@@ -72,6 +72,30 @@ https://github.com/networkupstools/nut/milestone/13
7272 query (for protocol version) to verify that handshake succeeded.
7373 This change impacted also the classic C `libupsclient` library.
7474 [issue #3387, PR #3402]
75+ * Updated OpenSSL code paths in the `libupsclient` C library to support
76+ features earlier only available with NSS builds, like specifying the
77+ client certificate+key, optionally with password, and pinning expected
78+ server certificates. For both backends such pinning should now honour
79+ the 'certverify' setting of the `CERTHOST` entry (e.g. not abort the
80+ connection attempt if that number is '0'). Also, the `-1` value is
81+ now supported to mean "use global default setting". [issue #3331]
82+ * Updated SSL support in the `upsd` data server to handle `CERTREQUEST`
83+ (optional validation of clients identified by a certificate) also
84+ when built with OpenSSL, optionally using the `CERTPATH` with a
85+ collection of CA certificates (directory or a big PEM file).
86+ Also support `CERTIDENT` to provide a private key password and ensure
87+ that the certificate in `CERTFILE` has an expected subject name as an
88+ exact string, or that its CN or SAN match the provided string as a
89+ standard expression of host name (section 3.5 of RFC 1034) or IP address.
90+ [issue #3331]
91+ * The `libupsclient` API was extended with a `upscli_init2()` method which
92+ allows to pass the `certfile` argument needed for OpenSSL builds. [#3331]
93+ * The `libupsclient` (C) and `libnutclient` (C++) API were updated to
94+ report the ability to check `CERTIDENT` information. [#3331]
95+
96+ - `upsmon` client updates:
97+ * Introduced support for `CERTFILE` option, so the client can identify
98+ itself to the data server also in OpenSSL builds. [issue #3331]
7599
76100 - Introduced `ci_build.sh` settings and respective CI workflow settings
77101 to optionally re-use a `config.cache` file from older runs, and similar
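Review bot: In the `libupsclient` item, "such pinning should now honour the 'certverify' setting" with the example "not abort the connection attempt if that number is '0'" leaves the reader to infer that a pinned-certificate mismatch is not enforced when certverify is 0. State that outright, and name the global setting that `-1` falls back to, so an operator relying on pinning can tell which values actually enforce it. In the `upsd` item, the `CERTIDENT` sentence lists two matching modes (exact subject string, or CN/SAN match as host name or IP address) without saying how one is selected; a pointer to the configuration documentation would settle that. The issue references are also inconsistent within the hunk: "[issue #3331]" on most items, but "[#3331]" on the two API items.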