No subject


Thu Jan 6 17:29:48 UTC 2011


2011/1/13 Arjen de Korte <nut+devel at de-korte.org>
> Citeren EmilienKia at Eaton.com:
>
>> With a clean trunk checkout, compile and installation; and with the
>> following config:
>>
>> upsmon.conf:
>> CERTPATH /usr/local/ups/etc/cert/
>> CERTVERIFY 1
>> FORCESSL 1
>
> First off, you're not supposed to use both CERTVERIFY and FORCESSL. FORCESSL
> is intended to be used in cases you can't verify the validity of a
> certificate, but still want to enforce the use of any presented. See the
> 'docs/ssl.txt' from the nut-2.4.3 branch (this file didn't make it into
> AsciiDoc).

this file (ssl.txt) was merged into security.txt, part of the AsciiDoc rewrite:
http://new.networkupstools.org/docs/user-manual.chunked/ar01s09.html#_recommended_make_upsmon_verify_all_connections_with_certificates

that being said, CERTVERIFY and FORCESSL are not mutually exclusive, and
address two different issues (i.e. authentication and data encryption).
Documentation simply states that FORCESSL guarantees that your data won't be
sniffed, which is the bare minimum if you don't also use authentication.

From docs/security.txt:
If you don't use 'CERTVERIFY 1', then this will at least make sure that
nobody can sniff your sessions without a large effort (...)

>> So, do I misunderstand CERTVERIFY directive? Or is there a bug?
>> Can you reproduce such behaviour?
>
> I'm not sure what is going on. Can you try running 'upsmon' with debugging
> enabled? The following are the results of my tests here. In all cases, the
> upsd server is running with a valid PositiveSSL certificate (so the root CA
> that signed this certificate is trusted without further configuration):
> (...)

we've had some findings with Emilien in the meantime.
He's currently checking for a clean fix, so I'll let him describe the issue
and the possible fix.

cheers,
Arnaud
-- 
Linux / Unix Expert R&D - Eaton - http://powerquality.eaton.com
Network UPS Tools (NUT) Project Leader - http://www.networkupstools.org/
Debian Developer - http://www.debian.org
Free Software Developer - http://arnaud.quette.free.fr/
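To make the encryption-versus-authentication distinction in the thread concrete, here is an added illustration (not NUT's own code) of a minimal client that reads the three upsmon.conf directives above, performs the NUT "STARTTLS" exchange on upsd's port 3493, and builds a TLS context that matches the policy: FORCESSL alone encrypts but accepts any certificate, while CERTVERIFY 1 requires a certificate chaining to CERTPATH. It assumes CERTVERIFY 1 implies TLS and that CERTPATH is an OpenSSL-style hashed CA directory.

```python
import socket
import ssl

NUT_PORT = 3493  # default upsd port

def tls_policy(conf_text):
    """Parse CERTPATH/CERTVERIFY/FORCESSL from an upsmon.conf fragment.
    Returns (require_tls, verify_peer, certpath)."""
    certpath, certverify, forcessl = None, False, False
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ''
        if key == 'CERTPATH':
            certpath = value
        elif key == 'CERTVERIFY':
            certverify = value == '1'
        elif key == 'FORCESSL':
            forcessl = value == '1'
    # Assumption: verifying a certificate only makes sense over TLS,
    # so CERTVERIFY 1 is treated as also requiring TLS.
    return (forcessl or certverify, certverify, certpath)

def make_context(verify_peer, certpath):
    """TLS settings for the two policies discussed in the thread."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if verify_peer:
        # CERTVERIFY 1: upsd must present a cert chaining to CERTPATH
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = True
        ctx.load_verify_locations(capath=certpath)
    else:
        # FORCESSL only: traffic is encrypted, but the peer is not
        # authenticated, so an active attacker in the path is not detected
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def starttls_connect(host, conf_text, port=NUT_PORT):
    """Open a upsd session, upgrading to TLS as the config demands."""
    require_tls, verify_peer, certpath = tls_policy(conf_text)
    sock = socket.create_connection((host, port), timeout=5)
    if not require_tls:
        return sock                               # plaintext session
    sock.sendall(b'STARTTLS\n')                   # NUT protocol command
    reply = sock.recv(64)
    if not reply.startswith(b'OK STARTTLS'):
        sock.close()
        raise RuntimeError('upsd refused STARTTLS: %r' % reply)
    return make_context(verify_peer, certpath).wrap_socket(
        sock, server_hostname=host)
```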



More information about the Nut-upsdev mailing list