2011/1/13 Arjen de Korte <nut+devel at de-korte.org>
> Quoting EmilienKia at Eaton.com:
>
>> With a clean trunk checkout, compile and installation; and with the
>> following config:
>>
>> upsmon.conf:
>> CERTPATH /usr/local/ups/etc/cert/
>> CERTVERIFY 1
>> FORCESSL 1
>
> First off, you're not supposed to use both CERTVERIFY and FORCESSL.
> FORCESSL is intended to be used in cases you can't verify the validity
> of a certificate, but still want to enforce the use of any presented. See the
> 'docs/ssl.txt' from the nut-2.4.3 branch (this file didn't make it into
> AsciiDoc).

This file (ssl.txt) was merged into security.txt, part of the AsciiDoc rewrite:
http://new.networkupstools.org/docs/user-manual.chunked/ar01s09.html#_recommended_make_upsmon_verify_all_connections_with_certificates

That being said, CERTVERIFY and FORCESSL are not mutually exclusive, and
address two different issues (i.e. authentication and data encryption).
The documentation simply states that FORCESSL guarantees that your data
won't be sniffed, which is the bare minimum if you don't also use
authentication.

From docs/security.txt:
If you don't use 'CERTVERIFY 1', then this will at least make sure that
nobody can sniff your sessions without a large effort (...)

>> So, do I misunderstand the CERTVERIFY directive? Or is there a bug?
>> Can you reproduce such behaviour?
>
> I'm not sure what is going on. Can you try running 'upsmon' with debugging
> enabled? The following are the results of my tests here. In all cases, the
> upsd server is running with a valid PositiveSSL certificate (so the root CA
> that signed this certificate is trusted without further configuration):
> (...)

We've had some findings with Emilien in the meantime.
He's currently checking for a clean fix, so I'll let him describe the issue
and the possible fix.

cheers,
Arnaud
--
Linux / Unix Expert R&D - Eaton - http://powerquality.eaton.com
Network UPS Tools (NUT) Project Leader - http://www.networkupstools.org/
Debian Developer - http://www.debian.org
Free Software Developer - http://arnaud.quette.free.fr/
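As an added example, not part of this thread and not NUT's own code: a small Python audit that parses the SSL-related directives of an upsmon.conf and reports which of the two properties discussed above a given file actually enforces, peer authentication (CERTVERIFY 1 together with a CA store under CERTPATH) or encryption only (FORCESSL 1, which accepts any certificate). The sample configs are constructed; the first mirrors Emilien's. The fallback behaviour it assumes (without FORCESSL, upsmon continues in the clear when upsd does not offer SSL; with FORCESSL 1 but no CERTVERIFY 1, a man-in-the-middle presenting any certificate goes unnoticed) is one reading of upsmon.conf(5) and of the docs/security.txt quote above, so check it against the version you run.

```python
"""Audit the SSL-related directives in an upsmon.conf.

Added example for this thread, not NUT project code. It classifies what a
config enforces, using the directive meanings discussed in the thread:
CERTVERIFY 1 makes upsmon check the upsd certificate (authentication, needs
a CA store under CERTPATH); FORCESSL 1 only refuses non-SSL sessions
(encryption against passive sniffing, no identity check). Fallback
behaviour is an assumption taken from upsmon.conf(5).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SSL_DIRECTIVES = ("CERTPATH", "CERTVERIFY", "FORCESSL")

# Constructed sample configs (no real hosts or credentials).
SAMPLE_VERIFIED = """\
MONITOR myups@upsd.example.org 1 monuser secret master
CERTPATH /usr/local/ups/etc/cert/
CERTVERIFY 1
FORCESSL 1
"""
SAMPLE_FORCESSL_ONLY = """\
MONITOR myups@upsd.example.org 1 monuser secret master
FORCESSL 1     # encrypt, but accept whatever certificate upsd presents
"""
SAMPLE_DEFAULTS = """\
MONITOR myups@upsd.example.org 1 monuser secret master
# no SSL directives at all
"""


@dataclass
class SslPosture:
    certverify: bool
    forcessl: bool
    certpath: Optional[str]
    level: str                      # "authenticated" | "encrypted-only" | "unenforced"
    warnings: List[str] = field(default_factory=list)


def parse_directives(text: str) -> Dict[str, str]:
    """Pick the SSL directives out of upsmon.conf text.

    The file is line oriented: '#' starts a comment, the first word is the
    directive name, the rest of the line its argument. If a directive is
    repeated, the last occurrence wins (assumption made for this audit).
    """
    found: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        name = parts[0].upper()
        if name in SSL_DIRECTIVES:
            found[name] = parts[1].strip() if len(parts) > 1 else ""
    return found


def assess(text: str) -> SslPosture:
    """Classify what the config enforces and collect practitioner warnings."""
    d = parse_directives(text)
    certverify = d.get("CERTVERIFY", "0") == "1"
    forcessl = d.get("FORCESSL", "0") == "1"
    certpath = d.get("CERTPATH") or None
    warnings: List[str] = []

    if certverify:
        # Peer identity is checked against the CA store; this is the
        # "recommended" setting from docs/security.txt.
        level = "authenticated"
        if certpath is None:
            warnings.append("CERTVERIFY 1 without CERTPATH: no CA store to verify upsd against")
    elif forcessl:
        # Session is encrypted, but upsmon never checks who it is talking to.
        level = "encrypted-only"
        warnings.append("FORCESSL 1 without CERTVERIFY 1: session is encrypted, but any "
                        "certificate is accepted, so an active man-in-the-middle is not detected")
    else:
        # Assumption (upsmon.conf(5)): SSL is used when offered, else plaintext.
        level = "unenforced"
        warnings.append("neither CERTVERIFY 1 nor FORCESSL 1: a upsd that does not offer SSL "
                        "will be talked to in the clear")
    return SslPosture(certverify, forcessl, certpath, level, warnings)


if __name__ == "__main__":
    for name, cfg in (("verified", SAMPLE_VERIFIED),
                      ("forcessl-only", SAMPLE_FORCESSL_ONLY),
                      ("defaults", SAMPLE_DEFAULTS)):
        posture = assess(cfg)
        print(f"{name:14s} level={posture.level}")
        for w in posture.warnings:
            print(f"{'':14s}   warning: {w}")
```

Run it against a real file with `assess(open('/usr/local/ups/etc/upsmon.conf').read())`; the "encrypted-only" warning is exactly the case the docs/security.txt sentence quoted above describes.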