[Nut-upsdev] [nut-commits] svn commit r2809 -branches/ssl-nss-port/server

Tue Jan 11 09:23:32 UTC 2011

2011/1/10 Arjen de Korte <nut+devel at de-korte.org <nut%2Bdevel at de-korte.org>>

> Citeren EmilienKia at Eaton.com:
>
>
>  The main reason is to homogenize directive names between apps (mainly
>> upsmon which uses CERTPATH and upsd which uses CERTNAME) to set the same
>> property.
>>
>
> Why? The use of CERTFILE (OpenSSL only) and CERTPATH/CERTIDENT/CERTREQUEST
> (NSS only) is completely different. We have nothing to gain by reducing the
> number of directives here, since we will need different instructions on how
> to fill them anyway.
>
> Using different names will help us help people much more easily, since the
> directives they see in upsd.conf will already tell us if NUT was build to
> use the OpenSSL or NSS libraries.
>
> Throughout NUT we should maintain a clear distinction whether a filename is
> needed (like CERTFILE) or a directory (STATEPATH, DATAPATH and CERTPATH).
>
>
>  Note that the CERTFILE directive is working but is just flagged as
>> deprecated.
>>
>
> Whatever.
>
>
>  As ssl support compilation is exclusive (only openssl or nss at the same
>> time), I do not see any reason to keep two directives in parallel (one per
>> compile profile) doing the same thing (pointing to the certificate database,
>> in the form of a single file or a directory).
>>
>
> These should be surrounded by #ifdef/#endif directives and make upsd
> complain loudly about directives it doesn't understand. So if someone is
> accidentally using CERTFILE if NUT was build with NSS, it should inform them
> right away (not when the certificate store is being accessed). Similar the
> other way around.
>
>
>  About configuration directive, only CERTFILE/CERTPATH change of content (a
>> directory instead of a file) but the semantic is kept unchanged. All other
>> SSL related directives are just for NSS mode. So generate different
>> .conf.sample files is IMHO disproportionate related to the too few
>> alterations. Perhaps add few lines of comment in these .conf.sample files?
>>
>
> You forget about the amount of problems we will see when people start
> switching over from OpenSSL to NSS. There is pretty much nothing to gain by
> consolidating these directives into one. What's wrong with
>
> # CERTFILE <certificate file> (OpenSSL only)
> # CERTFILE /usr/local/ups/etc/upsd.pem
>
> # CERTPATH <certificate directory> (NSS only)
> # CERTPATH /usr/local/ups/etc/cert/upsd
>
> # CERTIDENT <certificate name> <database password> (NSS only)
> # CERTIDENT "my nut server" "MyPasSw0rD"
>
> # CERTREQUEST <certificate request level> (NSS only)
> # CERTREQUEST [0|1|2]
> #  - 0 to not request to clients to provide any certificate
> #  - 1 to require to all clients a certificate
> #  - 2 to require to all clients a valid certificate
>
> At best we would add some autoconf magic to only include the parts that are
> used (so that we don't clutter the configuration files with directives that
> are not used), but for the time being the above might be good enough.
>
> I'm one of the old dogs around here and even I already have problems
> setting this up (let alone the novice NUT users that try to make this work).

valid points!

Emilien, can you please adapt the code as per the above.
I'll check how we can condition the conf sample and highlight the SSL
support type in the doc.

cheers,
Arnaud
-- 
Linux / Unix Expert R&D - Eaton - http://powerquality.eaton.com
Network UPS Tools (NUT) Project Leader - http://www.networkupstools.org/
Debian Developer - http://www.debian.org
Free Software Developer - http://arnaud.quette.free.fr/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/nut-upsdev/attachments/20110111/ccd521f4/attachment-0001.htm>