[Nut-upsdev] [nut-commits] svn commit r2809 -branches/ssl-nss-port/server

Arjen de Korte nut+devel at de-korte.org
Mon Jan 10 20:47:46 UTC 2011 

Citeren EmilienKia op Eaton.com:

> The main reason is to homogenize directive names between apps  
> (mainly upsmon which uses CERTPATH and upsd which uses CERTNAME) to  
> set the same property.

Why? The use of CERTFILE (OpenSSL only) and  
CERTPATH/CERTIDENT/CERTREQUEST (NSS only) is completely different. We  
have nothing to gain by reducing the number of directives here, since  
we will need different instructions on how to fill them anyway.

Using different names will help us help people much more easily, since  
the directives they see in upsd.conf will already tell us if NUT was  
build to use the OpenSSL or NSS libraries.

Throughout NUT we should maintain a clear distinction whether a  
filename is needed (like CERTFILE) or a directory (STATEPATH, DATAPATH  
and CERTPATH).

> Note that the CERTFILE directive is working but is just flagged as  
> deprecated.

Whatever.

> As ssl support compilation is exclusive (only openssl or nss at the  
> same time), I do not see any reason to keep two directives in  
> parallel (one per compile profile) doing the same thing (pointing to  
> the certificate database, in the form of a single file or a  
> directory).

These should be surrounded by #ifdef/#endif directives and make upsd  
complain loudly about directives it doesn't understand. So if someone  
is accidentally using CERTFILE if NUT was build with NSS, it should  
inform them right away (not when the certificate store is being  
accessed). Similar the other way around.

> About configuration directive, only CERTFILE/CERTPATH change of  
> content (a directory instead of a file) but the semantic is kept  
> unchanged. All other SSL related directives are just for NSS mode.  
> So generate different .conf.sample files is IMHO disproportionate  
> related to the too few alterations. Perhaps add few lines of comment  
> in these .conf.sample files?

You forget about the amount of problems we will see when people start  
switching over from OpenSSL to NSS. There is pretty much nothing to  
gain by consolidating these directives into one. What's wrong with

# CERTFILE <certificate file> (OpenSSL only)
# CERTFILE /usr/local/ups/etc/upsd.pem

# CERTPATH <certificate directory> (NSS only)
# CERTPATH /usr/local/ups/etc/cert/upsd

# CERTIDENT <certificate name> <database password> (NSS only)
# CERTIDENT "my nut server" "MyPasSw0rD"

# CERTREQUEST <certificate request level> (NSS only)
# CERTREQUEST [0|1|2]
#  - 0 to not request to clients to provide any certificate
#  - 1 to require to all clients a certificate
#  - 2 to require to all clients a valid certificate

At best we would add some autoconf magic to only include the parts  
that are used (so that we don't clutter the configuration files with  
directives that are not used), but for the time being the above might  
be good enough.

I'm one of the old dogs around here and even I already have problems  
setting this up (let alone the novice NUT users that try to make this  
work).

Best regards, Arjen
-- 
Please keep list traffic on the list (off-list replies will be rejected)

More information about the Nut-upsdev mailing list