@@ -72,6 +72,29 @@ https://github.com/networkupstools/nut/milestone/13
7272 query (for protocol version) to verify that handshake succeeded.
7373 This change impacted also the classic C `libupsclient` library.
7474 [issue #3387, PR #3402]
75+ * Updated OpenSSL code paths in the `libupsclient` C library to support
76+ features earlier only available with NSS builds, like specifying the
77+ client certificate+key, optionally with password, and pinning expected
78+ server certificates. For both backends such pinning should now honour
79+ the 'certverify' setting of the `CERTHOST` entry (e.g. not abort the
80+ connection attempt if that number is '0'). [issue #3331]
81+ * Updated SSL support in the `upsd` data server to handle `CERTREQUEST`
82+ (optional validation of clients identified by a certificate) also
83+ when built with OpenSSL, optionally using the `CERTPATH` with a
84+ collection of CA certificates (directory or a big PEM file).
85+ Also support `CERTIDENT` to provide a private key password and ensure
86+ that the certificate in `CERTFILE` has an expected subject name as an
87+ exact string, or that its CN or SAN match the provided string as a
88+ standard expression of host name (section 3.5 of RFC 1034) or IP address.
89+ [issue #3331]
90+ * The `libupsclient` API was extended with a `upscli_init2()` method which
91+ allows to pass the `certfile` argument needed for OpenSSL builds. [#3331]
92+ * The `libupsclient` (C) and `libnutclient` (C++) API were updated to
93+ report the ability to check `CERTIDENT` information. [#3331]
94+
95+ - `upsmon` client updates:
96+ * Introduced support for `CERTFILE` option, so the client can identify
97+ itself to the data server also in OpenSSL builds. [issue #3331]
7598
7699
77100Release notes for NUT 2.8.5 - what's new since 2.8.4
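Review bot: In the first `libupsclient` item (new lines 78-80), "such pinning should now honour the 'certverify' setting" leaves the security consequence implicit: with `certverify` set to '0' a pinned-certificate mismatch does not abort the connection attempt, so the pin is not enforced. Suggest stating that outright and saying what the client does on a mismatch in that case. Since the item says "for both backends", it should also say whether this changes behaviour for existing NSS configurations. In the `upsd` item (new lines 85-88), `CERTIDENT` carries both the private key password and the expected subject, CN or SAN string. The reference to section 3.5 of RFC 1034 describes host name syntax only, so it would help to state how the CN/SAN comparison is done (for example, whether it is an exact match). Style: the last two `libupsclient` items use "[#3331]" while the rest of the hunk uses "[issue #3331]", and "allows to pass" reads better as "allows passing".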