On Friday 28 August 2009 03:29:32 Charles Lepple wrote:
> On Aug 27, 2009, at 10:22 AM, Michal Hlavinka wrote:
> >> [...]
> >>
> >>>> ./usbhid-ups
> >>>> libusb-0.1.so.4 => /usr/lib64/libusb-0.1.so.4 (0x00000036fe600000)
> >>>> libssl.so.8 => /usr/lib64/libssl.so.8 (0x0000003d07000000)
> >>>> libcrypto.so.8 => /usr/lib64/libcrypto.so.8 (0x000000379c400000)
> >>>> libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x0000003d06c00000)
> >>>> libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x0000003d06800000)
> >>>> libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00000036f6200000)
> >>>> libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00000036f5200000)
> >>>
> >>> We could do better here. IIRC, the only reason why we link usbhid-ups
> >>> against OpenSSL is for calculating the hash of a HID descriptor, and that
> >>> mode does not seem to be used by default (and would never be used at
> >>> shutdown). That hash calculation could be moved into a file in NUT's
> >>> common directory.
> >>
> >> Michal,
> >>
> >> The code that required OpenSSL has been removed from the SVN trunk.
> >>
> >> I have not tested this particular patch against 2.4.1, but it should
> >> apply without much effort:
> >>
> >> http://boxster.ghz.cc/projects/nut/changeset/1947
> >
> > Hi Charles,
> >
> > this is awesome! Now only libusb makes some trouble, but I think it should be
> > in /lib, so I've started negotiating about this with libusb maintainer for
> > rhel and fedora.
>
> Sounds good.
>
> > Does this mean openssl was removed completely or only from usbhid-ups?
>
> None of the other drivers use OpenSSL (last I checked), so things
> should work at shutdown time (since the drivers are invoked directly).
>
> upsd and upsc can optionally communicate over SSL, but /usr should be
> available while upsd is running.

This brings me to my second "problem":

We would like to use nss for cryptography instead of OpenSSL. Reason for this is mostly for FIPS 140 validation. See:

http://fedoraproject.org/wiki/FedoraCryptoConsolidation
http://fedoraproject.org/wiki/CryptoConsolidationEval
http://fedoraproject.org/wiki/CryptoConsolidationScorecard

Also OpenSuSE prefers to use the nss for cryptography for the same reason ( http://en.opensuse.org/SharedCertStore ).

Would it be possible to use nss instead of openssl? #ifdef blocks would be enough. I can prepare patches. What's your opinion?

Michal
