[Nut-upsdev] TLS support in NUT
Roger Price
roger at rogerprice.org
Tue Jun 15 10:54:50 BST 2021
On Sun, 13 Jun 2021, Manuel Wolfshant wrote:
> 1. There are a myriad of scripts written on top of openssl and certutil that
> allow implementing a CA and issuance of certificates, with easy-rsa probably
> leading the lot ...
>
> 2. nut can be very nicely wrapped behind stunnel if a point to point
> connection between master and slaves is needed. ... . Therefore, from my point
> of view, even if the python shim approach is smart and nice, I do not see it
> as being really needed.
The I-D has to have a Security Considerations chapter, and that chapter has to
talk about secure communication. The shims described in the I-D are a very
simple, stand-alone solution, and the implementation in upsdTLS.py and
upsmonTLS.py provides a demonstration of what the I-D says. Nothing in the I-D
says you have to use them: stunnel should be seen as the equivalent of "shims".
> A link to stunnel and an example included in the docs would do
> just as well.
A volunteer to write that doc, step forward!
Is stunnel maintained? Their tutorial at https://www.stunnel.org/howto.html was
last updated in August 2019, but it still talks about TCP wrappers for which the
last stable release 7.6 was by Wietse Venema himself April 08, 1997.
> With all due respect, the shim idea looks to me like a "not
> invented here" approach. To be clear: I am not opposed to it but I would
> certainly not use it when "yum install stunnel / apt install stunnel" are
> available.
I use the upsd shim to run my own upsmon which insists on
TLS 1.3. Hopefully with the next release of NUT, it won't be needed.
> 3. Last but not least, for anyone with low to moderate knowledge, letsencrypt
> takes minutes to setup and use and has the advantage of not requiring
> anything but running their script every 3 months.
Never overestimate a client! I was called to a NUT installation which had just
been hit by lightning. This was an expensive on-line model, but I couldn't find
it.
Q: Where is the UPS?
A: We threw it away.
Q: Why?
A: It stopped working.
Q: Did you try resetting the circuit breaker button?
A: What button?
Roger
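For the stunnel-based wrapping Manuel describes (and the doc Roger asks for), here is an added example of the two stunnel service definitions, one for the master and one for a slave; it is not code from NUT, the I-D or either poster. The hostname, certificate paths and the external port 3494 are assumptions; 3493 is upsd's default port, and the slave is assumed not to run its own upsd.

```ini
; ----- On the master (the host running upsd): e.g. /etc/stunnel/upsd.conf -----
; Assumed layout: stunnel terminates TLS on 3494 and hands plaintext to the
; local upsd on its default port 3493, which should then only listen on 127.0.0.1.
[upsd-tls]
accept  = 3494
connect = 127.0.0.1:3493
cert    = /etc/stunnel/master.crt
key     = /etc/stunnel/master.key
; Refuse anything older than TLS 1.3 (matches the upsmon requirement above).
sslVersionMin = TLSv1.3
; Require the slave to present a certificate chained to our private CA,
; so a plain TCP client cannot reach upsd through the tunnel.
CAfile      = /etc/stunnel/ca.crt
verifyChain = yes

; ----- On each slave (the host running upsmon): e.g. /etc/stunnel/upsmon.conf -----
; Assumed layout: stunnel listens locally on 3493 and opens TLS to the master.
[upsmon-tls]
client  = yes
accept  = 127.0.0.1:3493
connect = ups-master.example.org:3494
cert    = /etc/stunnel/slave.crt
key     = /etc/stunnel/slave.key
sslVersionMin = TLSv1.3
; Verify the master's chain against the private CA and check the name in
; its certificate, otherwise any host with a CA-signed cert could impersonate it.
CAfile      = /etc/stunnel/ca.crt
verifyChain = yes
checkHost   = ups-master.example.org
```

With this in place, upsmon on the slave is pointed at localhost, e.g. `MONITOR myups@localhost:3493 1 monuser password slave`, and never sees the TLS side. Certificates for the private CA can be issued with easy-rsa or any of the openssl scripts Manuel mentions.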