this week, a new feature was merged into the NUT development tree: beside of the historical OpenSSL support (for more than 10 years), NUT now also provides SSL features using Mozilla NSS.
I've already posted a lengthy mail on the NUT developers list. But there are still a few things to be told:
- for legal reasons, I won't detail, NUT (GPL v2+), can't be linked on OpenSSL without exiting from the 'main' Debian repository. Thus, NUT packages in Debian (and derivatives) don't provide NUT crypto features!
- to me, NSS has some advantages, compared to OpenSSL. Among these, NSS is distributed under 3 licenses, including GPL. So it will fix the situation for NUT in Debian! But there will be more things to come with NSS, such as client authentication, and more security for infrastructure power management.
- other distros (mainly Redhat and Suse) have attempted (and are still attempting) to consolidate crypto features, using NSS. Debian has not taken any decision on this topic though. NUT now offers the choice between OpenSSL and Mozilla NSS.
- NSS support will be officially available with NUT 2.8.0. There is currently no release date since we're committed to a features set, not a release date. Some would say Debian old school. Everything would be different with more manpower, as everywhere else in our Free land...
For the braves who want to test, here is a small procedure, adapted to Debian. We will use an existing installation, and overwrite upsd, upsmon, libupsclient and few more. Beware that it will obviously breaks the MD5 sums of your nut packages!
- install NUT, if it's not already done:
# apt-get install nut
- download the source snapshot, and uncompress it:
$ tar xzvf nut-trunk-r3751.tar.gz
- install NSS development files:
# apt-get install libnss3-dev
- change to NUT source directory and configure it using --with-nss, to force using NSS. For Debian, the following flags are needed:
./configure --without-all --with-nss \ --prefix=/ --sysconfdir=/etc/nut \ --with-statepath=/var/run/nut \ --with-altpidpath=/var/run/nut \ --with-drvpath=/lib/nut \ --with-pidpath=/var/run/nut \ --datadir=/usr/share/nut \ --with-pkgconfig-dir=/usr/lib/pkgconfig \ --with-user=nut --with-group=nut
- now compile and install:
$ make && make install
- refer to the documentation, NSS backend usage chapter, for detailed configuration and usage instructions.
- if you're looking for a nice user interface to manage your certificate, check Firefox Key Manager or Fedora nss-gui.
Before concluding, here is the traditional thank you guys:
- Emilien Kia, who developed the NSS support in NUT,
- Frédéric Bohé, for the validation testing,
- Charles Lepple, for handling the merge from github to our Alioth Subversion repository,
- and Eaton for sponsoring this development.
As a conclusion, cryptography integration and usability is still not on par with other proprietary OS. I would love to see the crypto situation improving in Debian (and friends obviously). So this was just my 2 cents (nuts ;-)) to the cause...