Arnaud Quette: Cryptography: SSL support using Mozilla NSS landed in NUT
This week, a new feature was merged into the NUT development tree: besides
the historical OpenSSL support (available for more than 10 years), NUT now also provides
SSL features using Mozilla NSS.
I've already posted a lengthy mail on the NUT developers list. But there are still
a few things to be told:
- for legal reasons that I won't detail, NUT (GPL v2+) can't be linked against OpenSSL without leaving the 'main' Debian repository. Thus, NUT packages in Debian (and derivatives) don't provide NUT crypto features!
- to me, NSS has some advantages, compared to OpenSSL. Among these, NSS is distributed under 3 licenses, including GPL. So it will fix the situation for NUT in Debian! But there will be more things to come with NSS, such as client authentication, and more security for infrastructure power management.
- other distros (mainly Red Hat and SUSE) have attempted (and are still attempting) to consolidate crypto features, using NSS. Debian has not made any decision on this topic though. NUT now offers the choice between OpenSSL and Mozilla NSS.
- NSS support will be officially available with NUT 2.8.0. There is currently no release date since we're committed to a feature set, not a release date. Some would say Debian old school. Everything would be different with more manpower, as everywhere else in our Free land...
- install NUT, if it's not already done:
# apt-get install nut
- download the source snapshot, and uncompress it:
$ tar xzvf nut-trunk-r3751.tar.gz
- install NSS development files:
# apt-get install libnss3-dev
- change to the NUT source directory and configure it using --with-nss, to force using NSS. For Debian, the following flags are needed:
$ ./configure --without-all --with-nss \
    --prefix=/ --sysconfdir=/etc/nut \
    --with-statepath=/var/run/nut \
    --with-altpidpath=/var/run/nut \
    --with-drvpath=/lib/nut \
    --with-pidpath=/var/run/nut \
    --datadir=/usr/share/nut \
    --with-pkgconfig-dir=/usr/lib/pkgconfig \
    --with-user=nut --with-group=nut
- now compile and install:
$ make && make install
- refer to the documentation, NSS backend usage chapter, for detailed configuration and usage instructions.
- if you're looking for a nice user interface to manage your certificates, check Firefox Key Manager or Fedora nss-gui.
- Enjoy
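To confirm that a build configured with --with-nss as above really linked against NSS and not OpenSSL, the shared-library list of the installed binaries can be inspected. The script below is an added example, not part of the original post or of NUT; the function names and the sample `ldd` output are constructed, and the path of the binary to check is left to the caller.

```shell
#!/bin/sh
# Classify the TLS library a binary is linked against, from `ldd` output on stdin.
# Prints one of: nss, openssl, both, none.
# Edge case: NSS ships its SSL library as "libssl3.so", while OpenSSL 3 ships
# "libssl.so.3". The patterns below keep the two apart.
ssl_backend_from_ldd() {
    awk '
        $1 ~ /^libnss3\.so/ || $1 ~ /^libssl3\.so/ { nss = 1 }
        $1 ~ /^libssl\.so/                         { openssl = 1 }
        END {
            if (nss && openssl) print "both"
            else if (nss)       print "nss"
            else if (openssl)   print "openssl"
            else                print "none"
        }'
}

# Succeeds only if the given binary links NSS and no OpenSSL libssl.
# $1 = path to an installed NUT binary (supplied by the caller, not assumed here).
# ldd also lists transitive dependencies, so "both" deserves a closer look
# at which library pulled in libssl.
require_nss_only() {
    backend=$(ldd "$1" 2>/dev/null | ssl_backend_from_ldd)
    [ "$backend" = "nss" ]
}

# Constructed sample ldd output for a binary built with --with-nss.
SAMPLE_NSS='	linux-vdso.so.1 (0x00007ffd1c5f2000)
	libssl3.so => /usr/lib/x86_64-linux-gnu/libssl3.so (0x00007f1a2c400000)
	libnss3.so => /usr/lib/x86_64-linux-gnu/libnss3.so (0x00007f1a2c200000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2be00000)'

# Constructed sample ldd output for a binary built against OpenSSL.
SAMPLE_OPENSSL='	linux-vdso.so.1 (0x00007ffd1c5f2000)
	libssl.so.3 => /usr/lib/x86_64-linux-gnu/libssl.so.3 (0x00007f1a2c400000)
	libcrypto.so.3 => /usr/lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1a2c000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2be00000)'

# Constructed sample ldd output for a binary built without any SSL support.
SAMPLE_NONE='	linux-vdso.so.1 (0x00007ffd1c5f2000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2be00000)'

printf 'NSS build:     %s\n' "$(printf '%s\n' "$SAMPLE_NSS" | ssl_backend_from_ldd)"
printf 'OpenSSL build: %s\n' "$(printf '%s\n' "$SAMPLE_OPENSSL" | ssl_backend_from_ldd)"
printf 'No SSL:        %s\n' "$(printf '%s\n' "$SAMPLE_NONE" | ssl_backend_from_ldd)"
```

On a real system, call `require_nss_only` with the path of the freshly installed binary and check its exit status.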
- Emilien Kia, who developed the NSS support in NUT,
- Frédéric Bohé, for the validation testing,
- Charles Lepple, for handling the merge from github to our Alioth Subversion repository,
- and Eaton for sponsoring this development.
-- Arno