drive/folders/13RlFS3mbX_17Q4VeWImqIHgd7zSm0Fjg
> > 
> > On the libcurl discussion thread, I am referred to this issue:
> > https://github.com/curl/curl/issues/5356
> > 
> >> Dan Fandrich via curl-library wrote :
> >>  Could it be similar to Github issue #5356? Namely, the scanner is
> >> running
> >>  years-old firmware that uses a long-obsolete TLS version and
> >> OpenSSL is
> >>  now refusing to talk to it for security reasons? What TLS back-end
> >> is your
> >>  libcurl using? What TLS version does the scanner want to use?
> > 
> > On FreeBSD 12.2-RELEASE, the version of OpenSSL is 1.1.1k and curl
> > is 7.73.0
> > If I'm not mistaken, then the problem seems to come from the firmware
> > of the device.
> > I think I can fix it by testing the https connection and if it fails
> > switch to http connection.

XK90 has been sold since Aug 8 2020, and we bought it at last month.
The factory default firmware is version 1.020, and the latest firmware
is 1.030 (release date is unknown).

Canon does not descrive anywhere what is changed with this update.
So I have contacted to the local customer service and asked about the
update.  They told me that the update is "Change of the security
specification".  I thought it was a good news.

I've updated the firmware today.  Unfortunately there is no change
about the problem.  Ugh...


> Hi Kazuhiro,
> Can you give me the log file of this command?
> 
> curl -vk https://192.168.yyy.xxx/eSCL/ScannerCapabilities
> 
> Thierry

* Environment

| $ uname -a
| FreeBSD aquarius-vm.sign.local 12.2-RELEASE-p11 FreeBSD 12.2-RELEASE-p11 r370982 GENERIC  amd64
| $ openssl version
| OpenSSL 1.1.1h-freebsd  24 Aug 2021
| $ curl --version
| curl 7.79.1 (amd64-portbld-freebsd12.2) libcurl/7.79.1 OpenSSL/1.1.1h zlib/1.2.11 libssh2/1.9.0 nghttp2/1.44.0
| Release-Date: 2021-09-22
| Protocols: dict file ftp ftps gopher gophers http https imap imaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp 
| Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets
| $

By default, curl fails to connect.

| $ curl -vk https://192.168.0.108/eSCL/ScannerCapabilities
| *   Trying 192.168.0.108:443...
| * Connected to 192.168.0.108 (192.168.0.108) port 443 (#0)
| * ALPN, offering h2
| * ALPN, offering http/1.1
| * successfully set certificate verify locations:
| *  CAfile: /usr/local/share/certs/ca-root-nss.crt
| *  CApath: none
| * TLSv1.3 (OUT), TLS handshake, Client hello (1):
| * TLSv1.3 (IN), TLS alert, handshake failure (552):
| * error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
| * Closing connection 0
| curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

But with "--tls-max 1.0" or "--tls-max 1.1", curl can connect to XK90.
With "--tls-max 1.2" and "--tls-max 1.3", curl returns the same error
described above.

| $ curl -vk --tls-max 1.1 https://192.168.0.108/eSCL/ScannerCapabilities
| *   Trying 192.168.0.108:443...
| * Connected to 192.168.0.108 (192.168.0.108) port 443 (#0)
| * ALPN, offering h2
| * ALPN, offering http/1.1
| * successfully set certificate verify locations:
| *  CAfile: /usr/local/share/certs/ca-root-nss.crt
| *  CApath: none
| * TLSv1.1 (OUT), TLS handshake, Client hello (1):
| * TLSv1.1 (IN), TLS handshake, Server hello (2):
| * TLSv1.1 (IN), TLS handshake, Certificate (11):
| * TLSv1.1 (IN), TLS handshake, Server finished (14):
| * TLSv1.1 (OUT), TLS handshake, Client key exchange (16):
| * TLSv1.1 (OUT), TLS change cipher, Change cipher spec (1):
| * TLSv1.1 (OUT), TLS handshake, Finished (20):
| * TLSv1.1 (IN), TLS handshake, Finished (20):
| * SSL connection using TLSv1.1 / AES256-SHA
| * ALPN, server did not agree to a protocol
| * Server certificate:
| *  subject: CN=192.168.0.108
| *  start date: Jan  1 00:00:00 2019 GMT
| *  expire date: Dec 31 23:59:59 2038 GMT
| *  issuer: CN=CanonIJProductF8A26DA2A5240001
| *  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
| > GET /eSCL/ScannerCapabilities HTTP/1.1
| > Host: 192.168.0.108
| > User-Agent: curl/7.79.1
| > Accept: */*
| > 
| * Mark bundle as not supporting multiuse
| < HTTP/1.1 200 OK
| < MIME-Version: 1.0
| < Transfer-Encoding: chunked
| < Content-Type: text/xml
| < Connection: close
(snip)
| * TLSv1.1 (IN), TLS alert, close notify (256):
| * TLSv1.1 (OUT), TLS alert, close notify (256):
| $ 

FYI, Firefox (91.3.0esr and 95.0) can connect to XK90 with TLS1.2.

-- 
WATANABE Kazuhiro (CQG00620 at nifty.ne.jp)

More information about the sane-devel mailing list