[Nut-upsdev] [nut-commits] svn commit r2809-branches/ssl-nss-port/server

EmilienKia at Eaton.com EmilienKia at Eaton.com
Tue Jan 11 12:58:10 UTC 2011

	2011/1/10 Arjen de Korte <nut+devel at de-korte.org>
	

		Quoting EmilienKia at Eaton.com:
		
		

			The main reason is to homogenize directive names between apps (mainly upsmon which uses CERTPATH and upsd which uses CERTNAME) to set the same property.
			

		Why? The use of CERTFILE (OpenSSL only) and CERTPATH/CERTIDENT/CERTREQUEST (NSS only) is completely different. We have nothing to gain by reducing the number of directives here, since we will need different instructions on how to fill them anyway.
		
		Using different names will help us help people much more easily, since the directives they see in upsd.conf will already tell us if NUT was built to use the OpenSSL or NSS libraries.
		
		

			As ssl support compilation is exclusive (only openssl or nss at the same time), I do not see any reason to keep two directives in parallel (one per compile profile) doing the same thing (pointing to the certificate database, in the form of a single file or a directory).
			

		These should be surrounded by #ifdef/#endif directives and make upsd complain loudly about directives it doesn't understand. So if someone is accidentally using CERTFILE if NUT was built with NSS, it should inform them right away (not when the certificate store is being accessed). Similarly the other way around.
		
		

			About the configuration directives, only CERTFILE/CERTPATH changes content (a directory instead of a file) but the semantics are kept unchanged. All other SSL related directives are just for NSS mode. So generating different .conf.sample files is IMHO disproportionate relative to the few alterations. Perhaps add a few lines of comment in these .conf.sample files?
			

		You forget about the amount of problems we will see when people start switching over from OpenSSL to NSS. There is pretty much nothing to gain by consolidating these directives into one. What's wrong with
		
		# CERTFILE <certificate file> (OpenSSL only)
		# CERTFILE /usr/local/ups/etc/upsd.pem
		
		# CERTPATH <certificate directory> (NSS only)
		# CERTPATH /usr/local/ups/etc/cert/upsd
		
		# CERTIDENT <certificate name> <database password> (NSS only)
		# CERTIDENT "my nut server" "MyPasSw0rD"
		
		# CERTREQUEST <certificate request level> (NSS only)
		# CERTREQUEST [0|1|2]
		#  - 0 to not request to clients to provide any certificate
		#  - 1 to require to all clients a certificate
		#  - 2 to require to all clients a valid certificate
		
		valid points!
		
		Emilien, can you please adapt the code as per the above.
		I'll check how we can condition the conf sample and highlight the SSL support type in the doc.
		
		

Done in r2817.
 
What about CERTPATH in upsmon.conf ?
 
BR
Emilien
 
 
PS:
It seems f#####k Outlook sent this message without my response, really sorry for the noise.
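
The #ifdef/#endif handling discussed in this thread, as an added example that is not part of the original message and not NUT's own code: each directive is only recognised in the build that supports it, and anything else is rejected at parse time. The macro names WITH_OPENSSL/WITH_NSS, the ssl_directive() helper, the ssl_conf holder and the return codes are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Assumption: the build defines one of WITH_OPENSSL / WITH_NSS; default to NSS here. */
#if !defined(WITH_OPENSSL) && !defined(WITH_NSS)
#define WITH_NSS 1
#endif
enum { CONF_OK = 0, CONF_UNKNOWN = -1, CONF_BAD_ARGS = -2 };
/* Hypothetical settings holder, not upsd's real structure. */
static struct { char cert[256], name[128], passwd[128]; int request; } ssl_conf;

static int set_str(char *dst, size_t len, const char *src)
{
	if (src == NULL || strlen(src) >= len)
		return CONF_BAD_ARGS;
	strcpy(dst, src);
	return CONF_OK;
}

/* Handle one SSL directive from upsd.conf; a2 may be NULL. */
int ssl_directive(const char *key, const char *a1, const char *a2)
{
	if (key == NULL || a1 == NULL)
		return CONF_BAD_ARGS;
#ifdef WITH_OPENSSL
	if (!strcmp(key, "CERTFILE"))      /* single certificate file */
		return set_str(ssl_conf.cert, sizeof ssl_conf.cert, a1);
#endif
#ifdef WITH_NSS
	if (!strcmp(key, "CERTPATH"))      /* certificate directory */
		return set_str(ssl_conf.cert, sizeof ssl_conf.cert, a1);
	if (!strcmp(key, "CERTIDENT"))     /* certificate name + database password */
		return set_str(ssl_conf.name, sizeof ssl_conf.name, a1) == CONF_OK
			? set_str(ssl_conf.passwd, sizeof ssl_conf.passwd, a2) : CONF_BAD_ARGS;
	if (!strcmp(key, "CERTREQUEST")) { /* request level: 0, 1 or 2 only */
		if (a1[0] < '0' || a1[0] > '2' || a1[1] != '\0')
			return CONF_BAD_ARGS;
		ssl_conf.request = a1[0] - '0';
		return CONF_OK;
	}
#endif
	/* Complain at parse time, not when the certificate store is first accessed. */
	fprintf(stderr, "upsd.conf: directive %s is not supported by this build\n", key);
	return CONF_UNKNOWN;
}

int main(void)
{
	/* Constructed input: an OpenSSL-style line; rejected (-1) when built for NSS. */
	printf("CERTFILE -> %d\n", ssl_directive("CERTFILE", "/usr/local/ups/etc/upsd.pem", NULL));
	return 0;
}
```

Compiling with -DWITH_OPENSSL flips the behaviour: CERTFILE is accepted and the three NSS directives are reported as unsupported.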
