[Nut-upsdev] NSS branch testing.

Michal Hlavinka mhlavink at redhat.com
Thu Sep 6 13:16:46 UTC 2012


On 08/14/2012 11:49 AM, Arnaud Quette wrote:
> Hi Rob
>
> I'm taking over the answer, since Emilien (the coder) is on vacation...
> Though he kindly took 5 mn to give me the rationales needed.
>
> 2012/8/10 Rob Crittenden <rcrit at greyoak.com>
>
>     FredericBohe at Eaton.com wrote:
>
>         Hello all,
>
>         In order to prepare the merge of the NSS branch to the trunk, I
>         have validated the code in this branch by passing this
>         validation document written by Emilien Kia :
>
>         http://www.networkupstools.org/tmp/NUT-NSS_Mini_DVT_Plan-final.pdf
>
>         The testing has been done on rev 3685 of the ssl-nss-port branch.
>         As you can read, I have found no issue.
>
>         Let me know if you have any comments on this.
>
>
>     What is the value of creating two CA's? If you have one
>     infrastructure, why not have one CA and issue all certificates from
>     that one CA?
>
>
> There are 2 CAs for testing purposes of cascaded certificates and CAs.
> Refer to tests 3.3.3.1 to 3.3.3.4 for the end results; you will see that
> CA2 causes failures (as expected).
>
>     You should also check for the existence of NSPR in NUT_CHECK_LIBNSS,
>     especially since you've hardcoded those libraries as a fallback.
>
>
> valid, I've added it to the TODO list, for post merge.
>
>     It isn't clear, can you have an NSS database with no password set?
>
>
> not sure.
> As per Emilien's comment, this passwd may be used to encrypt the DB.
> Thus, no passwd would either mean that the DB is not accessible (if
> password is mandatory) or not encrypted.
>
>     In server/netssl.c::nss_error you use a buffer of size SMALLBUF and
>     in ssl_error 256. Why the difference?
>
>
> Error on the coder side. I've also added it to the TODO list, for post
> merge,
> though I'm not yet sure which one is more suitable (I haven't looked at
> the code).
>
>     The NSS code looks good to me.
>
>
> thanks, I like to have tons of eyes looking
>
> @Rob & Michal: side question, what's the NSS status in RedHat? Do you
> see anything more we can do in NUT to improve the upcoming NSS / NUT
> integration?

Hi Arnaud,

the NSS status is quite complicated. There were/are a lot of tools that
need to be converted to use NSS. The work was (and still is) slow, but
we needed certification sooner. So there was other work: to make
OpenSSL get FIPS certification. As a result of the OpenSSL FIPS
certification, the priority of the NSS changes got lower. That's all the brief
info I have. This is all the security team's work, so I don't get too much
information.
