[Nut-upsdev] TLS support in NUT

Manuel Wolfshant wolfy at nobugconsulting.ro
Tue Jun 15 13:57:13 BST 2021


On 6/15/21 12:54 PM, Roger Price wrote:
> On Sun, 13 Jun 2021, Manuel Wolfshant wrote:
>
>> 1. There are a myriad of scripts written on top of openssl and certutil 
>> that allow implementing a CA and issuance of certificates, with 
>> easy-rsa probably leading the lot ...
>>
>> 2. nut can be very nicely wrapped behind stunnel if a point to point 
>> connection between master and slaves is needed. ... . Therefore, from 
>> my point of view, even if the python shim approach is smart and nice, 
>> I do not see it as being really needed.
>
> The I-D has to have a Security Considerations chapter, and that 
> chapter has to talk about secure communication.

I see no problem with that. Are we allowed to say something along the lines of: "The 
communication between the components of nut is not itself encrypted. In 
the cases where additional security measures are needed, the 
communication can be encrypted as described in < here follows a document 
that includes the stunnel documentation for daemon mode adapted for 
wrapping upsd and, eventually, all the considerations about using 
certificates ; links to letsencrypt and easy-rsa could be provided as 
well >" ?


> The shims described in the I-D are a very simple, stand-alone 
> solution, and the implementation in upsdTLS.py and upsmonTLS.py 
> provides a demonstration of what the I-D says. Nothing in the I-D says 
> you have to use them: stunnel should be seen as the equivalent of 
> "shims".
>
>> A link to stunnel and an example included in the docs would do just 
>> as well.
>
> A volunteer to write that doc step forwards!

If no one else does it, I might give it a stab. I already took a peek at 
http://rogerprice.org/ISE-comments-2021-06-14.txt and most of the 
comments from the first half seem easy fixes. I cannot make any promises 
though because I am in the middle of 3 major $$WORK related projects.


>
> Is stunnel maintained?  Their tutorial at 
> https://www.stunnel.org/howto.html was last updated in August 2019, 
> but it still talks about TCP wrappers for which the last stable 
> release 7.6 was by Wietse Venema himself April 08, 1997.

Red Hat included stunnel in CentOS Stream 8 which means it will be part 
of RHEL 9 which is not yet launched. That would mean "maintained enough" 
for me but I checked at pkgs.org and there are recent packages for 
absolutely all linux distributions as well as for FreeBSD and OpenWRT. 
On top of that, most recent entry from 
https://www.stunnel.org/downloads.html lists latest stable versions 
released on May 9th 2021 and betas from May 28th 2021.

Despite being deprecated, TCP Wrappers is still available in RHEL 7 / 
CentOS 7 at least until their respective EOL (June 30, 2026 / June 
30, 2024) so I do not see any issue at all in having stunnel 
referencing them in the docs. https://access.redhat.com/node/4082531 
(the list of RHEL 7 packages that will be maintained for the extended 
life of RHEL 7, past its regular life) even includes TCP wrappers in 
the list.


>
>> With all due respect, the shim idea looks to me like a "not invented 
>> here" approach. To be clear: I am not opposed to it but I would 
>> certainly not use it when "yum install stunnel / apt install stunnel" 
>> are available.
>
> I use the upsd shim to run my own upsmon which insists on TLS 1.3.  
> Hopefully with the next release of NUT, it won't be needed.
>
>> 3. Last but not least, for anyone with low to moderate knowledge, 
>> letsencrypt takes minutes to setup and use and has the advantage of 
>> not requiring anything but running their script every 3 months.
>
> Never overestimate a client!   I was called to a NUT installation 

which means that they were wise enough to call a competent person. That 
enough is a step in the right direction.


> which had just been hit by lightning.  This was an expensive on-line 
> model, but I couldn't find it.
>
>  Q: Where is the UPS?
>  A: We threw it away.
>  Q: Why?
>  A: It stopped working.
>  Q: Did you try resetting the circuit breaker button?
>  A: What button?
>
Been there, done that :)

Small client (company with 5-6 people) talking on the phone with me 
(representing their ISP). The policy at the time mandated that "business 
clients" bypassed 1st level support and were routed directly to the core 
admins. The client below had their ADSL line and linux installed by 
yours truly so by matter of coincidence, I was pretty intimate with the 
setup from inside their company. Mr X referenced below was their manager.

Client: We cannot connect to internet

Me, after verifying the ADSL line and their ADSL router: Your ADSL line 
is OK but I cannot reach your linux router

C: What's that ?

Me: A PC which runs linux and should be always on. I installed it for 
you 3 months ago

C: Where is it ?

Me: In Mr X's office

C: Oh, I think we turned it off a few days ago, it was uselessly running. 
It did not even have a monitor or keyboard attached to it.
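
The stunnel wrapping of upsd discussed earlier in this message, sketched as an added example that is not part of the original post and not taken from the NUT or stunnel documentation. File paths, the host name ups-host.example.net, the UPS name myups and TLS port 3494 are assumptions; 3493 is the standard NUT port.

```ini
; ---- UPS host: /etc/stunnel/nut-server.conf (path is an assumption) ----
; upsd itself is bound to loopback only, in upsd.conf:
;   LISTEN 127.0.0.1 3493
; so the plaintext protocol never leaves the machine.
[nut-tls]
; TLS listener reachable from the monitoring hosts (3494 is an arbitrary choice)
accept  = 0.0.0.0:3494
; decrypted traffic is handed to the local upsd
connect = 127.0.0.1:3493
cert    = /etc/stunnel/upsd-cert.pem
key     = /etc/stunnel/upsd-key.pem
; refuse older protocol versions (needs stunnel built against OpenSSL 1.1.0+)
sslVersionMin = TLSv1.2

; ---- monitoring host: /etc/stunnel/nut-client.conf (path is an assumption) ----
[nut-tls]
client  = yes
; upsmon connects here in plaintext, on loopback only
accept  = 127.0.0.1:3493
connect = ups-host.example.net:3494
; stunnel does not verify the peer certificate unless told to:
; without the next three lines the link is encrypted but unauthenticated
CAfile      = /etc/stunnel/ca.pem
verifyChain = yes
checkHost   = ups-host.example.net
sslVersionMin = TLSv1.2
; upsmon.conf then points at the local end of the tunnel:
;   MONITOR myups@localhost 1 <user> <password> slave
```

The CA certificate in CAfile can come from any of the CA tooling mentioned in the thread; the key file should be readable only by the account stunnel runs as.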




