networkupstools · jimklimov · May 11, 2026 · May 12, 2026 · May 12, 2026 · May 12, 2026
diff --git a/NEWS.adoc b/NEWS.adoc
@@ -58,6 +58,11 @@ https://github.com/networkupstools/nut/milestone/13
       attempts on timeout errors, simplifying error recovery. [PR #3414]
     * Increased default TCP response timeout to 2000 ms. [PR #3418]
 
+ - `dummy-ups` driver updates:
+   * Added `authconf` driver parameter for repeater mode to control
+     authentication configuration discovery. It accepts `default`, `none`,
+     or a specific authconf file path. [issue #3329]
+
  - `nutdrv_qx` driver updates:
     * Only claim a USB device as "supported" during discovery out of the box
       if `subdriver_command` was assigned (`1A86:7523` is used by CH340/341
@@ -126,6 +131,31 @@ https://github.com/networkupstools/nut/milestone/13
       allows to pass the `certfile` argument needed for OpenSSL builds. [#3331]
     * The `libupsclient` (C) and `libnutclient` (C++) API were updated to
       report the ability to check `CERTIDENT` information. [#3331]
+    * Introduced support for "authconf" files to store and convey NUT client
+      authentication details. [issue #3329]
+
+ - `upsc`, `upscmd`, `upsrw` command-line client updates:
+    * Enabled support for `nutauth.conf` files to provide credentials and/or
+      SSL settings in the client which previously only did best-effort attempts
+      at secure communications without an individual certificate, and only
+      anonymously for reading. The new `-A filename` option defaults to trying
+      to use a `nutauth.conf` file (if found in one of the default locations)
+      but not failing if one is not usable; specific values can require use of
+      such a file (`default`) or to not even try reading one (`none`).
+      [issues #3329, #3411]
+
+ - `upslog` client/tool updates:
+    * Added support for best-effort use of `nutauth.conf` files from default
+      locations or via `-A` option, as described above. Since this client
+      can establish multiple connections, keep in mind that currently it
+      can only identify itself with some one (first seen) client certificate,
+      if `CERTIDENT` settings are used. Multiple `CERTHOST` directives for
+      specially trusted servers can be used. [#3329]
+
+ - `upsstats`, `upsset`, `upsimage` CGI client updates:
+    * Added support for best-effort use of `nutauth.conf` files from default
+      locations described above (no way to choose the location, other than
+      by web-server environment variables for CGI calls). [#3329]
 
  - `upsmon` client updates:
     * Introduced support for `CERTFILE` option, so the client can identify
@@ -150,6 +180,9 @@ https://github.com/networkupstools/nut/milestone/13
       much later (tell the sysadmin to increase `ulimit` or set up a more
       conservative `MAXCONN`). If there is a separate soft and hard limit,
       and `MAXCONN` exceeds the soft limit, try to raise the bar. [issue #3365]
+    * If SSL configuration was provided, but the server failed to apply some
+      aspect of that, it should now abort with an explanation (and not proceed
+      with insecure start-up like it could do before). [issue #3331, PR #3435]
 
  - Recipes, CI and helper script updates not classified above:
     * Introduced `ci_build.sh` settings and respective CI workflow settings

diff --git a/UPGRADING.adoc b/UPGRADING.adoc
@@ -46,6 +46,22 @@ Changes from 2.8.5 to 2.8.6
   if the requested value is larger than what is allowed (minus some reserve
   for configuration files and other use-cases). [issue #3365]
 
+- `upsd` data server updates:
+    * If SSL configuration was provided, but the server failed to apply some
+      aspect of that, it should now abort with an explanation (and not proceed
+      with insecure start-up like it could do before). [issue #3331, PR #3435]
+
+- Enabled support for `nutauth.conf` files to provide credentials and/or
+  SSL settings in clients which previously only did best-effort attempts at
+  secure communications without an individual certificate, and only anonymously
+  for reading like `upsc`.
++
+The new `-A filename` option defaults to trying to use a `nutauth.conf` file
+  (if found in one of the default locations) but not failing if one is not
+  usable; specific values can require use of such a file or to not even try
+  reading one ('none' as the legacy default). See the updated manual pages
+  for more details. [issues #3329, #3411]
+
 
 Changes from 2.8.4 to 2.8.5
 ---------------------------

diff --git a/clients/Makefile.am b/clients/Makefile.am
@@ -110,7 +110,7 @@ endif HAVE_CXX11
 
 # Optionally deliverable as part of NUT public API:
 if WITH_DEV
- include_HEADERS = upsclient.h
+ include_HEADERS = upsclient.h authconf.h
 if HAVE_CXX11
  include_HEADERS += nutclient.h nutclientmem.h
 else !HAVE_CXX11
@@ -170,7 +170,7 @@ upsstats_cgi_LDADD = $(LDADD_CLIENT) $(top_builddir)/common/libcommonstrjson.la
 # but it needs nut_version.h made before the rest of build,
 # to include it into upsclient.c (without an explicit link,
 # this target is sometimes missed in parallel builds):
-libupsclient_la_SOURCES = upsclient.c upsclient.h
+libupsclient_la_SOURCES = upsclient.c upsclient.h authconf.c authconf.h
 
 # See comments for similar trick in common/Makefile.am for common-nut_version.c
 if BUILDING_IN_TREE