
Commit e63d433

Merge 038297c into 276c0b7
2 parents 276c0b7 + 038297c commit e63d433


4 files changed

+57
-3
lines changed

NEWS.adoc

Lines changed: 2 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -464,6 +464,8 @@ This requirement compromises usability of `make distcheck` on platforms without
464464
* `upsd_cleanup()` is now traced, to more easily see that the daemon is
465465
exiting (and/or start-up has aborted due to configuration or run-time
466466
issues). Warning about "world readable" files clarified. [#2417]
467+
* Failure to `LISTEN` on an invalid host name (e.g. `localhost:3493` or
468+
`1.2.3.4/24`) is now logged in a more actionable manner. [#2665]
467469
468470
- nut-scanner:
469471
* the tool relies on dynamic loading of shared objects (library files)
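
Review bot: The new `LISTEN` entry calls `localhost:3493` an invalid host name, but the host name in it is valid; the problem is that a port (or, in `1.2.3.4/24`, a prefix length) was put into the address argument. Suggest wording such as "an invalid address value (e.g. a host name with a port, `localhost:3493`, or CIDR notation, `1.2.3.4/24`)", so that a reader of the release notes knows which part of the directive to fix.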

docs/FAQ.txt

Lines changed: 46 additions & 0 deletions
@@ -918,6 +918,52 @@ check if a custom build from Git (usually using the `master` branch
918918
of NUT https://github.com/networkupstools/nut/ repository) has your
919919
issue fixed by some kind soul already.
920920

921+
== I can't connect with SSL using old NUT on an appliance
922+
923+
Unfortunately, some vendors do not issue new firmwares often, and even more
924+
rarely do they significantly update any programs inside. It is not uncommon
925+
to see NUT versions over a decade old delivered with small NAS boxes, for
926+
example.
927+
928+
This may impact not only NUT protocol compatibility, but also transport
929+
protocols such as SSL -- as cipher algorithms get outdated over time, and
930+
ones deemed insecure are no longer handled at all (by default). This is
931+
not a problem limited to NUT: old SSH Key Exchange (kex) protocols or old
932+
HTTPS mechanisms also become hard or impossible to use eventually.
933+
934+
On one hand, you can look into NUT configuration of `DISABLE_WEAK_SSL`.
935+
936+
On another, you can modify configuration of the newer system to allow older
937+
algorithms as required by the older other system.
938+
939+
For NUT built against OpenSSL, the change would be in `/etc/ssl/openssl.cnf`
940+
and similar to the diff block below:
941+
942+
----
943+
--- a/etc/ssl/openssl.cnf
944+
+++ b/etc/ssl/openssl.cnf
945+
@@ -52,13 +52,6 @@ tsa_policy3 = 1.2.3.4.5.7
946+
947+
[openssl_init]
948+
providers = provider_sect
949+
+ssl_conf = ssl_sect
950+
+
951+
+[ssl_sect]
952+
+system_default = system_default_sect
953+
+
954+
+[system_default_sect]
955+
+CipherString = DEFAULT@SECLEVEL=0
956+
957+
# List of providers to load
958+
[provider_sect]
959+
----
960+
961+
Of course, keep in mind that by doing this you degrade your security level.
962+
If better solutions are possible in your situation, prefer to follow them!
963+
964+
Thanks to Kajetan Rzepecki for doing the research and posting the findings
965+
in https://github.com/networkupstools/nut/issues/1899
966+
921967
== I built NUT from Git, and it complains about lots of missing files. What happened?
922968

923969
If you are not actively developing a driver, can you use a snapshot instead?
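
Review bot: The example puts `CipherString = DEFAULT@SECLEVEL=0` under `[system_default_sect]` in `/etc/ssl/openssl.cnf`, which lowers the security level for every program on that host that loads the default OpenSSL configuration, not only for NUT, and the closing caveat does not say so. Suggest stating that scope explicitly and mentioning a narrower setup: a separate copy of the configuration file used only by the NUT processes (for example through the `OPENSSL_CONF` environment variable), and trying the highest `SECLEVEL` that still lets the old appliance connect before dropping to 0. Two smaller points: the embedded example's header `@@ -52,13 +52,6 @@` has the old and new line counts swapped for a change that only adds lines (6 before, 13 after), so it would not apply as written; and the `DISABLE_WEAK_SSL` sentence names neither the configuration file nor the value to set.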

docs/nut.dict

Lines changed: 7 additions & 1 deletion
@@ -1,4 +1,4 @@
1-
personal_ws-1.1 en 3341 utf-8
1+
personal_ws-1.1 en 3347 utf-8
22
AAC
33
AAS
44
ABI
@@ -205,6 +205,7 @@ Checksum
205205
Christoph
206206
Chu
207207
Cichowski
208+
CipherString
208209
CircleCI
209210
Claesson
210211
CodingStyle
@@ -566,6 +567,7 @@ KRTS
566567
KSTAR
567568
KTTS
568569
Kain
570+
Kajetan
569571
Kaminski
570572
Kanji
571573
Kazancev
@@ -1069,6 +1071,7 @@ RunAs
10691071
RunUPSCommand
10701072
RxD
10711073
Ryabov
1074+
Rzepecki
10721075
SAI
10731076
SASU
10741077
SCM
@@ -1717,6 +1720,7 @@ cmdname
17171720
cmdparam
17181721
cmds
17191722
cmdvartab
1723+
cnf
17201724
codebase
17211725
codepath
17221726
coldstarts
@@ -2217,6 +2221,7 @@ kVA
22172221
kadets
22182222
kaminski
22192223
kde
2224+
kex
22202225
kext
22212226
keychain
22222227
keygen
@@ -3078,6 +3083,7 @@ tport
30783083
tripplite
30793084
tripplitesu
30803085
troff
3086+
tsa
30813087
tsd
30823088
tty
30833089
ttyACM

server/upsd.c

Lines changed: 2 additions & 2 deletions
@@ -447,10 +447,10 @@ static void setuptcp(stype_t *server)
447447

448448
if ((v = getaddrinfo(server->addr, server->port, &hints, &res)) != 0) {
449449
if (v == EAI_SYSTEM) {
450-
fatal_with_errno(EXIT_FAILURE, "getaddrinfo");
450+
fatal_with_errno(EXIT_FAILURE, "getaddrinfo('%s')", NUT_STRARG(server->addr));
451451
}
452452

453-
fatalx(EXIT_FAILURE, "getaddrinfo: %s", gai_strerror(v));
453+
fatalx(EXIT_FAILURE, "getaddrinfo('%s'): %s", NUT_STRARG(server->addr), gai_strerror(v));
454454
}
455455

456456
for (ai = res; ai; ai = ai->ai_next) {
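
Review bot: Both new messages name only `server->addr`, while the failing call is `getaddrinfo(server->addr, server->port, &hints, &res)`, so a bad port or service name in `LISTEN` would still produce an error that points at the address. Suggest including the port too, e.g. `"getaddrinfo('%s', '%s'): %s"` with `NUT_STRARG(server->port)` as the extra argument, in both the `EAI_SYSTEM` branch and the `fatalx()` call.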
