Nut upsdev - Nov 2010 - [nut-commits] svn commit r2708 - in branches/ssl-nss-port: clients m4 server

Citeren Arjen de Korte <adkorte-guest op alioth.debian.org>:
> Log:
> Use the 'nss_compat_ossl' compatibility layer to use the Mozilla
NSS
> library instead of OpenSSL (we might want to include native support  
> in the future, but this will at least allow a quick migration for  
> testing purposes)
I don't recall that we ever discussed the possibility of adding NSS  
support by using the 'nss_compat_ossl' OpenSSL compatibility layer.  
Just to be sure, I added this to see if this is a workable solution.  
On my (openSUSE) system this seems to build without problems.

Having said that, I'm not sure how future proof this will be. It could  
be that in the end we want to use the native NSS functions instead. I  
didn't spend any time on this (and have no desire to do so either) so  
I have no idea how much work that would be (but maybe our new team  
member Emilien can work this out).

Best regards, Arjen
-- 
Please keep list traffic on the list (off-list replies will be rejected)

Citeren Arjen de Korte <nut+devel op de-korte.org>:
> I don't recall that we ever discussed the possibility of adding NSS  
> support by using the 'nss_compat_ossl' OpenSSL compatibility layer.
> Just to be sure, I added this to see if this is a workable solution.  
> On my (openSUSE) system this seems to build without problems.
Note that I intentionally wrote 'build without problems'. So far, I  
haven't been able to successfully run the upsd server with NSS instead  
of OpenSSL. Most likely this is due to not understanding how the  
certificate system works with NSS. At the moment, the  
SSL_init_library() call bombs out rather ungracefully with exit(1) (no  
error message logged). Most likely, the underlying NSS_Init(certDir)  
call fails. I guess I need to setup a certificate store (?) somehow.  
And we'll sure need to make this a more descriptive error message... :-)

Best regards, Arjen

PS Steep learning curve ahead... :-)
-- 
Please keep list traffic on the list (off-list replies will be rejected)

On Nov 28, 2010, at 1:25 PM, Arjen de Korte wrote:
> I don't recall that we ever discussed the possibility of adding NSS  
> support by using the 'nss_compat_ossl' OpenSSL compatibility layer.
> Just to be sure, I added this to see if this is a workable solution.  
> On my (openSUSE) system this seems to build without problems.
Arjen,

I haven't found where that compatibility layer might be hiding in  
Ubuntu/Debian. Looks like I might be able to just download and build  
the tarball, though, since Ubuntu 8.04 has NSS 3.12.8:

http://rcritten.fedorapeople.org/nss_compat_ossl.html

-- 
Charles Lepple

2010/11/28 Arjen de Korte <nut+devel at de-korte.org <nut%2Bdevel at
de-korte.org>
>
> Citeren Arjen de Korte <adkorte-guest at alioth.debian.org>:
>
>
>  Log:
>> Use the 'nss_compat_ossl' compatibility layer to use the
Mozilla NSS
>> library instead of OpenSSL (we might want to include native support in
the
>> future, but this will at least allow a quick migration for testing
purposes)
>>
>
> I don't recall that we ever discussed the possibility of adding NSS
support
> by using the 'nss_compat_ossl' OpenSSL compatibility layer. Just to
be sure,
> I added this to see if this is a workable solution. On my (openSUSE) system
> this seems to build without problems.
>
> Having said that, I'm not sure how future proof this will be. It could
be
> that in the end we want to use the native NSS functions instead. I
didn't
> spend any time on this (and have no desire to do so either) so I have no
> idea how much work that would be (but maybe our new team member Emilien can
> work this out).
>
considering the availability of nss-compat vs. nss, I doubt it's a good idea
to go this way.
Emilien has made a few tests on Debian based system, and the conclusion are
clearly in favor of nss (ie not compat).

though the underlying idea of nss-compat was good, it seems not that people
/ distro have adhered to this approach.
I've asked Emilien to concentrate on a native nss implementation.

FYI, his first investigation seems to show that implementation won't be the
hardest part, but documentation and setup will...
It also seems, after an update round on my side, that the standardization on
nss pushed by Fedora and Suse has not yet made its way.

cheers,
Arnaud
-- 
Linux / Unix Expert R&D - Eaton - http://powerquality.eaton.com
Network UPS Tools (NUT) Project Leader - http://www.networkupstools.org/
Debian Developer - http://www.debian.org
Free Software Developer - http://arnaud.quette.free.fr/
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.alioth.debian.org/pipermail/nut-upsdev/attachments/20101130/74734964/attachment.htm>