Nut upsdev - Nov 2020 - TLS, was [IANA #1182277] AutoReply: Port Number (3493) Modification

On Wed, 11 Nov 2020, Jim Klimov wrote:
> I agree with you. Probably similar could be done with stunnel, to avoid 
> maintaining in NUT a fast moving target of modern cryptography. And indeed
it
> may be better in terms of switching real deployments to new protocols if
old
> ones are deemed insecure, with implementations made by people hopefully
better
> knowledgeable about the nuances involved, and/or just more exposed to
discover
> and fix security bugs faster.
Python3 provides a very thin wrapper around openSSL's TLS.  This exposes the
default openSSL options which automatically call for the most recent version of 
TLS and reject the old deprecated SSL versions.  This simplifies maintenance. 
The certificates which are also created using a thin Python3 wrapper around 
openSSL also benefit from the default "most secure" options.  However
it is
essential to read RFC 5280 (Internet X.509 Public Key Infrastructure 
Certificate), and presumably whatever will replace it in a couple of years.
> One of my later points was that a dedicated solution (here SSL wrapper) on
a
> dedicated port may be also a limiting factor. If a dialog is expected to
start
> in a specific crypto protocol mode, 
The openSSL dialog starts using the default "most secure" options, but
without
specifying them.  Working out the details is for openSSL.
> it may be problematic to talk a completely different protocol on the same
port
> in the future. STARTTLS or similar approaches elude that, by talking
initially
> in a future-proof (e.g. plaintext) protocol and there agreeing on
capabilities
> and desires of the sides. 
> That said, a crypto protocol designed to be extensible might avoid that
too.
> Given how the web or SMTPS iterated through generations of SSL and TLS, it
may
> be not a bottleneck either.
> 
> Jim
> 
> On Wed, Nov 11, 2020, 17:28 Roger Price <roger at rogerprice.org>
wrote:
>       On Wed, 11 Nov 2020, Jim Klimov wrote:
>
>       > Interesting, thanks. 
>       > But given the limited amount of port numbers, in IANA's
shoes I'd suggest to consider enabling STARTTLS (like in SMTP) so switching
into
>       security mode
>       > could be negotiated in a single-port dialog. Especially as NUT
protocol is text-based similarly.
>       >
>       > Back in my ISP providering days, we had similar paperwork to
prove to self and others why we need the limited resource of more IPv4 address
>       ranges.
>       >
>       > I suppose for STARTTLS we could inspire from sendmail or other
such daemons.
>       >
>       > Would that make sense to you? It is likely more complex than
hardcoding the default port for SSL wrapping, if we are easily given one. But
>       still it may be
>       > more simple to manage (think firewall rules) too... And
potentially more extensible to dynamically switch into more future protocol
>       versions.
>
>       NUT is a mature project which will continue to advance at a
"mature" speed.
>       However TLS moves quickly and in little time previous versions are
deprecated
>       and refused.  I wrote a thin daemon to sit next to upsd which
receives TLS
>       encoded traffic on port 401 at the latest security level, and relays
it to upsd
>       on port 3493.  It currently runs on Debian and openSUSE, and seems to
me to be a
>       way in which NUT could meet all network security obligations, without
upsetting
>       the regular development cycle.  For such an approach, two ports are
essential.
>
>       Roger

On Wed, 11 Nov 2020, Roger Price wrote:
> I have written to the IT department at the University of Ohio about
assignment
> of ups/401, and documentation of the protocol.  The assignee, Charles
Bennett,
> worked for the U of Ohio chemistry department when ups/401 was registered. 
> He died in 2015.  I have yet to get a reply from the IT people.
> If I don't get a reply I will call Keith Brock IT Support Senior
Specialist,
> but I don't expect much.  I'm sure ups/401 is dead but I need an 
> acknowledgement of that from Ohio before proposing anything to you.
I've just called Keith Brock.  I said who I was, and then said "I am
calling you
about IANA port 401 which I believe is assigned to the University of Ohio."
He
promptly hung up on me, so not only is there no contact point, but I guess port 
401 is thoroughly dead.

Roger