[Nut-upsdev] TLS support in NUT

Roger Price roger at rogerprice.org
Tue Jun 15 10:54:50 BST 2021

On Sun, 13 Jun 2021, Manuel Wolfshant wrote:

> 1. There are miriad of scripts written on top of openssl and certutil that 
> allow implementing a CA and issuance of certificates, with easy-rsa probably 
> leading the lot ...
> 2. nut can be very nicely wrapped behind stunnel if a point to point 
> connection between master and slaves is needed. ... . Therefore, from my point 
> of view, even if the python shim approach is smart and nice, I do not see it 
> as being really needed.

The I-D has to have a Security Considerations chapter, and that chapter has to 
talk about secure communication.  The shims described in the I-D are a very 
simple, stand-alone solution, and the implementation in upsdTLS.py and 
upsmonTLS.py provides a demonstration of what the I-D says. Nothing in the I-D 
says you have to use them: stunnel should be seen as the equivalent of "shims".

> A link to stunnel and an example included in the docs would do 
> just as well.

A volunteer to write that doc step forwards!

Is stunnel maintained?  Their tutorial at https://www.stunnel.org/howto.html was 
last updated in August 2019, but it still talks about TCP wrappers for which the 
last stable release 7.6 was by Wietse Venema himself April 08, 1997.

> With all due respect, the shim idea looks to me like a "not 
> invented here" approach. To be clear: I am not opposed to it but I would 
> certainly not use it when "yum install stunnel / apt install stunnel" are 
> available.

I use the upsd shim to run my own upsmon which insists on 
TLS 1.3.  Hopefully with the next release of NUT, it wont be needed.

> 3. Last but not least, for anyone with low to moderate knowledge, letsencrypt 
> takes minutes to setup and use and has the advantage of not requiring 
> anything but running their script every 3 months.

Never overestimate a client!   I was called to a NUT installation which had just 
been hit by lightning.  This was an expensive on-line model, but I couldn't find 

  Q: Where is the UPS?
  A: We threw it away.
  Q: Why?
  A: It stopped working.
  Q: Did you try resetting the circuit breaker button?
  A: What button?


More information about the Nut-upsdev mailing list