[Nut-upsdev] [nut-commits] svn commit r2809-branches/ssl-nss-port/server

EmilienKia at Eaton.com EmilienKia at Eaton.com
Tue Jan 11 12:53:32 UTC 2011


 

	2011/1/10 Arjen de Korte <nut+devel at de-korte.org
<mailto:nut%2Bdevel at de-korte.org> >
	

		Citeren EmilienKia at Eaton.com:
		
		

			The main reason is to homogenize directive names
between apps (mainly upsmon which uses CERTPATH and upsd which uses
CERTNAME) to set the same property.
			

		Why? The use of CERTFILE (OpenSSL only) and
CERTPATH/CERTIDENT/CERTREQUEST (NSS only) is completely different. We
have nothing to gain by reducing the number of directives here, since we
will need different instructions on how to fill them anyway.
		
		Using different names will help us help people much more
easily, since the directives they see in upsd.conf will already tell us
if NUT was build to use the OpenSSL or NSS libraries.
		
		These should be surrounded by #ifdef/#endif directives
and make upsd complain loudly about directives it doesn't understand. So
if someone is accidentally using CERTFILE if NUT was build with NSS, it
should inform them right away (not when the certificate store is being
accessed). Similar the other way around. 
		
		

			About configuration directive, only
CERTFILE/CERTPATH change of content (a directory instead of a file) but
the semantic is kept unchanged. All other SSL related directives are
just for NSS mode. So generate different .conf.sample files is IMHO
disproportionate related to the too few alterations. Perhaps add few
lines of comment in these .conf.sample files?
			

		You forget about the amount of problems we will see when
people start switching over from OpenSSL to NSS. There is pretty much
nothing to gain by consolidating these directives into one. What's wrong
with
		
		# CERTFILE <certificate file> (OpenSSL only)
		# CERTFILE /usr/local/ups/etc/upsd.pem
		
		# CERTPATH <certificate directory> (NSS only)
		# CERTPATH /usr/local/ups/etc/cert/upsd
		
		# CERTIDENT <certificate name> <database password> (NSS
only)
		# CERTIDENT "my nut server" "MyPasSw0rD"
		
		# CERTREQUEST <certificate request level> (NSS only)
		# CERTREQUEST [0|1|2]
		#  - 0 to not request to clients to provide any
certificate
		#  - 1 to require to all clients a certificate
		#  - 2 to require to all clients a valid certificate
		
		valid points!
		
		Emilien, can you please adapt the code as per the above.
		I'll check how we can condition the conf sample and
highlight the SSL support type in the doc.
		
		 
		 


--------------------------------------------------------------------------
-------------- section suivante --------------
Une pi�ce jointe HTML a �t� enlev�e...
URL: <http://lists.alioth.debian.org/pipermail/nut-upsdev/attachments/20110111/cadd33ee/attachment.htm>


More information about the Nut-upsdev mailing list