Nut upsdev - Sep 2022 - Fwd: [networkupstools/nut] Hide 'Init SSL without certificate database' message for upsc (PR #1662)

On Fri, 16 Sep 2022, Jim Klimov via Nut-upsdev wrote:
> Hello all,
> ? Here's a PR I want to ask community about: should NUT clients like
upsc report (log!) or hide the infamous 'Init SSL without certificate
> database' message?
> 
> ? On one hand, it is a reminder that the setup is insecure (plaintext
protocol, might be in an externally provided tunnel but we don't
> know that). On another, it is fairly annoying and if it does clutter
syslog/journal from cron jobs etc. - is also somewhat toxic (causes
> I/O, uses space) if deployment owner is not going to do anything about it
anyway for whatever reason (LAN, VPN, SSH tunnel...).
> 
> ? That PR proposes to hide the message by default, with debug level 1. One
alternative is to use debug level 0 so it always pops up on
> stderr like now, but does not hit the syslog.
It seems to me that the alternative, to use debug level 0 so that the message 
always appears on stderr but does not go to syslog, is the best compromise.

In modern times, plain text transmission is a weakness which should not be 
ignored.  If there is an external solution in place, e.g. a tunnel, then the 
call to upsc should accompanied by 2>/dev/null.

Currently the man page does not mention the stderr message.  Perhaps it should, 
together with a suggestion to use 2>/dev/null if the message is not relevant.

The reference to "SSL" could be replaced by "TLS".  All SSL
protocols are now
deprecated (as are TLS 1.0 and 1.1).

Roger

On September 16, 2022 11:08:09 AM GMT+03:00, Roger Price <roger at
rogerprice.org> wrote:
>On Fri, 16 Sep 2022, Jim Klimov via Nut-upsdev wrote:
>
>> Hello all,
>> ? Here's a PR I want to ask community about: should NUT clients
like upsc report (log!) or hide the infamous 'Init SSL without certificate
>> database' message?
>> 
>> ? On one hand, it is a reminder that the setup is insecure (plaintext
protocol, might be in an externally provided tunnel but we don't
>> know that). On another, it is fairly annoying and if it does clutter
syslog/journal from cron jobs etc. - is also somewhat toxic (causes
>> I/O, uses space) if deployment owner is not going to do anything about
it anyway for whatever reason (LAN, VPN, SSH tunnel...).
>> 
>> ? That PR proposes to hide the message by default, with debug level 1.
One alternative is to use debug level 0 so it always pops up on
>> stderr like now, but does not hit the syslog.
>
>It seems to me that the alternative, to use debug level 0 so that the
message always appears on stderr but does not go to syslog, is the best
compromise.
>
>In modern times, plain text transmission is a weakness which should not be
ignored.  If there is an external solution in place, e.g. a tunnel, then the
call to upsc should accompanied by 2>/dev/null.
>
>Currently the man page does not mention the stderr message.  Perhaps it
should, together with a suggestion to use 2>/dev/null if the message is not
relevant.
>
>The reference to "SSL" could be replaced by "TLS".  All
SSL protocols are now deprecated (as are TLS 1.0 and 1.1).
>

+1 to all of Roger's suggestions

wolfy
>Roger