[Nut-upsdev] [nut-commits] svn commit r2809 -branches/ssl-nss-port/server
Arjen de Korte
nut+devel at de-korte.org
Mon Jan 10 20:47:46 UTC 2011
Citeren EmilienKia op Eaton.com:
> The main reason is to homogenize directive names between apps
> (mainly upsmon which uses CERTPATH and upsd which uses CERTNAME) to
> set the same property.
Why? The use of CERTFILE (OpenSSL only) and
CERTPATH/CERTIDENT/CERTREQUEST (NSS only) is completely different. We
have nothing to gain by reducing the number of directives here, since
we will need different instructions on how to fill them anyway.
Using different names will help us help people much more easily, since
the directives they see in upsd.conf will already tell us if NUT was
build to use the OpenSSL or NSS libraries.
Throughout NUT we should maintain a clear distinction whether a
filename is needed (like CERTFILE) or a directory (STATEPATH, DATAPATH
> Note that the CERTFILE directive is working but is just flagged as
> As ssl support compilation is exclusive (only openssl or nss at the
> same time), I do not see any reason to keep two directives in
> parallel (one per compile profile) doing the same thing (pointing to
> the certificate database, in the form of a single file or a
These should be surrounded by #ifdef/#endif directives and make upsd
complain loudly about directives it doesn't understand. So if someone
is accidentally using CERTFILE if NUT was build with NSS, it should
inform them right away (not when the certificate store is being
accessed). Similar the other way around.
> About configuration directive, only CERTFILE/CERTPATH change of
> content (a directory instead of a file) but the semantic is kept
> unchanged. All other SSL related directives are just for NSS mode.
> So generate different .conf.sample files is IMHO disproportionate
> related to the too few alterations. Perhaps add few lines of comment
> in these .conf.sample files?
You forget about the amount of problems we will see when people start
switching over from OpenSSL to NSS. There is pretty much nothing to
gain by consolidating these directives into one. What's wrong with
# CERTFILE <certificate file> (OpenSSL only)
# CERTFILE /usr/local/ups/etc/upsd.pem
# CERTPATH <certificate directory> (NSS only)
# CERTPATH /usr/local/ups/etc/cert/upsd
# CERTIDENT <certificate name> <database password> (NSS only)
# CERTIDENT "my nut server" "MyPasSw0rD"
# CERTREQUEST <certificate request level> (NSS only)
# CERTREQUEST [0|1|2]
# - 0 to not request to clients to provide any certificate
# - 1 to require to all clients a certificate
# - 2 to require to all clients a valid certificate
At best we would add some autoconf magic to only include the parts
that are used (so that we don't clutter the configuration files with
directives that are not used), but for the time being the above might
be good enough.
I'm one of the old dogs around here and even I already have problems
setting this up (let alone the novice NUT users that try to make this
Best regards, Arjen
Please keep list traffic on the list (off-list replies will be rejected)
More information about the Nut-upsdev