2011/1/13 Arjen de Korte <nut+de...@de-korte.org>
> Citeren emilien...@eaton.com:
>
>> With a clean trunk checkout, compilation and installation; and with the
>> following config:
>>
>> upsmon.conf:
>> CERTPATH /usr/local/ups/etc/cert/
>> CERTVERIFY 1
>> FORCESSL 1
>
> First off, you're not supposed to use both CERTVERIFY and FORCESSL.
> FORCESSL is intended to be used in cases you can't verify the validity of a
> certificate, but still want to enforce the use of any presented. See the
> 'docs/ssl.txt' from the nut-2.4.3 branch (this file didn't make it into
> AsciiDoc).

This file (ssl.txt) was merged into security.txt as part of the AsciiDoc rewrite:
http://new.networkupstools.org/docs/user-manual.chunked/ar01s09.html#_recommended_make_upsmon_verify_all_connections_with_certificates

That being said, CERTVERIFY and FORCESSL are not mutually exclusive, and address two different issues (i.e. authentication and data encryption). The documentation simply states that FORCESSL guarantees that your data won't be sniffed, which is the bare minimum if you don't also use authentication.

From docs/security.txt:

  If you don't use 'CERTVERIFY 1', then this will at least make sure that
  nobody can sniff your sessions without a large effort (...)

>> So, do I misunderstand the CERTVERIFY directive? Or is there a bug?
>> Can you reproduce such behaviour?
>
> I'm not sure what is going on. Can you try running 'upsmon' with debugging
> enabled? The following are the results of my tests here. In all cases, the
> upsd server is running with a valid PositiveSSL certificate (so the root CA
> that signed this certificate is trusted without further configuration):
> (...)

We've had some findings with Emilien in the meantime. He's currently checking for a clean fix, so I'll let him describe the issue and the possible fix.
cheers,
Arnaud
--
Linux / Unix Expert R&D - Eaton - http://powerquality.eaton.com
Network UPS Tools (NUT) Project Leader - http://www.networkupstools.org/
Debian Developer - http://www.debian.org
Free Software Developer - http://arnaud.quette.free.fr/
_______________________________________________
Nut-upsdev mailing list
Nut-upsdev@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/nut-upsdev
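Added example, not part of the original thread or of the NUT project's shipped files: two upsmon.conf fragments that contrast the two security properties the thread discusses. Variant A enforces only encryption (FORCESSL), variant B is the thread's own combination and adds server authentication (CERTVERIFY with a CERTPATH). The host name, MONITOR credentials and certificate directory are hypothetical placeholders.

```conf
# Variant A: encryption only.
# upsmon refuses to talk to upsd in the clear, so the session (including the
# MONITOR password) cannot be read passively. Any certificate the server
# presents is accepted, so an active man-in-the-middle with its own
# certificate is not detected.
MONITOR myups@upsd.example.org 1 monuser secret slave
FORCESSL 1

# Variant B: encryption plus authentication (the configuration from the thread).
# CERTVERIFY 1 makes upsmon reject a server certificate that does not chain to
# a CA trusted via CERTPATH, so a connection to an impostor fails instead of
# succeeding silently. FORCESSL 1 is kept so that a plaintext session is never
# accepted either.
MONITOR myups@upsd.example.org 1 monuser secret slave
CERTPATH /usr/local/ups/etc/cert/
CERTVERIFY 1
FORCESSL 1
```

For the OpenSSL-based upsmon of this era, CERTPATH is passed to OpenSSL as a CA directory, which means the CA certificate has to be present under its hashed file name (the layout that c_rehash produces); a directory holding only a plain ca.pem will make every CERTVERIFY 1 connection fail. Running upsmon with debugging enabled, as suggested in the thread, is the quickest way to tell that failure apart from a genuinely bad server certificate.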