Auth: Russell Kroll <rkroll@exploits.org>

SSL is now available as a development option. It encrypts sessions with
upsd and can also be used to authenticate servers. This means that
stealing port 3493 from upsd will no longer net you anything
interesting.

Several things must happen before this will work, however:

------------------------------------------------------------------------------

1. Install OpenSSL, including its development headers, since NUT is
   compiled against it in the next step.

------------------------------------------------------------------------------

2. Recompile NUT from source, starting with 'configure --with-ssl'.

------------------------------------------------------------------------------

3. Install everything as usual.

------------------------------------------------------------------------------

4. Create a certificate and key for upsd.

openssl (the program) should be in your PATH, unless you installed
it from source yourself, in which case it may be somewhere that is
not on your PATH.

openssl req -new -x509 -nodes -out upsd.crt -keyout upsd.key

This creates a self-signed certificate (upsd.crt) and its private key
(upsd.key). The -nodes option leaves the key unencrypted, which is
what upsd needs in order to start without a passphrase, and is also
why the file permissions in step 7 matter.

You can also put a "-days nnn" in there to set the expiration. If
you skip this, it defaults to 30 days. This is probably not what
you want.

It will ask several questions. What you put in there doesn't matter
a whole lot, since nobody is going to see it for now. Future
versions of the clients may present data from it, so you might use
this opportunity to identify each server somehow.

------------------------------------------------------------------------------

5. Figure out the hash for the certificate.

openssl x509 -hash -noout -in upsd.crt

You'll get back a single line with 8 hex characters. This is the
hash of the certificate's subject name, which OpenSSL uses to look
up trusted certificates in a directory, and which is therefore used
for naming the client-side certificate. For the purposes of this
example the hash is 0123abcd.

Note that the hash covers only the subject name, not the key, so two
certificates with the same subject get the same hash; that is what
the numeric suffix in the next step is for. Compute it with the same
OpenSSL version that upsmon is linked against: the algorithm behind
-hash changed in OpenSSL 1.0.0, and a file named under the other
scheme will simply not be found.
------------------------------------------------------------------------------

6. Install the client-side certificate.

cp upsd.crt <certpath>/<hash>.0

For example:

mkdir /usr/local/ups/etc/certs
chmod 0755 /usr/local/ups/etc/certs
cp upsd.crt /usr/local/ups/etc/certs/0123abcd.0

If you already have a file with that name in there, increment the
0 until you get a unique filename that works.

If you have multiple client systems (like upsmon slaves), be sure
to install this file on them as well.

I recommend making a directory under your existing confpath to
keep everything in the same place. Remember the path you created,
since you will need to put it in upsmon.conf later.

It must not be writable by unprivileged users, since someone could
insert a new client certificate and fool upsmon into trusting an
impostor upsd. The same goes for the files inside it: everything in
that directory is a trust anchor.
------------------------------------------------------------------------------

7. Create the combined file for upsd.

cat upsd.crt upsd.key > upsd.pem
chown root:nut upsd.pem

Then chmod it to 0640, so that it is readable by root and by group
nut and by nobody else.

This file must be kept secure, since anyone possessing it could
pretend to be upsd and harvest authentication data if they get a
client to connect to them.

Having it be owned by root and readable by group nut allows upsd
to read the file without being able to change the contents. This
is done to minimize the impact if someone should break into upsd.
------------------------------------------------------------------------------

8. Install the server-side certificate.

mv upsd.pem <upsd certfile path>

For example:

mv upsd.pem /usr/local/ups/etc/upsd.pem

After that, edit your upsd.conf and tell it where to find it:

CERTFILE /usr/local/ups/etc/upsd.pem

------------------------------------------------------------------------------

9. Clean up the temporary files.

rm -f upsd.crt upsd.key

The private key now exists only inside upsd.pem, so don't leave the
loose copy of upsd.key behind in your working directory.
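
Steps 4 through 9 as shell functions, so the same certificate setup can
be repeated identically on every host. This is an added example and is
not code from NUT or from this document; the function names are made
up here. It assumes openssl is on your PATH, that upsd runs in group
nut (as in the chown above), and that the caller supplies the
directories. It also adds one check the steps above do not have:
asking openssl itself whether the hashed-directory lookup behind
CERTPATH finds the file you installed, which is exactly what
CERTVERIFY 1 will rely on.

```sh
#!/bin/sh
# Added example (not NUT code): steps 4 to 9 of the SSL setup as
# functions. Assumes openssl on PATH and group "nut" for upsd.
set -eu

# Steps 4, 7, 8 and 9: build upsd.pem in $1, valid for $2 days, with
# subject $3 (use it to identify the server, e.g. "/CN=ups1.example").
# Leaves upsd.crt behind for distribution to clients and prints its
# path; upsd.key is removed once it has been folded into upsd.pem.
nut_make_server_pem() {
    dir=$1 days=$2 subject=$3
    mkdir -p "$dir"
    # -nodes: no passphrase, so upsd can start unattended.
    # -days: set it explicitly; the 30 day default bites later.
    openssl req -new -x509 -nodes -newkey rsa:2048 -days "$days" \
        -subj "$subject" -out "$dir/upsd.crt" -keyout "$dir/upsd.key" \
        >/dev/null 2>&1
    # Build the combined file under a tight umask so there is never a
    # world-readable window between creation and chmod.
    (umask 077; cat "$dir/upsd.crt" "$dir/upsd.key" > "$dir/upsd.pem")
    chmod 0640 "$dir/upsd.pem"
    # Needs root; outside a real install just keep the mode bits.
    chown root:nut "$dir/upsd.pem" 2>/dev/null || true
    rm -f "$dir/upsd.key"
    echo "$dir/upsd.crt"
}

# Step 5: the 8 hex digit hash of the certificate's subject name.
nut_cert_hash() {
    openssl x509 -hash -noout -in "$1"
}

# Step 6: copy certificate $1 into the CERTPATH directory $2 as
# <hash>.N, taking the first free N; an identical file already
# present is reused. Prints the path it ended up with.
nut_install_client_cert() {
    crt=$1 certpath=$2
    mkdir -p "$certpath"
    chmod 0755 "$certpath"
    hash=$(nut_cert_hash "$crt")
    n=0
    while [ -e "$certpath/$hash.$n" ]; do
        if cmp -s "$crt" "$certpath/$hash.$n"; then
            echo "$certpath/$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    cp "$crt" "$certpath/$hash.$n"
    chmod 0644 "$certpath/$hash.$n"
    echo "$certpath/$hash.$n"
}

# Check: does OpenSSL's hashed-directory lookup (the mechanism behind
# CERTPATH) find a trust anchor for certificate $1 in directory $2?
# If this fails, the file name and the library's idea of the hash
# disagree, and CERTVERIFY 1 would reject the server.
nut_verify_client_trust() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Typical use on the upsd host; then copy the printed upsd.crt to each
# upsmon host and run nut_install_client_cert there as well:
#   crt=$(nut_make_server_pem /usr/local/ups/etc 365 "/CN=ups1.example")
#   nut_install_client_cert "$crt" /usr/local/ups/etc/certs
#   nut_verify_client_trust "$crt" /usr/local/ups/etc/certs && rm -f "$crt"
```

The verify step is worth keeping around: a certificate that is in the
directory under the wrong name is indistinguishable, from upsmon's
side, from no certificate at all.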

------------------------------------------------------------------------------

10. Restart upsd.

It should come back up without any complaints. If it says something
about keys or certificates, then you probably missed a step.

If you run upsd as a separate user id (like nutsrv), make sure that
user can read the upsd.pem file; with the root:nut ownership from
step 7 that means putting the user in group nut.

------------------------------------------------------------------------------

11. Point upsmon at the certificates.

Edit your upsmon.conf, and tell it where the CERTPATH is:

CERTPATH /usr/local/ups/etc/certs

------------------------------------------------------------------------------
12. Recommended: make upsmon verify all connections with certificates.

Put this in upsmon.conf:

CERTVERIFY 1

Without this, there is no guarantee that the upsd is the right host:
the session is encrypted, but it could be encrypted to an impostor.
Enabling this greatly reduces the risk of man in the middle attacks.

This effectively forces the use of SSL, so don't use this unless
all of your upsd hosts are ready for SSL and have their certificates
installed in CERTPATH on every upsmon host.

------------------------------------------------------------------------------

13. Recommended: force upsmon to use SSL.

Again in upsmon.conf:

FORCESSL 1

If you don't use CERTVERIFY 1, then this will at least make sure
that nobody can sniff your sessions without a large effort. It does
not stop an active attacker who can redirect the connection from
impersonating upsd; that is what CERTVERIFY is for. Setting
this will make upsmon drop connections if the remote upsd doesn't
support SSL, so don't use it unless all of them have it running.
------------------------------------------------------------------------------

14. Restart upsmon.

You should see something like this in the syslog from upsd:

foo upsd[1234]: Client mon@localhost logged in to UPS [myups] (SSL)

If upsd or upsmon give any error messages, or the (SSL) is missing,
then something isn't right.

If in doubt about upsmon, start it with -D so it will stay in
the foreground and print debug messages. It should print something
like this every couple of seconds:

polling ups: myups@localhost [SSL]

Obviously, if the [SSL] isn't there, something's broken.

------------------------------------------------------------------------------
15. Recommended: sniff the connection to see it for yourself.

Using tcpdump, Ethereal, or another network sniffer tool, tell it
to monitor port 3493/tcp and see what happens. You should only see
"STARTTLS" go out, "OK STARTTLS" come back, and the rest will be
certificate data and then seemingly random characters.

If you see any plaintext besides that (USERNAME, PASSWORD, etc.)
then something is not working.
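
A mechanical version of that check, as an added example that is not
code from NUT or from this document. It scans the printable side of a
capture of port 3493 and fails if a NUT command word shows up in the
clear anywhere other than the STARTTLS handshake. The capture format
it assumes is what "tcpdump -l -A -n 'tcp port 3493'" prints (one
header line per packet, then the packet bytes as text); the command
words it looks for are the ones named above plus LOGIN, and the
function name is made up here.

```sh
#!/bin/sh
# Added example (not NUT code): scan a tcpdump -A capture of the upsd
# port and report whether anything but the STARTTLS exchange was
# readable. Sample input in the usage line below is constructed.
nut_capture_is_clean() {
    # $1 = capture file ("-" for stdin). Exit 0 if only the STARTTLS
    # exchange was visible, 1 if plaintext commands were seen, 2 if no
    # handshake was seen at all (SSL never started).
    awk '
        # NUT commands seen in the clear, before or after STARTTLS,
        # mean the session is not protected.
        /USERNAME |PASSWORD |LOGIN /      { leak = 1 }
        /STARTTLS/ && !/OK STARTTLS/      { req = 1 }
        /OK STARTTLS/                     { ok = 1 }
        END {
            if (leak)        { print "plaintext NUT commands on the wire"; exit 1 }
            if (!req || !ok) { print "no STARTTLS handshake seen"; exit 2 }
            print "only the STARTTLS handshake was in the clear"
            exit 0
        }' "$1"
}

# Live use, as root, while upsmon is polling (-c stops after 40
# packets, which is plenty for one login):
#   tcpdump -l -A -n -c 40 'tcp port 3493' | nut_capture_is_clean -
```

Exit status 2 is the case to watch for when FORCESSL is not set: the
session ran entirely in plaintext because upsd never offered SSL, and
a capture of it would show the commands rather than a handshake.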
------------------------------------------------------------------------------

Note: SSL support is still considered development code, since various
bits of the implementation may change in the near future. One thing
that may happen before long is support for gnutls to avoid licensing
issues.

This is why the other documentation doesn't mention any of these
directives yet. SSL support is a treat for those of you that RTFM.

Whether or not you gave an explicit expiration date in step 4, the
certificate has one, and when it passes you will see things like
this in your syslog:

Oct 29 07:27:25 rktoy upsmon[3789]: Poll UPS [for750@rktoy] failed -
SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:
certificate verify failed

You can verify that it is expired by using openssl to display the date:

openssl x509 -enddate -noout -in <certfile>

It'll display a date like this:

notAfter=Oct 28 20:05:32 2002 GMT

If that's before the current date, the certificate has expired and
you need to generate another cert/key pair using the procedure above.
Remember to install the new upsd.crt in CERTPATH on every upsmon host
in place of the old one: the old file only makes upsmon trust the old
certificate, not the new one.
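
An expiry check to run from cron on each upsd host, so the certificate
can be replaced before the errors above begin. This is an added
example, not code from NUT or from this document, and the function
names are made up here. It assumes openssl is on your PATH; the file
argument may be upsd.crt or the combined upsd.pem, since openssl x509
reads the certificate block out of either.

```sh
#!/bin/sh
# Added example (not NUT code): warn before the upsd certificate
# expires. Assumes openssl on PATH; $1 is upsd.crt or upsd.pem.

# The notAfter date, as "Oct 28 20:05:32 2002 GMT".
nut_cert_not_after() {
    openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//'
}

# Exit 0 if certificate $1 remains valid for at least $2 more days,
# 1 if it expires sooner or has already expired. -checkend does the
# date comparison inside openssl, which avoids the portability
# problems of parsing the notAfter string with date(1).
nut_cert_valid_for_days() {
    openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null 2>&1
}

# Cron-style wrapper: silent when fine; a one-line warning on stderr
# and a non-zero exit when the cert is within $2 days (default 14) of
# expiring, so steps 4 to 9 can be redone, and the new upsd.crt put
# into CERTPATH on every upsmon host, before upsmon starts failing.
nut_cert_check() {
    if nut_cert_valid_for_days "$1" "${2:-14}"; then
        return 0
    fi
    echo "$1 expires $(nut_cert_not_after "$1"); regenerate it now" >&2
    return 1
}

# e.g. in root's crontab on the upsd host, with these functions saved
# as /usr/local/ups/etc/nut-cert.sh (a name made up for this example):
#   0 7 * * *  . /usr/local/ups/etc/nut-cert.sh && nut_cert_check /usr/local/ups/etc/upsd.pem 14
```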