Commit 50cd112

Merge pull request #3408 from jimklimov/issue-3331
Bring OpenSSL abilities up to be on par with NSS
2 parents 681a063 + 2041f7e commit 50cd112

36 files changed

Lines changed: 4869 additions & 765 deletions

Makefile.am

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -209,6 +209,14 @@ all-fanout-maybe: .libs-dev-PATH @dotMAKE@
209209
done ; \
210210
export PATH ; \
211211
export LD_LIBRARY_PATH ; \
212+
if `uname -a` | grep -i darwin >/dev/null; then \
213+
if [ -n "$${DYLD_FALLBACK_LIBRARY_PATH}" ] ; then \
214+
DYLD_FALLBACK_LIBRARY_PATH="$${LD_LIBRARY_PATH}:$${DYLD_FALLBACK_LIBRARY_PATH}" ; \
215+
else \
216+
DYLD_FALLBACK_LIBRARY_PATH="$${LD_LIBRARY_PATH}" ; \
217+
fi ; \
218+
export DYLD_FALLBACK_LIBRARY_PATH ; \
219+
fi ; \
212220
' >> '$@'
213221

214222
# We start with a pass to `make all` in `common` dir because our wild recipes
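
Review bot: The condition on new line 212 wraps uname -a in backticks at the start of a pipeline, so the generated script tries to run the output of uname as a command (on macOS, a program named Darwin) and pipes that command's output to grep, instead of grepping the uname output itself. The test would normally fail with a command-not-found message on stderr, and the DYLD_FALLBACK_LIBRARY_PATH export is then skipped on the very platform it targets. Drop the backticks and silence stderr too: if uname -a | grep -i darwin >/dev/null 2>&1 ; then. Separately, if LD_LIBRARY_PATH is empty the else branch exports an empty DYLD_FALLBACK_LIBRARY_PATH; guarding the block on a non-empty LD_LIBRARY_PATH would avoid that.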

NEWS.adoc

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -72,6 +72,30 @@ https://github.com/networkupstools/nut/milestone/13
7272
query (for protocol version) to verify that handshake succeeded.
7373
This change impacted also the classic C `libupsclient` library.
7474
[issue #3387, PR #3402]
75+
* Updated OpenSSL code paths in the `libupsclient` C library to support
76+
features earlier only available with NSS builds, like specifying the
77+
client certificate+key, optionally with password, and pinning expected
78+
server certificates. For both backends such pinning should now honour
79+
the 'certverify' setting of the `CERTHOST` entry (e.g. not abort the
80+
connection attempt if that number is '0'). Also, the `-1` value is
81+
now supported to mean "use global default setting". [issue #3331]
82+
* Updated SSL support in the `upsd` data server to handle `CERTREQUEST`
83+
(optional validation of clients identified by a certificate) also
84+
when built with OpenSSL, optionally using the `CERTPATH` with a
85+
collection of CA certificates (directory or a big PEM file).
86+
Also support `CERTIDENT` to provide a private key password and ensure
87+
that the certificate in `CERTFILE` has an expected subject name as an
88+
exact string, or that its CN or SAN match the provided string as a
89+
standard expression of host name (section 3.5 of RFC 1034) or IP address.
90+
[issue #3331]
91+
* The `libupsclient` API was extended with a `upscli_init2()` method which
92+
allows to pass the `certfile` argument needed for OpenSSL builds. [#3331]
93+
* The `libupsclient` (C) and `libnutclient` (C++) API were updated to
94+
report the ability to check `CERTIDENT` information. [#3331]
95+
96+
- `upsmon` client updates:
97+
* Introduced support for `CERTFILE` option, so the client can identify
98+
itself to the data server also in OpenSSL builds. [issue #3331]
7599

76100
- Introduced `ci_build.sh` settings and respective CI workflow settings
77101
to optionally re-use a `config.cache` file from older runs, and similar
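
Review bot: The libupsclient entry (new lines 78-81) says pinning now honours 'certverify' and does not abort the connection when that number is '0', but it does not spell out the consequence: with 0 a mismatch against the pinned server certificate is tolerated, so a CERTHOST pin only protects the connection when verification is enabled for that entry. Suggest stating that explicitly, and naming the global setting that the new -1 value falls back to, since the effective behaviour then depends on it. Minor: the references alternate between [issue #3331] and [#3331] within the same block.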

UPGRADING.adoc

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,13 @@ Changes from 2.8.5 to 2.8.6
3333

3434
- PLANNED: Keep track of any further API clean-up?
3535
36+
- Potentially a breaking change for C++ clients that rushed to use the new
37+
SSL support options in `libnutclient`: for Mozilla NSS setup, the way to
38+
provide an expected `CERTHOST` address was missing. Now the API is fixed
39+
in this regard, at the cost of adding arguments to methods introduced in
40+
the previous release. [issue #3331, PR #3408]
41+
42+
3643
Changes from 2.8.4 to 2.8.5
3744
---------------------------
3845
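
Review bot: The new UPGRADING item (new lines 36-40) warns of a breaking libnutclient change "at the cost of adding arguments to methods" but names neither the methods nor the added arguments, so a C++ consumer cannot tell from this text what to change. Suggest listing the affected method names and the new parameter, and saying whether existing callers fail at compile time or only need a rebuild.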

appveyor.yml

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,9 @@ environment:
3535
# https://github.com/marketplace/actions/delete-pr-comments-during-subsequent-ci
3636
notifications:
3737
- provider: GitHubPullRequest
38-
on_build_status_changed: true
38+
on_build_success: true
39+
on_build_failure: true
40+
on_build_status_changed: false
3941
template: |
4042
{{#passed}}:white_check_mark:{{/passed}}{{#failed}}:x:{{/failed}} [Build {{&projectName}} {{buildVersion}} {{status}}]({{buildUrl}}) (commit {{commitUrl}} by @{{&commitAuthorUsername}})
4143
* [artifacts{{#failed}} (if any){{/failed}}]({{buildurl}}/artifacts)
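
Review bot: Replacing on_build_status_changed: true with on_build_success: true and on_build_failure: true (new lines 38-40) makes every finished build post a pull-request comment instead of only status transitions, and nothing in the file says why. Suggest a short YAML comment stating the intent, next to the existing link about deleting earlier PR comments. While here, the template context below spells the variable {{buildUrl}} on one line and {{buildurl}} on the next; worth confirming both resolve.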

clients/Makefile.am

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -219,6 +219,8 @@ endif WITH_SSL
219219
# for the run-time dynamic linker resolution? For now the shared-library
220220
# builds are "exotic", but it makes sense to deprecate this export in a
221221
# future release.
222+
### WARNING: Do not forget to update SO_MAJOR_LIBUPSCLIENT under scripts/obs,
223+
### especially when bumping "age" into loss of compatibility with old releases!
222224
libupsclient_la_LDFLAGS = -version-info 9:0:2
223225
libupsclient_la_LDFLAGS += -export-symbols-regex '^(upscli_|nut_debug_level)'
224226
#|s_upsdebug|fatalx|fatal_with_errno|xcalloc|xbasename|print_banner_once)'
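
Review bot: The -version-info 9:0:2 line directly under the new warning is unchanged, while this commit's NEWS entry adds upscli_init2() to the libupsclient API. If 9:0:2 was not already bumped earlier in this release cycle, libtool's rules for an added interface call for incrementing current and age and resetting revision (10:0:3). The wording "bumping age into loss of compatibility" is also hard to parse, since an incompatible change resets age to 0 rather than bumping it; something like "when an ABI break resets age to 0" would be clearer.
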
@@ -292,7 +294,9 @@ libupsclient-version.h: libupsclient.la
292294
if HAVE_CXX11
293295
# libnutclient version information and build
294296
libnutclient_la_SOURCES = nutclient.h nutclient.cpp
295-
libnutclient_la_LDFLAGS = -version-info 4:0:2
297+
### WARNING: Do not forget to update SO_MAJOR_LIBNUTCLIENT under scripts/obs,
298+
### especially when bumping "age" into loss of compatibility with old releases!
299+
libnutclient_la_LDFLAGS = -version-info 4:0:0
296300
# Needed in not-standalone builds with -DHAVE_NUTCOMMON=1
297301
# which is defined for in-tree CXX builds above:
298302
if ENABLE_SHARED_PRIVATE_LIBS
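
Review bot: Changing libnutclient from -version-info 4:0:2 to 4:0:0 (new line 299) drops age to 0 but keeps current at 4, so interface number 4 would now describe a different ABI than it did under 4:0:2. If 4:0:2 was ever released, the libtool convention for an incompatible change is to increment current as well and reset revision and age, i.e. 5:0:0. A one-line note on which SO_MAJOR_LIBNUTCLIENT value this corresponds to would help whoever updates scripts/obs.
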
@@ -319,6 +323,8 @@ endif !HAVE_CXX11
319323
if HAVE_CXX11
320324
# libnutclientstub version information and build
321325
libnutclientstub_la_SOURCES = nutclientmem.h nutclientmem.cpp
326+
### WARNING: Do not forget to update SO_MAJOR_LIBNUTCLIENTSTUB under scripts/obs,
327+
### especially when bumping "age" into loss of compatibility with old releases!
322328
libnutclientstub_la_LDFLAGS = -version-info 1:1:0
323329
libnutclientstub_la_LIBADD = libnutclient.la
324330
if HAVE_WINDOWS
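
Review bot: libnutclientstub keeps -version-info 1:1:0 (new line 328) although it links libnutclient.la, whose version-info changes incompatibly in the previous hunk. Please confirm the stub's exported interface is unaffected by the added method arguments; if it implements or re-exports the changed methods it needs its own bump. The same two-line warning now appears three times in this file; a single explanatory comment referenced from each site would be easier to keep in sync.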
