Skip to content

Enhance PyNUTClient with SSL (NUT STARTTLS) support and test it#3352

Merged
jimklimov merged 20 commits intonetworkupstools:masterfrom
jimklimov:pynut-ssl
Mar 20, 2026
Merged

Enhance PyNUTClient with SSL (NUT STARTTLS) support and test it#3352
jimklimov merged 20 commits intonetworkupstools:masterfrom
jimklimov:pynut-ssl

Conversation

@jimklimov
Copy link
Copy Markdown
Member

@jimklimov jimklimov commented Mar 16, 2026
edited
Loading

Partially addresses issues:

AI DISCLAIMER: Prepared with contributions from IntelliJ Junie

@jimklimov
server/netssl.c: debug-log progress through ssl_init() and ssl_cleanu…
be682d2 
…p(), and reasons to abort net_starttls()

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
server/netssl.c, clients/upsclient.c: fix SSL read/write on non-block…
0aed20f 
…ing sockets [networkupstools#3331]

Apply same retry detection and loop logic as for handshake;
standardize on `SSL_IO_MAX_RETRIES` constant name for these operations.

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
clients/upsclient.c, server/netssl.c: ssl_error(): return 0 for retri…
46a012f 
…able SSL_ERROR_WANT_{WRITE,READ}, log less loudly [networkupstools#3331]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov jimklimov added this to the 2.8.5 milestone Mar 16, 2026
@jimklimov jimklimov added this to NUT QA Mar 16, 2026
@jimklimov jimklimov added enhancement CI Entries related to continuous integration infrastructure (here CI = tools + scripts + recipes) python SSL/NSS Issues and PRs about SSL, TLS and other crypto-related matters portability We want NUT to build and run everywhere possible labels Mar 16, 2026
@AppVeyorBot
Copy link
Copy Markdown

AppVeyorBot commented Mar 16, 2026

Build nut 2.8.4.4333-master failed (commit 543d2bde30 by @jimklimov)

@jimklimov
scripts/python/module/*: add basic support for STARTTLS [networkupsto…
1c29bee 
…ols#1711, networkupstools#3329, networkupstools#1600]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
scripts/python/module/*: add STARTTLS configurability (force, verify,…
d0b3243 
… key/cert file locations) [networkupstools#1711, networkupstools#3329, networkupstools#1600]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
tests/NIT/nit.sh: add SSL support into tests for PyNUTClient [network…
e11cb62 
…upstools#1711, networkupstools#1600]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
NEWS.adoc: document PyNUTClient extension to use STARTTLS and added N…
1ceb24f 
…IT tests [networkupstools#1711, networkupstools#3329, networkupstools#1600]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov jimklimov added the AI For good or bad, machine tools are upon us. Humans are still the responsible ones. label Mar 18, 2026
@jimklimov
Copy link
Copy Markdown
Member Author

jimklimov commented Mar 18, 2026

Seems python-3.13+ includes much stricter rules about certificate validation, and we generate something not up to its spec (not all extensions it wants) at least for the CA certificate.

@jimklimov
tests/NIT/nit.sh: setenv_ssl_python(): fix NUT_FORCESSL and NUT_CERTV…
81d84fc 
…ERIFY to be numbers [networkupstools#1711, networkupstools#1600]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
scripts/python/module/*: introduce support for NUT_KEYPASS (envvar an…
c5da033 
…d python OpenSSL handling) [networkupstools#1600, networkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
scripts/python/module/test_nutclient.py.in: fix NUT_FORCESSL and NUT_…
571cb4f 
…CERTVERIFY to accept numbers [networkupstools#1711, networkupstools#1600]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
tests/NIT/nit.sh: extend rootca.pem generation with common extensions…
fa46c96 
… required nowadays by many crypto implementations [networkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
tests/NIT/nit.sh: remove TESTCERT_PATHs before setting them up [netwo…
14a44a8 
…rkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
tests/NIT/nit.sh: get_group_id(): always return a number (even if -1)
a0fbe94 
Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
tests/NIT/nit.sh: setenv_ssl_python(): fix typos in message [networku…
7c15548 
…pstools#1600, networkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@AppVeyorBot
Copy link
Copy Markdown

AppVeyorBot commented Mar 18, 2026

Build nut 2.8.4.4347-master failed (commit d8cf826813 by @jimklimov)

@jimklimov
tests/NIT/nit.sh, tests/NIT/Makefile.am: when generating test certifi…
6ab404b 
…cates, exit() upon errors; invert WITHOUT_SSL_TESTS=>WITH_SSL_TESTS with more options [networkupstools#1711]

Support now `make check-NIT WITH_SSL_TESTS=required-conditional` to fail
fast if crypto material setup failed (ignored if built without SSL).

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
tests/NIT/nit.sh: use "openssl req -config" instead of "-extfile" for…
b186a6b 
… self-signed CA cert [networkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
tests/NIT/nit.sh: add localhost IP addresses as DNS.* aliases, for ol…
05834c6 
…der Python libs [networkupstools#1711, networkupstools#1600]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
tests/NIT/nit.sh, tests/NIT/Makefile.am: add support for WITH_SSL_TES…
a4ca413 
…TS=required (to abort if NUT was built without SSL support) [networkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
tests/NIT/nit.sh: abort if WITH_SSL_TESTS=required-conditional (and N…
43c6ec8 
…UT was built with SSL support) but needed third-party tooling was not found for SSL setup [networkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
docs/config-prereqs.txt: add openssl and nss tools as footprint for F…
804dd76 
…edora 43 setup [networkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov jimklimov moved this to In Progress in NUT QA Mar 19, 2026
@jimklimov jimklimov merged commit 26c9c19 into networkupstools:master Mar 20, 2026
66 of 67 checks passed
@jimklimov jimklimov deleted the pynut-ssl branch March 20, 2026 19:03
@jimklimov jimklimov moved this from In Progress to Done in NUT QA Mar 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

AI For good or bad, machine tools are upon us. Humans are still the responsible ones. CI Entries related to continuous integration infrastructure (here CI = tools + scripts + recipes) enhancement portability We want NUT to build and run everywhere possible python SSL/NSS Issues and PRs about SSL, TLS and other crypto-related matters

Projects

NUT QA
Status: Done

Milestone

2.8.5

Development

Successfully merging this pull request may close these issues.

2 participants

@jimklimov @AppVeyorBot