Chris,
I'm not sure that this attack applies to the usage in IPP - "ipp" URIs default to unencrypted and can be opportunistically upgraded to TLS, and "ipps" URIs are always encrypted. The other protocols listed in the attack paper do not explicitly identify when encryption is required - that is what enables the attack.
> On May 11, 2026, at 11:58 AM, Christopher Rizzo via ipp <ipp at pwg.org> wrote:
>> Apache HTTP server removed support for RFC 2817 due to this attack
> CVE-2025-49812
> Should RFC 2817 test in IPP Everywhere Cert be removed and requirement deprecated?
> Either that or vendors using Apache HTTP server to support IPP need to add code or one off patch to Apache in order to restore support for RFC 2817.
> Thanks,
> Chris
> Christopher Rizzo
> Engineer II, Software Engineering
> Design & Development Engineering
> Xerox Corporation
> Virtual Office Employee
> 26600 SW Parkway Ave
> Wilsonville, OR 97070
________________________
Michael Sweet
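
Added example, not part of the original messages and not code from any IPP implementation: a Python client-side check of the distinction drawn in the reply above, where the URI scheme itself says whether TLS is required ("ipps") or only opportunistic via an RFC 2817 upgrade ("ipp"). The function names, the returned step labels, the `must_encrypt` setting and the printer host are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Policy implied by the URI scheme: "ipps" always requires TLS; "ipp" starts
# unencrypted and may be upgraded in-band (RFC 2817 "Upgrade: TLS/1.0").
SCHEME_POLICY = {"ipp": "opportunistic", "ipps": "required"}


def tls_policy(printer_uri):
    """Return 'required' or 'opportunistic' for an ipp/ipps printer URI."""
    scheme = urlsplit(printer_uri).scheme.lower()
    if scheme not in SCHEME_POLICY:
        raise ValueError(f"not an IPP URI: {printer_uri!r}")
    return SCHEME_POLICY[scheme]


def upgrade_accepted(status, headers):
    """True if the reply is an RFC 2817 '101 Switching Protocols' to TLS."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    upgrade = [t.strip().lower() for t in hdrs.get("upgrade", "").split(",")]
    conn = [t.strip().lower() for t in hdrs.get("connection", "").split(",")]
    return (status == 101 and "upgrade" in conn
            and any(t.startswith("tls/") for t in upgrade))


def next_step(printer_uri, status=None, headers=None, must_encrypt=False):
    """Decide what the client does next (step labels are hypothetical).

    status/headers are the server's reply to an Upgrade request sent on an
    "ipp" connection; they are ignored for "ipps", where the TLS handshake
    happens before any HTTP is exchanged. must_encrypt is a hypothetical
    local setting for clients that refuse to print in cleartext.
    """
    if tls_policy(printer_uri) == "required":
        return "tls-handshake-first"
    if status is None:
        return "send-upgrade-request"
    if upgrade_accepted(status, headers or {}):
        return "tls-handshake-now"
    # The upgrade was declined, or the Upgrade header never reached the server.
    return "abort" if must_encrypt else "continue-cleartext"
```
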