Skip to content

Enhance libnutclient (C++) with SSL (NUT STARTTLS) support and test it#3353

Merged
jimklimov merged 39 commits intonetworkupstools:masterfrom
jimklimov:cpp-ssl
Mar 21, 2026
Merged

Enhance libnutclient (C++) with SSL (NUT STARTTLS) support and test it#3353
jimklimov merged 39 commits intonetworkupstools:masterfrom
jimklimov:cpp-ssl

Conversation

@jimklimov
Copy link
Member

@jimklimov jimklimov commented Mar 18, 2026
edited
Loading

Addresses at least parts of:

Adds various improvements to the NIT script along the way.

AI DISCLAIMER: Prepared with contributions from IntelliJ Junie, mostly to speed up repetitive coding patterns like getters/setters.

@jimklimov jimklimov added this to the 2.8.5 milestone Mar 18, 2026
@jimklimov jimklimov added enhancement documentation C++ SSL/NSS Issues and PRs about SSL, TLS and other crypto-related matters AI For good or bad, machine tools are upon us. Humans are still the responsible ones. labels Mar 18, 2026
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 18, 2026
View reviewed changes
@jimklimov jimklimov force-pushed the cpp-ssl branch 4 times, most recently from b753ab2 to 9ae929f Compare March 18, 2026 13:41
@AppVeyorBot

This comment was marked as outdated.

Sign in to view
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 18, 2026
View reviewed changes
@jimklimov jimklimov force-pushed the cpp-ssl branch 4 times, most recently from 7329d62 to d0cb3f2 Compare March 18, 2026 15:30
@AppVeyorBot

This comment was marked as outdated.

Sign in to view
@AppVeyorBot

This comment was marked as outdated.

Sign in to view
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 19, 2026
View reviewed changes
@AppVeyorBot

This comment was marked as outdated.

Sign in to view
@jimklimov jimklimov added this to NUT QA Mar 19, 2026
@jimklimov jimklimov moved this to In Progress in NUT QA Mar 19, 2026
@AppVeyorBot

This comment was marked as outdated.

Sign in to view
@jimklimov
Copy link
Member Author

jimklimov commented Mar 20, 2026
edited
Loading

Some troubles remain with certificate setup:

  • Segfault not propagated as a tooling failure:
/net/donutci-openbsd-65-amd64/var/shm/jenkins-donutci-openbsd-65-amd64/nut_nut_PR-3353/tests/NIT/nit.sh:
  line 959:  7503 Segmentation fault      (core dumped)
    certutil -A -d . -f .pwfile -n "${TESTCERT_SERVER_NAME}" -a -i server.crt -t ",,"
  • Duplicate serial?
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?
certutil: could not decode certificate: SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
-rw------- 1 abuild abuild 28672 Mar 20 11:05 /dev/shm/jenkins-nutci/nut_nut_PR-3353/obj/tests/NIT/tmp/etc/cert/upsd/cert9.db
-rw------- 1 abuild abuild 36864 Mar 20 11:05 /dev/shm/jenkins-nutci/nut_nut_PR-3353/obj/tests/NIT/tmp/etc/cert/upsd/key4.db
-rw------- 1 abuild abuild   408 Mar 20 11:05 /dev/shm/jenkins-nutci/nut_nut_PR-3353/obj/tests/NIT/tmp/etc/cert/upsd/pkcs11.txt
Fri Mar 20 11:05:04 UTC 2026 [INFO] SSL: Preparing test client certificate...
certutil: could not decode certificate: SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

...
##Failure Location unknown## : Error
Test name: nut::NutActiveClientTest::test_query_ver
uncaught exception of type std::exception (or derived).
- STARTTLS failed: ERR FEATURE-NOT-CONFIGURED

github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 20, 2026
View reviewed changes
@AppVeyorBot

This comment was marked as outdated.

