[Nut-upsdev] TLS support in NUT

Roger Price roger at rogerprice.org
Mon May 24 23:27:23 BST 2021


When writing the Internet-Draft (I-D) "UPS Management Protocol" [1], I was 
required by IETF rules to include a "Security Considerations" chapter.  This 
meant saying clearly that the SSL provisions in NUT for secure communication are 
now outdated and deprecated.

The IETF now insists on secure communication and this makes NUT's situation an 
issue for the project.

In order to encourage discussion of this issue I would like to propose an 
alternative to further work on upsd and the clients. I now have a working 
demonstration at https://github.com/networkupstools/TLS-Shims [2] of the TLS 
solution described in the I-D, and based on this demonstration, I would like to 
propose:

1. That NUT separate TLS support from the upsd and client daemons.  The 
advantage is that updates to TLS will not require modification of upsd or client 
code.

2. That since generation of server and client certificates is now becoming 
increasingly complicated, NUT provides a script which will produce a self-signed 
pair of certificates suitable for NUT server and clients.  An example
of such a script is included in the NUT TLS-Shims repository.

The demonstration scripts are written in simple Python 3.  They are not 
object-oriented.  I recognize that use of Python introduces an additional language 
constraint into the project, but the large user base of Python means that 
support will be available, and that interfaces such as Python/OpenSSL will 
remain up-to-date. In early versions of NUT the C code was crafted not to 
generate undue CPU load, but now processors are more than able to perform the 
same function in Python.

The scripts are thoroughly documented in a new Part 2 to the Configuration 
Examples version 2.0.  In addition to Python's own error messages which are 
well done, the option -D provides detailed debugging output.

The alternative to separating the TLS support is either abandoning security, or 
having to maintain it inside NUT, with more frequent releases needed to keep up 
with the rapid evolution of encryption.

Roger

[1] https://www.ietf.org/archive/id/draft-rprice-ups-management-protocol-03.html
[2] Many thanks to Jim for the git wizardry which made this possible.
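As an added illustration of proposal 1 above (this is not code from the TLS-Shims repository or from NUT): a minimal Python 3 shim that terminates TLS in its own process and relays bytes unchanged to a plain-text upsd on the loopback interface, so upsd itself never has to change when TLS does. The listen port 3494, the upsd address 127.0.0.1:3493, and the constructed LIST UPS exchange in loopback() are assumptions for the demonstration; the caller of hardened_context() loads the shim's certificate chain and the CA file produced by a cert-generation script.

```python
import socket
import ssl
import threading

def hardened_context():
    """Shim TLS policy: TLS 1.2 or newer, and every client must present a certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # mutual TLS; add load_cert_chain()/load_verify_locations()
    return ctx

def pump(src, dst):
    """Copy src -> dst until EOF or error, then shut both down so the other direction's recv() returns."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass

def relay(client, upstream):
    """Relay both directions until either side hangs up, then close both sockets."""
    t = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    t.start()
    pump(client, upstream)
    t.join()
    for s in (client, upstream):
        s.close()

def serve(ctx, listen=("0.0.0.0", 3494), upsd=("127.0.0.1", 3493)):
    """Accept TLS clients; only a connection that completes the handshake reaches upsd."""
    with socket.create_server(listen) as srv:
        while True:
            raw, _ = srv.accept()
            try:
                tls = ctx.wrap_socket(raw, server_side=True)   # client cert is checked here
            except (ssl.SSLError, OSError):
                continue                                        # rejected; the socket is already closed
            threading.Thread(target=relay, args=(tls, socket.create_connection(upsd)), daemon=True).start()

def loopback(request, reply):
    """Exercise relay() offline: socketpairs stand in for the TLS client and for upsd (constructed test)."""
    client_end, shim_client = socket.socketpair()
    shim_up, fake_upsd = socket.socketpair()
    threading.Thread(target=relay, args=(shim_client, shim_up), daemon=True).start()
    client_end.sendall(request)
    seen = fake_upsd.recv(4096)                  # what upsd would have received
    fake_upsd.sendall(reply)
    fake_upsd.close()                            # upsd hangs up, e.g. after LOGOUT
    return seen, b"".join(iter(lambda: client_end.recv(4096), b""))
```

Run serve(hardened_context()) after loading certificates to put the shim in front of a local upsd; loopback() shows the relay working without any TLS material present.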