networkupstools
diff --git a/‎Makefile.am‎
Lines changed: 2 additions & 1 deletion b/‎Makefile.am‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎NEWS.adoc‎
Lines changed: 23 additions & 0 deletions b/‎NEWS.adoc‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎clients/nutclient.cpp‎
Lines changed: 165 additions & 19 deletions b/‎clients/nutclient.cpp‎
Lines changed: 165 additions & 19 deletions
diff --git a/‎clients/nutclient.h‎
Lines changed: 21 additions & 10 deletions b/‎clients/nutclient.h‎
Lines changed: 21 additions & 10 deletions
@@ -874,7 +874,8 @@ SET_PARMAKES_OPT = \
 			fi ; \
 			PARMAKES_OPT="-j $${MAXPARMAKES}" ; \
 		;; \
-	esac
+	esac ; \
+	if [ x"$${V}$(V)" = x ]; then PARMAKES_OPT="$${PARMAKES_OPT} V=0" ; fi
 
 all-quick: @dotMAKE@
 	+@$(SET_PARMAKES_OPT); \
 
@@ -60,6 +60,29 @@ https://github.com/networkupstools/nut/milestone/13
       query (for protocol version) to verify that handshake succeeded.
       This change impacted also the classic C `libupsclient` library.
       [issue #3387, PR #3402]
+    * Updated OpenSSL code paths in the `libupsclient` C library to support
+      features earlier only available with NSS builds, like specifying the
+      client certificate+key, optionally with password, and pinning expected
+      server certificates. For both backends such pinning should now honour
+      the 'certverify' setting of the `CERTHOST` entry (e.g. not abort the
+      connection attempt if that number is '0'). [issue #3331]
+    * Updated SSL support in the `upsd` data server to handle `CERTREQUEST`
+      (optional validation of clients identified by a certificate) also
+      when built with OpenSSL, optionally using the `CERTPATH` with a
+      collection of CA certificates (directory or a big PEM file).
+      Also support `CERTIDENT` to provide a private key password and ensure
+      that the certificate in `CERTFILE` has an expected subject name as an
+      exact string, or that its CN or SAN match the provided string as a
+      standard expression of host name (section 3.5 of RFC 1034) or IP address.
+      [issue #3331]
+    * The `libupsclient` API was extended with a `upscli_init2()` method which
+      allows to pass the `certfile` argument needed for OpenSSL builds. [#3331]
+    * The `libupsclient` (C) and `libnutclient` (C++) API were updated to
+      report the ability to check `CERTIDENT` information. [#3331]
+
+ - `upsmon` client updates:
+    * Introduced support for `CERTFILE` option, so the client can identify
+      itself to the data server also in OpenSSL builds. [issue #3331]
 
 
 Release notes for NUT 2.8.5 - what's new since 2.8.4
 
@@ -61,8 +61,11 @@
 #endif
 
 #define UPSCLI_SSL_CAPS_NONE	0	/* No ability to use SSL */
-#define UPSCLI_SSL_CAPS_OPENSSL	1	/* Can use OpenSSL-specific setup */
-#define UPSCLI_SSL_CAPS_NSS	2	/* Can use Mozilla NSS-specific setup */
+#define UPSCLI_SSL_CAPS_OPENSSL	(1 << 0)	/* Can use OpenSSL-specific setup */
+#define UPSCLI_SSL_CAPS_NSS	(1 << 1)	/* Can use Mozilla NSS-specific setup */
+#define UPSCLI_SSL_CAPS_CERTIDENT_PASS (1 << 2)	/* Can use CERTIDENT (verify private key password)    */
+#define UPSCLI_SSL_CAPS_CERTIDENT_NAME (1 << 3)	/* Can use CERTIDENT (verify cert name)    */
+#define UPSCLI_SSL_CAPS_CERTIDENT (UPSCLI_SSL_CAPS_CERTIDENT_PASS | UPSCLI_SSL_CAPS_CERTIDENT_NAME)
 
 
 namespace nut
@@ -109,22 +112,25 @@ class SSLConfig_OpenSSL : public SSLConfig
 	SSLConfig_OpenSSL(bool force_ssl = false, int certverify = -1,
 		const std::string& ca_path = "", const std::string& ca_file = "",
 		const std::string& cert_file = "", const std::string& key_file = "",
-		const std::string& key_pass = "")
+		const std::string& key_pass = "", const std::string& certident_name = "")
 		: SSLConfig(force_ssl, certverify), _ca_path(ca_path), _ca_file(ca_file),
-		  _cert_file(cert_file), _key_file(key_file), _key_pass(key_pass) {}
+		  _cert_file(cert_file), _key_file(key_file), _key_pass(key_pass),
+		  _certident_name(certident_name) {}
 