Sign in to view
jimklimov added 16 commits March 20, 2026 22:18
@jimklimov
tests/cpputest-client.cpp: report SSL setup before connection attempt…
ea1086e 
… (which can throw exceptions) [networkupstools#1599, networkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
libnutclient (C++): introduce nutclient_tcp_get_ssl_caps() and TcpCli…
65d311a 
…ent::getSslCaps() [networkupstools#1599, networkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
tests/NIT/nit.sh: separate setenv_ssl_cppnit() from setenv_ssl_python…
d863330 
…() [networkupstools#1599, networkupstools#1600, networkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
tests/cpputest-client.cpp: refactor with setupClientSSL(); support KE…
61e3bc2 
…Y_PASS [networkupstools#1599, networkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
tests/cpputest-client.cpp: ingest envvars for setSSLConfig_NSS() [net…
cf56f99 
…workupstools#1599, networkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
configure.ac: support --with-ssl=(nss|openssl) as used in GitHub acti…
99f2618 
…ons for a while but in vain [networkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
libnutclient (C++): introduce key_pass and its OpenSSL handling; sepa…
2e0525b 
…rate config/autocall methods for OpenSSL and NSS [networkupstools#1599, networkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
docs/man/Makefile.am: fix LIBNUTCLIENT_TCP_DEPS which can get generat…
7a5dc2e 
…ed empty [networkupstools#1599]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
configure.ac: fix C++ builds in Termux environment [networkupstools#1599
5ba53dd 
, networkupstools#1711]

Inspired by termux/termux-packages#23578
and https://github.com/termux/termux-packages/pulls/23579

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
clients/nutclient.cpp: fix some NULL=>nullptr cases [networkupstools#…
b8b0929 
…1599]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
docs/man/Makefile.am: refactor with $(LIBNUTCLIENT_TCP_DEPS_SUB) [net…
bc05d1f 
…workupstools#1599]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
tests/Makefile.am: add LIBSSL_LIBS to consumers of libnutclient [netw…
3bd9ac4 
…orkupstools#1599, networkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
clients/nutclient.{cpp,h}, docs, tests: there is no separate CERTIDEN…
eeb31ef 
…T_PASS in NSS; there is a database prefix however [networkupstools#1599, networkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
clients/nutclient.{cpp,h}: drop TcpClient constructors with a list of…
9774c48 
… options for (Open)SSL [networkupstools#1599]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
clients/nutclient.{cpp,h}: introduce the SSLConfig helper class famil…
8b4b7a1 
…y to future-proof passing OpenSSL or NSS (or other backend) options to TcpClient::setSSLConfig() and constructor [networkupstools#1599]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
clients/nutclient.h, tests/cpputest-client.cpp: hide setSSLConfig_NSS…
d12af9f 
…()/setSSLConfig_OpenSSL() backend-specific methods (APIs may evolve, SSLConfig classes should be more flexible) [networkupstools#1599, networkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 20, 2026
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 20, 2026
View reviewed changes
@jimklimov
clients/nutclient.h: use a simpler way to construct SSLConfig* from c…
7f147cb 
…har* (even if nullptr) [networkupstools#1599]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov
clients/nutclient.cpp, tests/cpputest-client.cpp: per CodeQL, "new" m…
2956cc6 
…ay be toxic in this context [networkupstools#1599, networkupstools#3353]

Warning
Incorrect allocation-error handling
This allocation cannot return null. This check is unnecessary.

cpp/incorrect-allocation-error-handling:

Different overloads of the new operator handle allocation failures in different ways. If new T fails for some type T, it throws a std::bad_alloc exception, but new(std::nothrow) T returns a null pointer. If the programmer does not use the corresponding method of error handling, allocation failure may go unhandled and could cause the program to behave in unexpected ways.

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
jimklimov added a commit to jimklimov/nut that referenced this pull request Mar 21, 2026
@jimklimov
NEWS.adoc: Adjusted C++ header search path on Termux [networkupstools…
39e3f8c 
…#3353]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov jimklimov merged commit 1211c56 into networkupstools:master Mar 21, 2026
67 checks passed
@jimklimov jimklimov deleted the cpp-ssl branch March 21, 2026 21:07
jimklimov added a commit to jimklimov/nut that referenced this pull request Mar 22, 2026
@jimklimov
NEWS.adoc: Adjusted C++ header search path on Termux [networkupstools…
b47cf64 
…#3353]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
@jimklimov jimklimov mentioned this pull request Mar 22, 2026
Open
@jimklimov jimklimov moved this from In Progress to Done in NUT QA Mar 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

AI For good or bad, machine tools are upon us. Humans are still the responsible ones. C++ documentation enhancement SSL/NSS Issues and PRs about SSL, TLS and other crypto-related matters

Projects

NUT QA
Status: Done

Milestone

2.8.5

Development

Successfully merging this pull request may close these issues.

2 participants

@jimklimov @AppVeyorBot