[Nut-upsdev] SSL certificate verification with OpenSSL in NUT trunk
Arjen de Korte
nut+devel at de-korte.org
Thu Jan 13 11:34:35 UTC 2011
Quoting EmilienKia at Eaton.com:
> With a clean trunk checkout, compile and installation; and with the
> following config :
>
> upsmon.conf:
> CERTPATH /usr/local/ups/etc/cert/
> CERTVERIFY 1
> FORCESSL 1
First off, you're not supposed to use both CERTVERIFY and FORCESSL.
FORCESSL is intended to be used in cases where you can't verify the
validity of a certificate, but still want to enforce the use of any
presented. See 'docs/ssl.txt' from the nut-2.4.3 branch (this file
didn't make it into AsciiDoc).
> So, do I misunderstand the CERTVERIFY directive? Or is there a bug?
> Can you reproduce such behaviour?
I'm not sure what is going on. Can you try running 'upsmon' with
debugging enabled? The following are the results of my tests here. In
all cases, the upsd server is running with a valid PositiveSSL
certificate (so the root CA that signed this certificate is trusted
without further configuration):
upsmon.conf (valid):
CERTPATH /etc/ssl/certs/
CERTVERIFY 1
#upsmon -DD
Network UPS Tools upsmon 2.6.0-pre1-2819
0.000000 UPS: mge-usb op localhost (master) (power value 1)
0.000457 Using power down flag file /etc/killpower
0.000962 debug level is '2'
0.003348 Trying to connect to UPS [mge-usb op localhost]
0.024697 Logged into UPS mge-usb op localhost
0.025804 pollups: mge-usb op localhost [SSL]
0.026283 parse_status: [OL CHRG]
-----------
upsmon.conf (demo CA, not the one that signed the server certificate):
CERTPATH /etc/ssl/certs/demo
CERTVERIFY 1
#upsmon -DD
Network UPS Tools upsmon 2.6.0-pre1-2819
0.000000 UPS: mge-usb op localhost (master) (power value 1)
0.000465 Using power down flag file /etc/killpower
0.001071 debug level is '2'
0.003841 Trying to connect to UPS [mge-usb op localhost]
0.016105 Can't set username on [mge-usb op localhost]: SSL error:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed
5.016263 pollups: mge-usb op localhost
5.016345 Poll UPS [mge-usb op localhost] failed - Driver not connected
5.016368 do_notify: ntype 0x0005 (COMMBAD)
5.016402 Communications with UPS mge-usb op localhost lost
5.016771 Dropping connection to UPS [mge-usb op localhost]
-----------
upsmon.conf (empty directory):
CERTPATH /etc/ssl/certs/empty
CERTVERIFY 1
# upsmon -DD
Network UPS Tools upsmon 2.6.0-pre1-2819
0.000000 UPS: mge-usb op localhost (master) (power value 1)
0.000481 Using power down flag file /etc/killpower
0.000942 debug level is '2'
0.004245 Trying to connect to UPS [mge-usb op localhost]
0.016430 Can't set username on [mge-usb op localhost]: SSL error:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed
5.016599 pollups: mge-usb op localhost
5.016682 Poll UPS [mge-usb op localhost] failed - Driver not connected
5.016705 do_notify: ntype 0x0005 (COMMBAD)
5.016724 Communications with UPS mge-usb op localhost lost
5.017086 Dropping connection to UPS [mge-usb op localhost]
-----------
So whatever I try, if a valid certificate is not found, upsmon doesn't
seem to connect.
Best regards, Arjen
--
Please keep list traffic on the list (off-list replies will be rejected)
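The three CERTPATH outcomes above, replayed as an added example that is not part of the mail or of the NUT code base: a Go standard-library reimplementation of the check CERTVERIFY 1 asks upsmon to perform, with the signing CA, an unrelated "demo" CA and an empty trust store. All certificates are generated in memory, and the upsd host name is assumed to be localhost.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a certificate for cn signed by parent (self-signed when parent is nil).
// Keys and certificates are generated in memory; this is an illustration, not NUT's code.
func makeCert(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // a CA must be allowed to sign certificates
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Scenarios rebuilds the three CERTPATH cases from the mail: the signing CA present, an
// unrelated demo CA only, and an empty trust store. A nil error is the "connected" case.
func Scenarios() map[string]error {
	signingCA, caKey := makeCert("signing-ca", true, nil, nil)
	demoCA, _ := makeCert("demo-ca", true, nil, nil)
	server, _ := makeCert("localhost", false, signingCA, caKey) // what upsd would present
	// check does what CERTVERIFY 1 demands of upsmon: the server certificate must chain
	// to a CA in the trust store and be issued for the host name it connected to.
	check := func(roots *x509.CertPool) error {
		_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: "localhost"})
		return err
	}
	valid, demo, empty := x509.NewCertPool(), x509.NewCertPool(), x509.NewCertPool()
	valid.AddCert(signingCA)
	demo.AddCert(demoCA)
	return map[string]error{"valid": check(valid), "demo": check(demo), "empty": check(empty)}
}
```

Only the "valid" store yields a nil error; the other two fail with an unknown-authority error, which is the Go counterpart of OpenSSL's "certificate verify failed" in the logs above.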