 	SSLConfig_OpenSSL(bool force_ssl, int certverify,
 		const char *ca_path, const char *ca_file,
 		const char *cert_file, const char *key_file,
-		const char *key_pass)
+		const char *key_pass, const char *certident_name = nullptr)
 		: SSLConfig(force_ssl, certverify), _ca_path(ca_path), _ca_file(ca_file),
-		  _cert_file(cert_file), _key_file(key_file), _key_pass(key_pass) {}
+		  _cert_file(cert_file), _key_file(key_file), _key_pass(key_pass),
+		  _certident_name(certident_name) {}
 
 	const std::string& getCAPath() const { return _ca_path; }
 	const std::string& getCAFile() const { return _ca_file; }
 	const std::string& getCertFile() const { return _cert_file; }
 	const std::string& getKeyFile() const { return _key_file; }
 	const std::string& getKeyPass() const { return _key_pass; }
+	const std::string& getCertIdentName() const { return _certident_name; }
 
 	virtual void apply(TcpClient& client) const override;
 
@@ -134,6 +140,7 @@ class SSLConfig_OpenSSL : public SSLConfig
 	std::string _cert_file;
 	std::string _key_file;
 	std::string _key_pass;
+	std::string _certident_name;
 };
 
 /**
@@ -826,8 +833,9 @@ class TcpClient : public Client
 	 * \param cert_file Path to a client certificate file (PEM format for OpenSSL) or nickname (NSS).
 	 * \param key_file Path to a client private key file (PEM format for OpenSSL).
 	 * \param key_pass Optional passphrase to decrypt the private key.
+	 * \param certident_name Expected name in the client certificate (CN or SAN).
 	 */
-	void setSSLConfig_OpenSSL(bool force_ssl, int certverify, const char *ca_path, const char *ca_file, const char *cert_file, const char *key_file, const char *key_pass);
+	void setSSLConfig_OpenSSL(bool force_ssl, int certverify, const char *ca_path, const char *ca_file, const char *cert_file, const char *key_file, const char *key_pass, const char *certident_name = nullptr);
 
 	/**
 	 * Set SSL configuration for OpenSSL.
@@ -838,8 +846,9 @@ class TcpClient : public Client
 	 * \param cert_file Path to a client certificate file (PEM format for OpenSSL) or nickname (NSS).
 	 * \param key_file Path to a client private key file (PEM format for OpenSSL).
 	 * \param key_pass Optional passphrase to decrypt the private key.
+	 * \param certident_name Expected name in the client certificate (CN or SAN).
 	 */
-	void setSSLConfig_OpenSSL(bool force_ssl, int certverify, const std::string& ca_path, const std::string& ca_file, const std::string& cert_file, const std::string& key_file, const std::string& key_pass);
+	void setSSLConfig_OpenSSL(bool force_ssl, int certverify, const std::string& ca_path, const std::string& ca_file, const std::string& cert_file, const std::string& key_file, const std::string& key_pass, const std::string& certident_name = "");
 
 	/**
 	 * Set SSL configuration for Mozilla NSS
@@ -1486,11 +1495,13 @@ NUTCLIENT_TCP_t nutclient_tcp_create_client_ssl_OpenSSL(
 	const char* host, uint16_t port, int try_ssl,
 	int force_ssl, int certverify,
 	const char *ca_path, const char *ca_file,
-	const char *cert_file, const char *key_file, const char *key_pass);
+	const char *cert_file, const char *key_file,
+	const char *key_pass, const char *certident_name);
 void nutclient_tcp_set_ssl_config_OpenSSL(NUTCLIENT_TCP_t client,
 	int force_ssl, int certverify,
 	const char *ca_path, const char *ca_file,
-	const char *cert_file, const char *key_file, const char *key_pass);
+	const char *cert_file, const char *key_file,
+	const char *key_pass, const char *certident_name);
 
 NUTCLIENT_TCP_t nutclient_tcp_create_client_ssl_NSS(
 	const char* host, uint16_t port, int try_ssl,