[Nut-upsuser] SSL only working in DEBUG mode

Melkor Lord melkor.lord at gmail.com
Sat Mar 21 16:06:39 UTC 2015


On Fri, Mar 20, 2015 at 4:40 PM, Emilien Kia <kiae.dev at gmail.com> wrote:

> Some precisions:
>
> we are not alone, some projects had similar problem:
> http://bugs.bitlbee.org/bitlbee/ticket/785
> And the problem is really coming from NSS initialization. Discussion about
> the issue here : http://osdir.com/ml/mozilla.crypto/2002-08/msg00016.html
>

Wow! Congratulations on finding the source of the problem, I bet this
wasn't easy!

I'm glad to see that NUT isn't faulty :-)


> There is a workaround to use NSS with fork but it is more setting a flag
> to share some resources (primarily sockets) but must (re)initialize NSS
> library on all children.
>
> AFAIK why we initialize NSS library before becoming user and forking is to
> be able to access and read certificates and keys which are readable only by
> root and should not be readable in userland. It behaves this way because
> it was the behavior used when using OpenSSL. Modifying this behavior
> implies modifying key/certificate storage and access right policy.
>

Well, NUT uses a dedicated unprivileged user to run ("nut" in my case) so
why not initialize the SSL stuff after forking?

Before forking, just check that the SSL cert/key files belong to the same
user as the user which started "upsd" and throw an error message to the
logs if it's not the case to warn the user. Then it's your decision whether
to "disable SSL usage" and continue or refuse "upsd" execution if
conditions are not met.

If it's convenient, make this part NSS dependent with the usual #ifdef
spaghetti :-) to avoid influence on the OpenSSL code.


-- 
Unix _IS_ user friendly, it's just selective about who its friends are.