@@ -918,6 +918,52 @@ check if a custom build from Git (usually using the `master` branch
918918of NUT https://github.com/networkupstools/nut/ repository) has your
919919issue fixed by some kind soul already.
920920
921+ == I can't connect with SSL using old NUT on an appliance
922+
923+ Unfortunately, some vendors do not issue new firmwares often, and even more
924+ rarely do they significantly update any programs inside. It is not uncommon
925+ to see NUT versions over a decade old delivered with small NAS boxes, for
926+ example.
927+
928+ This may impact not only NUT protocol compatibility, but also transport
929+ protocols such as SSL -- as cipher algorithms get outdated over time, and
930+ ones deemed insecure are no longer handled at all (by default). This is
931+ not a problem limited to NUT: old SSH Key Exchange (kex) protocols or old
932+ HTTPS mechanisms also become hard or impossible to use eventually.
933+
934+ On one hand, you can look into NUT configuration of `DISABLE_WEAK_SSL`.
935+
936+ On another, you can modify configuration of the newer system to allow older
937+ algorithms as required by the older other system.
938+
939+ For NUT built against OpenSSL, the change would be in `/etc/ssl/openssl.cnf`
940+ and similar to the diff block below:
941+
942+ ----
943+ --- a/etc/ssl/openssl.cnf
944+ +++ b/etc/ssl/openssl.cnf
945+ @@ -52,13 +52,6 @@ tsa_policy3 = 1.2.3.4.5.7
946+
947+ [openssl_init]
948+ providers = provider_sect
949+ +ssl_conf = ssl_sect
950+ +
951+ +[ssl_sect]
952+ +system_default = system_default_sect
953+ +
954+ +[system_default_sect]
955+ +CipherString = DEFAULT@SECLEVEL=0
956+
957+ # List of providers to load
958+ [provider_sect]
959+ ----
960+
961+ Of course, keep in mind that by doing this you degrade your security level.
962+ If better solutions are possible in your situation, prefer to follow them!
963+
964+ Thanks to Kajetan Rzepecki for doing the research and posting the findings
965+ in https://github.com/networkupstools/nut/issues/1899
966+
921967== I built NUT from Git, and it complains about lots of missing files. What happened?
922968
923969If you are not actively developing a driver, can you use a snapshot instead?
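Review bot: The example's `[system_default_sect]` entry (`CipherString = DEFAULT@SECLEVEL=0` in `/etc/ssl/openssl.cnf`) lowers the default for every program on the newer system that reads that file, not only NUT, and the closing caveat ("you degrade your security level") does not say so. I would state that scope explicitly next to the example, and spell out where `DISABLE_WEAK_SSL` is set and to what value, since the paragraph only says to "look into" it. Separately, the embedded example's hunk header `@@ -52,13 +52,6 @@` has its counts swapped: the block shows 6 context lines and 7 additions, so it should read `-52,6 +52,13`.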