Merge 34ddb93 into db633d1

Author: jimklimov

NEWS.adoc

@@ -110,6 +110,31 @@ https://github.com/networkupstools/nut/milestone/13
       allows to pass the `certfile` argument needed for OpenSSL builds. [#3331]
     * The `libupsclient` (C) and `libnutclient` (C++) API were updated to
       report the ability to check `CERTIDENT` information. [#3331]
+    * Introduced support for "authconf" files to store and convey NUT client
+      authentication details. [issue #3329]
+
+ - `upsc`, `upscmd`, `upsrw` command-line client updates:
+    * Enabled support for `nutauth.conf` files to provide credentials and/or
+      SSL settings in the client which previously only did best-effort attempts
+      at secure communications without an individual certificate, and only
+      anonymously for reading. The new `-A filename` option defaults to trying
+      to use a `nutauth.conf` file (if found in one of the default locations)
+      but not failing if one is not usable; specific values can require use of
+      such a file (`default`) or to not even try reading one (`none`).
+      [issues #3329, #3411]
+
+ - `upslog` client/tool updates:
+    * Added support for best-effort use of `nutauth.conf` files from default
+      locations or via `-A` option, as described above. Since this client
+      can establish multiple connections, keep in mind that currently it
+      can only identify itself with some one (first seen) client certificate,
+      if `CERTIDENT` settings are used. Multiple `CERTHOST` directives for
+      specially trusted servers can be used. [#3329]
+
+ - `upsstats`, `upsset`, `upsimage` CGI client updates:
+    * Added support for best-effort use of `nutauth.conf` files from default
+      locations described above (no way to choose the location, other than
+      by web-server environment variables for CGI calls). [#3329]
 
  - `upsmon` client updates:
     * Introduced support for `CERTFILE` option, so the client can identify
@@ -134,6 +159,9 @@ https://github.com/networkupstools/nut/milestone/13
       much later (tell the sysadmin to increase `ulimit` or set up a more
       conservative `MAXCONN`). If there is a separate soft and hard limit,
       and `MAXCONN` exceeds the soft limit, try to raise the bar. [issue #3365]
+    * If SSL configuration was provided, but the server failed to apply some
+      aspect of that, it should now abort with an explanation (and not proceed
+      with insecure start-up like it could do before). [issue #3331, PR #3435]
 
  - Recipes, CI and helper script updates not classified above:
     * Introduced `ci_build.sh` settings and respective CI workflow settings

UPGRADING.adoc

@@ -46,6 +46,22 @@ Changes from 2.8.5 to 2.8.6
   if the requested value is larger than what is allowed (minus some reserve
   for configuration files and other use-cases). [issue #3365]
 
+- `upsd` data server updates:
+    * If SSL configuration was provided, but the server failed to apply some
+      aspect of that, it should now abort with an explanation (and not proceed
+      with insecure start-up like it could do before). [issue #3331, PR #3435]
+
+- Enabled support for `nutauth.conf` files to provide credentials and/or
+  SSL settings in clients which previously only did best-effort attempts at
+  secure communications without an individual certificate, and only anonymously
+  for reading like `upsc`.
++
+The new `-A filename` option defaults to trying to use a `nutauth.conf` file
+  (if found in one of the default locations) but not failing if one is not
+  usable; specific values can require use of such a file or to not even try
+  reading one ('none' as the legacy default). See the updated manual pages
+  for more details. [issues #3329, #3411]
+
 
 Changes from 2.8.4 to 2.8.5
 ---------------------------

clients/Makefile.am

@@ -110,7 +110,7 @@ endif HAVE_CXX11
 
 # Optionally deliverable as part of NUT public API:
 if WITH_DEV
- include_HEADERS = upsclient.h
+ include_HEADERS = upsclient.h authconf.h
 if HAVE_CXX11
  include_HEADERS += nutclient.h nutclientmem.h
 else !HAVE_CXX11
@@ -170,7 +170,7 @@ upsstats_cgi_LDADD = $(LDADD_CLIENT) $(top_builddir)/common/libcommonstrjson.la
 # but it needs nut_version.h made before the rest of build,
 # to include it into upsclient.c (without an explicit link,
 # this target is sometimes missed in parallel builds):
-libupsclient_la_SOURCES = upsclient.c upsclient.h
+libupsclient_la_SOURCES = upsclient.c upsclient.h authconf.c authconf.h
 
 # See comments for similar trick in common/Makefile.am for common-nut_version.c
 if BUILDING_IN_TREE