Roger Price
2020-Nov-11 20:44 UTC
[Nut-upsdev] TLS, was [IANA #1182277] AutoReply: Port Number (3493) Modification
On Wed, 11 Nov 2020, Jim Klimov wrote:

> I agree with you. Probably similar could be done with stunnel, to avoid
> maintaining in NUT a fast moving target of modern cryptography. And indeed it
> may be better in terms of switching real deployments to new protocols if old
> ones are deemed insecure, with implementations made by people hopefully better
> knowledgeable about the nuances involved, and/or just more exposed to discover
> and fix security bugs faster.

Python3 provides a very thin wrapper around openSSL's TLS. This exposes the default openSSL options which automatically call for the most recent version of TLS and reject the old deprecated SSL versions. This simplifies maintenance. The certificates, which are also created using a thin Python3 wrapper around openSSL, also benefit from the default "most secure" options. However, it is essential to read RFC 5280 (Internet X.509 Public Key Infrastructure Certificate), and presumably whatever will replace it in a couple of years.

> One of my later points was that a dedicated solution (here SSL wrapper) on a
> dedicated port may be also a limiting factor. If a dialog is expected to start
> in a specific crypto protocol mode,

The openSSL dialog starts using the default "most secure" options, but without specifying them. Working out the details is for openSSL.

> it may be problematic to talk a completely different protocol on the same port
> in the future. STARTTLS or similar approaches elude that, by talking initially
> in a future-proof (e.g. plaintext) protocol and there agreeing on capabilities
> and desires of the sides.
>
> That said, a crypto protocol designed to be extensible might avoid that too.
> Given how the web or SMTPS iterated through generations of SSL and TLS, it may
> be not a bottleneck either.
>
> Jim
>
> On Wed, Nov 11, 2020, 17:28 Roger Price <roger at rogerprice.org> wrote:
>
> > On Wed, 11 Nov 2020, Jim Klimov wrote:
> >
> > > Interesting, thanks.
> > >
> > > But given the limited amount of port numbers, in IANA's shoes I'd suggest to
> > > consider enabling STARTTLS (like in SMTP) so switching into security mode
> > > could be negotiated in a single-port dialog. Especially as NUT protocol is
> > > text-based similarly.
> > >
> > > Back in my ISP providering days, we had similar paperwork to prove to self
> > > and others why we need the limited resource of more IPv4 address ranges.
> > >
> > > I suppose for STARTTLS we could inspire from sendmail or other such daemons.
> > >
> > > Would that make sense to you? It is likely more complex than hardcoding the
> > > default port for SSL wrapping, if we are easily given one. But still it may
> > > be more simple to manage (think firewall rules) too... And potentially more
> > > extensible to dynamically switch into more future protocol versions.
> >
> > NUT is a mature project which will continue to advance at a "mature" speed.
> > However TLS moves quickly and in little time previous versions are deprecated
> > and refused. I wrote a thin daemon to sit next to upsd which receives TLS
> > encoded traffic on port 401 at the latest security level, and relays it to upsd
> > on port 3493. It currently runs on Debian and openSUSE, and seems to me to be a
> > way in which NUT could meet all network security obligations, without upsetting
> > the regular development cycle. For such an approach, two ports are essential.
> >
> > Roger
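The two-port TLS front-end Roger describes (TLS in on port 401, plaintext relayed to upsd on 3493), written out as an added example; this is not Roger's daemon or NUT project code. It relies on Python's ssl defaults with the TLS 1.2 floor stated explicitly, assumes Python 3.8 or later, and the certificate and key file names are placeholders.

```python
import contextlib
import socket
import ssl
import threading

UPSD_ADDR = ("127.0.0.1", 3493)             # upsd's plaintext port, as in the mail
LISTEN_ADDR = ("0.0.0.0", 401)               # the TLS-facing port proposed in the mail
CERT, KEY = "upsd-tls.pem", "upsd-tls.key"   # assumed file names for this example

def build_tls_context():
    """Server context from Python's hardened defaults (SSLv2/SSLv3 and compression off)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # make the floor explicit, not implicit
    return ctx

def pump(src, dst, bufsize=4096):
    """Copy bytes src -> dst until EOF; returns bytes copied. NUT lines pass through unparsed."""
    total = 0
    while chunk := src.recv(bufsize):
        dst.sendall(chunk)
        total += len(chunk)
    return total

def serve_client(ctx, raw_conn):
    """TLS handshake with one client, then relay both ways to a fresh upsd connection."""
    try:
        tls_conn = ctx.wrap_socket(raw_conn, server_side=True)
    except (ssl.SSLError, OSError):   # e.g. client only offers pre-TLS 1.2 versions
        raw_conn.close()
        return
    with tls_conn, socket.create_connection(UPSD_ADDR) as upstream:
        def one_way(src, dst):
            with contextlib.suppress(OSError):   # peer reset, or other direction shut us down
                pump(src, dst)
            for s in (src, dst):                 # first direction to hang up tears down both
                with contextlib.suppress(OSError):
                    s.shutdown(socket.SHUT_RDWR)  # wakes the other pump out of recv()
        threading.Thread(target=one_way, args=(upstream, tls_conn), daemon=True).start()
        one_way(tls_conn, upstream)

def main():
    ctx = build_tls_context()
    ctx.load_cert_chain(CERT, KEY)
    with socket.create_server(LISTEN_ADDR) as listener:
        while True:
            conn, _ = listener.accept()
            threading.Thread(target=serve_client, args=(ctx, conn), daemon=True).start()

if __name__ == "__main__":
    main()
```

Binding port 401 needs root or CAP_NET_BIND_SERVICE; upsd itself stays bound to its plaintext port and never sees TLS.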
Roger Price
2020-Nov-12 16:30 UTC
[Nut-upsdev] TLS, was [IANA #1182277] AutoReply: Port Number (3493) Modification
On Wed, 11 Nov 2020, Roger Price wrote:

> I have written to the IT department at the University of Ohio about assignment
> of ups/401, and documentation of the protocol. The assignee, Charles Bennett,
> worked for the U of Ohio chemistry department when ups/401 was registered.
> He died in 2015. I have yet to get a reply from the IT people.
>
> If I don't get a reply I will call Keith Brock IT Support Senior Specialist,
> but I don't expect much. I'm sure ups/401 is dead but I need an
> acknowledgement of that from Ohio before proposing anything to you.

I've just called Keith Brock. I said who I was, and then said "I am calling you about IANA port 401 which I believe is assigned to the University of Ohio." He promptly hung up on me, so not only is there no contact point, but I guess port 401 is thoroughly dead.

Roger