On Sun, 13 Jun 2021, Manuel Wolfshant wrote:
1. There are a myriad of scripts written on top of openssl and certutil that
allow implementing a CA and issuance of certificates, with easy-rsa probably
leading the lot ...
2. nut can be very nicely wrapped behind stunnel if a point to point
connection between master and slaves is needed. ... . Therefore, from my point
of view, even if the python shim approach is smart and nice, I do not see it
as being really needed.
The I-D has to have a Security Considerations chapter, and that chapter has to
talk about secure communication. The shims described in the I-D are a very
simple, stand-alone solution, and the implementation in upsdTLS.py and
upsmonTLS.py provides a demonstration of what the I-D says. Nothing in the I-D
says you have to use them: stunnel should be seen as the equivalent of "shims".
A link to stunnel and an example included in the docs would do
just as well.
A volunteer to write that doc step forwards!
Is stunnel maintained? Their tutorial at https://www.stunnel.org/howto.html was
last updated in August 2019, but it still talks about TCP wrappers for which the
last stable release 7.6 was by Wietse Venema himself April 08, 1997.
With all due respect, the shim idea looks to me like a "not
invented here" approach. To be clear: I am not opposed to it but I would
certainly not use it when "yum install stunnel / apt install stunnel" are
available.
I use the upsd shim to run my own upsmon which insists on
TLS 1.3. Hopefully with the next release of NUT, it won't be needed.
3. Last but not least, for anyone with low to moderate knowledge, letsencrypt
takes minutes to set up and use and has the advantage of not requiring
anything but running their script every 3 months.
Never overestimate a client! I was called to a NUT installation which had just
been hit by lightning. This was an expensive on-line model, but I couldn't find
it.
Q: Where is the UPS?
A: We threw it away.
Q: Why?
A: It stopped working.
Q: Did you try resetting the circuit breaker button?
A: What button?
Roger
_______________________________________________
Nut-upsdev mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/nut-upsdev
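The stunnel wrapping Manuel recommends above (point-to-point TLS between the upsd master and the upsmon slaves, with certificates from a private CA such as one built with easy-rsa), as an added example that is not code from the thread, from stunnel or from the NUT project. It assumes stunnel 5.x, a hypothetical master hostname nut-master.example.net, an extra TLS port 3494 (3493 is NUT's own port), and certificate paths under /etc/stunnel; all of those are placeholders for illustration. The check function at the end catches the configuration mistake that matters most here: encrypting the link without authenticating the master.

```shell
#!/bin/sh
# Added example, not from the thread or the NUT project. Hostnames, paths,
# and the 3494 TLS port are assumptions; 3493 is NUT's standard port.
# Assumed PKI: a private CA (e.g. easy-rsa) issued one cert per host.

# stunnel config for the master (the host running upsd). stunnel terminates
# TLS on 3494 and forwards to upsd on loopback 3493, so upsd.conf on the
# master should carry "LISTEN 127.0.0.1 3493" only.
write_server_conf() {
    cat > "$1" <<'EOF'
; stunnel.conf on the NUT master (upsd side)
foreground = no
pid = /run/stunnel-nut.pid
setuid = stunnel4
setgid = stunnel4

[nut-server]
accept  = 0.0.0.0:3494
connect = 127.0.0.1:3493
cert    = /etc/stunnel/nut-master.crt
key     = /etc/stunnel/nut-master.key
; mutual TLS: only slaves holding a cert from our private CA may connect
CAfile      = /etc/stunnel/nut-ca.crt
verifyChain = yes
requireCert = yes
; needs a recent stunnel 5.x; drop this line on older builds
sslVersionMin = TLSv1.3
EOF
}

# stunnel config for a slave (the host running upsmon). upsmon talks to
# loopback 3493 as usual; stunnel carries it to the master over TLS.
write_client_conf() {
    cat > "$1" <<'EOF'
; stunnel.conf on a NUT slave (upsmon side)
foreground = no
pid = /run/stunnel-nut.pid
setuid = stunnel4
setgid = stunnel4

[nut-client]
client  = yes
accept  = 127.0.0.1:3493
connect = nut-master.example.net:3494
cert    = /etc/stunnel/nut-slave.crt
key     = /etc/stunnel/nut-slave.key
; authenticate the master: chain must lead to our CA and the cert must name it
CAfile      = /etc/stunnel/nut-ca.crt
verifyChain = yes
checkHost   = nut-master.example.net
sslVersionMin = TLSv1.3
EOF
}

# Sanity check for either side: a section without CAfile + verifyChain gives
# encryption without authentication, and a client section without checkHost
# accepts any cert our CA ever issued as "the master". Returns 0 on pass.
check_conf() {
    f="$1"
    grep -q '^verifyChain *= *yes' "$f" || { echo "$f: missing verifyChain = yes" >&2; return 1; }
    grep -q '^CAfile *=' "$f"           || { echo "$f: missing CAfile" >&2; return 1; }
    if grep -q '^client *= *yes' "$f"; then
        grep -q '^checkHost *=' "$f"    || { echo "$f: client without checkHost" >&2; return 1; }
    fi
    return 0
}
```

With both files in place, upsmon.conf on each slave keeps a MONITOR line pointing at localhost, so upsmon itself never learns that TLS is involved; the master's upsd.conf restricts LISTEN to 127.0.0.1 so the plaintext port is not reachable from the network at all. Run check_conf against each generated file before starting stunnel.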