Arjen de Korte
2010-Nov-28 18:25 UTC
[Nut-upsdev] [nut-commits] svn commit r2708 - in branches/ssl-nss-port: clients m4 server
Citeren Arjen de Korte <adkorte-guest op alioth.debian.org>:> Log: > Use the 'nss_compat_ossl' compatibility layer to use the Mozilla NSS > library instead of OpenSSL (we might want to include native support > in the future, but this will at least allow a quick migration for > testing purposes)I don't recall that we ever discussed the possibility of adding NSS support by using the 'nss_compat_ossl' OpenSSL compatibility layer. Just to be sure, I added this to see if this is a workable solution. On my (openSUSE) system this seems to build without problems. Having said that, I'm not sure how future proof this will be. It could be that in the end we want to use the native NSS functions instead. I didn't spend any time on this (and have no desire to do so either) so I have no idea how much work that would be (but maybe our new team member Emilien can work this out). Best regards, Arjen -- Please keep list traffic on the list (off-list replies will be rejected)
Arjen de Korte
2010-Nov-28 19:32 UTC
[Nut-upsdev] [nut-commits] svn commit r2708 - in branches/ssl-nss-port: clients m4 server
Citeren Arjen de Korte <nut+devel op de-korte.org>:> I don't recall that we ever discussed the possibility of adding NSS > support by using the 'nss_compat_ossl' OpenSSL compatibility layer. > Just to be sure, I added this to see if this is a workable solution. > On my (openSUSE) system this seems to build without problems.Note that I intentionally wrote 'build without problems'. So far, I haven't been able to successfully run the upsd server with NSS instead of OpenSSL. Most likely this is due to not understanding how the certificate system works with NSS. At the moment, the SSL_init_library() call bombs out rather ungracefully with exit(1) (no error message logged). Most likely, the underlying NSS_Init(certDir) call fails. I guess I need to setup a certificate store (?) somehow. And we'll sure need to make this a more descriptive error message... :-) Best regards, Arjen PS Steep learning curve ahead... :-) -- Please keep list traffic on the list (off-list replies will be rejected)
Charles Lepple
2010-Nov-29 03:38 UTC
[Nut-upsdev] [nut-commits] svn commit r2708 - in branches/ssl-nss-port: clients m4 server
On Nov 28, 2010, at 1:25 PM, Arjen de Korte wrote:> I don't recall that we ever discussed the possibility of adding NSS > support by using the 'nss_compat_ossl' OpenSSL compatibility layer. > Just to be sure, I added this to see if this is a workable solution. > On my (openSUSE) system this seems to build without problems.Arjen, I haven't found where that compatibility layer might be hiding in Ubuntu/Debian. Looks like I might be able to just download and build the tarball, though, since Ubuntu 8.04 has NSS 3.12.8: http://rcritten.fedorapeople.org/nss_compat_ossl.html -- Charles Lepple
Arnaud Quette
2010-Nov-30 12:58 UTC
[Nut-upsdev] [nut-commits] svn commit r2708 - in branches/ssl-nss-port: clients m4 server
2010/11/28 Arjen de Korte <nut+devel at de-korte.org <nut%2Bdevel at de-korte.org>>> Citeren Arjen de Korte <adkorte-guest at alioth.debian.org>: > > > Log: >> Use the 'nss_compat_ossl' compatibility layer to use the Mozilla NSS >> library instead of OpenSSL (we might want to include native support in the >> future, but this will at least allow a quick migration for testing purposes) >> > > I don't recall that we ever discussed the possibility of adding NSS support > by using the 'nss_compat_ossl' OpenSSL compatibility layer. Just to be sure, > I added this to see if this is a workable solution. On my (openSUSE) system > this seems to build without problems. > > Having said that, I'm not sure how future proof this will be. It could be > that in the end we want to use the native NSS functions instead. I didn't > spend any time on this (and have no desire to do so either) so I have no > idea how much work that would be (but maybe our new team member Emilien can > work this out). >considering the availability of nss-compat vs. nss, I doubt it's a good idea to go this way. Emilien has made a few tests on Debian based system, and the conclusion are clearly in favor of nss (ie not compat). though the underlying idea of nss-compat was good, it seems not that people / distro have adhered to this approach. I've asked Emilien to concentrate on a native nss implementation. FYI, his first investigation seems to show that implementation won't be the hardest part, but documentation and setup will... It also seems, after an update round on my side, that the standardization on nss pushed by Fedora and Suse has not yet made its way. cheers, Arnaud -- Linux / Unix Expert R&D - Eaton - http://powerquality.eaton.com Network UPS Tools (NUT) Project Leader - http://www.networkupstools.org/ Debian Developer - http://www.debian.org Free Software Developer - http://arnaud.quette.free.fr/ -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.alioth.debian.org/pipermail/nut-upsdev/attachments/20101130/74734964/attachment.htm>
Seemingly Similar Threads
- Announce: new team member (to work on Mozilla NSS port)
- [nut-commits] svn commit r2809 - branches/ssl-nss-port/server
- [nut-commits] svn commit r2804 - in branches/ssl-nss-port: clients server
- NSS support in trunk (was: NSS branch pull request)
- [nut-commits] svn commit r2706 - in branches/ssl-nss-port: . clients docs m4 server