On 1/3/22 14:17, Roger Price wrote:> I have received a comment from a embedded Windows XP user, concerned > at being forced to use TLS encrypted communication by low budget "RFC > conforming" UPS units which do not allow unencrypted communication.I guess you meant _encrypted communication_ here> > Section 4.2.12 STARTTLS says ? The client tells the Attachment Daemon > (2.1) to switch to TLS encrypted communication ? but does not > explicitly say that if the command STARTTLS is not sent, the > Attachment and Management Daemons do not switch to encrypted > communication > > https://www.ietf.org/archive/id/draft-rprice-ups-management-protocol-05.html#name-starttls > > > I propose adding the following sentence to section 4.2.12: > > ?If the client does not send command STARTTLS to the Attachment Daemon > ?communication continues unencrypted.Sounds like a sane decision. Most [ low end ] UPSes do not know anything about encryption. What we can do is to recommend communication between upsd and ups-monitor to be encrypted.
On Mon, 3 Jan 2022, Manuel Wolfshant wrote:> On 1/3/22 14:17, Roger Price wrote: >> I propose adding the following sentence to section 4.2.12: >> >> ?If the client does not send command STARTTLS to the Attachment Daemon >> ?communication continues unencrypted. > > Sounds like a sane decision. Most [ low end ] UPSes do not know anything > about encryption. What we can do is to recommend communication between upsd > and ups-monitor to be encrypted.Should the Attachment Daemon upsd be able to defend itself against unencrypted access from misconfigured or possibly hostile clients? If so, how is this to be configured in the Attachment Daemon upsd? Is the presence of a CERTFILE or CERTIDENT declaration in upsd.conf sufficient? Roger