[Nut-upsdev] SSL certificate verification with OpenSSL in NUT trunk

Arnaud Quette aquette.dev at gmail.com
Thu Jan 13 12:21:20 UTC 2011


2011/1/13 Arjen de Korte <nut+devel at de-korte.org>

> Quoting EmilienKia at Eaton.com:
>
>> With a clean trunk checkout, compile and installation; and with the
>> following config:
>>
>> upsmon.conf:
>> CERTPATH /usr/local/ups/etc/cert/
>> CERTVERIFY 1
>> FORCESSL 1
>>
>
> First off, you're not supposed to use both CERTVERIFY and FORCESSL.
> FORCESSL is intended to be used in cases you can't verify the validity of a
> certificate, but still want to enforce the use of any presented. See the
> 'docs/ssl.txt' from the nut-2.4.3 branch (this file didn't make it into
> AsciiDoc).


This file (ssl.txt) was merged into security.txt, part of the AsciiDoc
rewrite:
http://new.networkupstools.org/docs/user-manual.chunked/ar01s09.html#_recommended_make_upsmon_verify_all_connections_with_certificates

That being said, CERTVERIFY and FORCESSL are not mutually exclusive, and
address two different issues (i.e. authentication and data encryption).
Documentation simply states that FORCESSL guarantees that your data won't be
sniffed, which is the bare minimum if you don't also use authentication.


