EmilienKia at Eaton.com
2011-Jan-13 08:24 UTC
[Nut-upsdev] SSL certificate verification with OpenSSL in NUT trunk
Hi all,

After the client certificate verification discussion on the mailing list, I have done some tests with NUT trunk and - if my config is not too bad - I think there is a bug with server certificate verification.

With a clean trunk checkout, compile and installation, and with the following config:

upsmon.conf:
    CERTPATH /usr/local/ups/etc/cert/
    CERTVERIFY 1
    FORCESSL 1

upsd.conf:
    CERTFILE /usr/local/ups/etc/upsd1.pem

And /usr/local/ups/etc/cert/ is empty (no file).

When I start upsd and upsmon, there is a valid SSL connection between them.

So, do I misunderstand the CERTVERIFY directive? Or is there a bug?
Can you reproduce such behaviour?

BR,
Emilien
Arjen de Korte
2011-Jan-13 11:34 UTC
[Nut-upsdev] SSL certificate verification with OpenSSL in NUT trunk
Quoting EmilienKia at Eaton.com:

> With a clean trunk checkout, compile and installation; and with the
> following config :
>
> upsmon.conf:
> CERTPATH /usr/local/ups/etc/cert/
> CERTVERIFY 1
> FORCESSL 1

First off, you're not supposed to use both CERTVERIFY and FORCESSL. FORCESSL is intended to be used in cases where you can't verify the validity of a certificate, but still want to enforce the use of any presented. See 'docs/ssl.txt' from the nut-2.4.3 branch (this file didn't make it into AsciiDoc).

> So, do I misunderstand CERTVERIFY directive ? Or is there a bug ?
> Can you reproduce such behaviour ?

I'm not sure what is going on. Can you try running 'upsmon' with debugging enabled?

The following are the results of my tests here. In all cases, the upsd server is running with a valid PositiveSSL certificate (so the root CA that signed this certificate is trusted without further configuration):

upsmon.conf (valid):
    CERTPATH /etc/ssl/certs/
    CERTVERIFY 1

# upsmon -DD
Network UPS Tools upsmon 2.6.0-pre1-2819
   0.000000  UPS: mge-usb op localhost (master) (power value 1)
   0.000457  Using power down flag file /etc/killpower
   0.000962  debug level is '2'
   0.003348  Trying to connect to UPS [mge-usb op localhost]
   0.024697  Logged into UPS mge-usb op localhost
   0.025804  pollups: mge-usb op localhost [SSL]
   0.026283  parse_status: [OL CHRG]

-----------

upsmon.conf (demo CA, not the one that signed the server certificate):
    CERTPATH /etc/ssl/certs/demo
    CERTVERIFY 1

# upsmon -DD
Network UPS Tools upsmon 2.6.0-pre1-2819
   0.000000  UPS: mge-usb op localhost (master) (power value 1)
   0.000465  Using power down flag file /etc/killpower
   0.001071  debug level is '2'
   0.003841  Trying to connect to UPS [mge-usb op localhost]
   0.016105  Can't set username on [mge-usb op localhost]: SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
   5.016263  pollups: mge-usb op localhost
   5.016345  Poll UPS [mge-usb op localhost] failed - Driver not connected
   5.016368  do_notify: ntype 0x0005 (COMMBAD)
   5.016402  Communications with UPS mge-usb op localhost lost
   5.016771  Dropping connection to UPS [mge-usb op localhost]

-----------

upsmon.conf (empty directory):
    CERTPATH /etc/ssl/certs/empty
    CERTVERIFY 1

# upsmon -DD
Network UPS Tools upsmon 2.6.0-pre1-2819
   0.000000  UPS: mge-usb op localhost (master) (power value 1)
   0.000481  Using power down flag file /etc/killpower
   0.000942  debug level is '2'
   0.004245  Trying to connect to UPS [mge-usb op localhost]
   0.016430  Can't set username on [mge-usb op localhost]: SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
   5.016599  pollups: mge-usb op localhost
   5.016682  Poll UPS [mge-usb op localhost] failed - Driver not connected
   5.016705  do_notify: ntype 0x0005 (COMMBAD)
   5.016724  Communications with UPS mge-usb op localhost lost
   5.017086  Dropping connection to UPS [mge-usb op localhost]

-----------

So whatever I try, if a valid certificate is not found, upsmon doesn't seem to connect.

Best regards, Arjen

--
Please keep list traffic on the list (off-list replies will be rejected)
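The two configuration problems the thread turns on (CERTVERIFY and FORCESSL set together, and a CERTPATH directory with nothing in it to verify against) are easy to catch before starting upsmon. The script below is an added example written for this archive page, not code from NUT or from either poster: it parses the simple "DIRECTIVE value" lines of upsmon.conf, reports the directive combination Arjen objects to, and inspects a CERTPATH directory the way OpenSSL's CApath lookup would see it (only files named with an 8-hex-digit subject hash plus ".N", as created by `openssl rehash` / c_rehash, are ever consulted). The sample config text and directory contents are constructed; the directive names are the real upsmon.conf ones.

```python
"""Pre-flight checks for upsmon SSL settings (added example, not NUT code).

Checks:
  1. CERTVERIFY 1 together with FORCESSL 1, a combination the NUT docs say not to use.
  2. A CERTPATH directory that OpenSSL's CApath lookup cannot use: empty,
     no PEM certificates, or certificates without hashed file names.
"""
import os
import re

# CApath lookup only opens files named <8 hex chars of subject hash>.<n>.
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")
PEM_MARKER = "-----BEGIN CERTIFICATE-----"


def parse_upsmon_conf(text):
    """Return {DIRECTIVE: value} for 'KEY value' lines; comments and blanks are skipped.
    If a directive appears twice, the last occurrence wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def config_findings(conf):
    """Findings (list of strings) about the SSL-related directives."""
    findings = []
    verify = conf.get("CERTVERIFY", "0") == "1"
    force = conf.get("FORCESSL", "0") == "1"
    if verify and force:
        findings.append("CERTVERIFY 1 and FORCESSL 1 are both set; use one or the other")
    if not verify and not force:
        findings.append("neither CERTVERIFY nor FORCESSL is set; upsmon will not insist on SSL")
    return findings


def audit_certpath_entries(entries):
    """Inspect a CERTPATH directory given as {filename: file content}.
    Returns (pem_certificate_count, hashed_name_count, findings)."""
    pem = sum(content.count(PEM_MARKER) for content in entries.values())
    hashed = sum(1 for name in entries if HASHED_NAME.match(name))
    findings = []
    if not entries:
        findings.append("CERTPATH is empty: every server certificate will fail verification")
    elif pem == 0:
        findings.append("CERTPATH contains files but no PEM certificates")
    elif hashed == 0:
        findings.append("PEM certificates present but none has a hashed name; run `openssl rehash` on the directory")
    return pem, hashed, findings


def audit_certpath(path):
    """Read a real directory from disk and hand it to audit_certpath_entries."""
    entries = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "r", errors="replace") as fh:
                entries[name] = fh.read()
    return audit_certpath_entries(entries)


# Constructed sample: the upsmon.conf from the first message in the thread.
SAMPLE_CONF = """\
CERTPATH /usr/local/ups/etc/cert/
CERTVERIFY 1
FORCESSL 1
"""

if __name__ == "__main__":
    conf = parse_upsmon_conf(SAMPLE_CONF)
    for f in config_findings(conf):
        print("config:", f)
    # The first message also had an empty CERTPATH directory.
    _, _, dir_findings = audit_certpath_entries({})
    for f in dir_findings:
        print("certpath:", f)
```

Point `audit_certpath()` at the directory named by CERTPATH on a real host; with the configuration from the first message it reports both the directive clash and the empty directory, which is exactly the situation in which Arjen's third test shows the handshake being refused.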