Identify SSL support in upsd and libupsclient, add NIT tests for OpenSSL and Mozilla NSS

[jimklimov]

Closes: #3328
Largely fulfills #1711 (for the C client tests, but not for other ecosystems like C++ and Python)

[jimklimov]

• upsmon with NSS (confirms server cert, but server not built to check client cert so not checking that):

Thu Feb 26 18:12:06 UTC 2026 [DEBUG] execcmd: running:   upsmon -FF
Network UPS Tools upsmon 2.8.4.1454.17-1471+g47eedafa1 (development iteration after 2.8.4)
UPS: dummy@localhost:12345 (monitoring only)
No POWERDOWNFLAG value was configured in /home/jim/nut/tests/NIT/tmp/etc/upsmon.conf!
POWERDOWNFLAG should be a path to file that is normally writeable for root user, and remains at least readable late in shutdown after all unmounting completes.
upsmon: initialized OS integration for sleep inhibitor
upsmon: initialized OS integration for sleep/wake monitoring
Connecting in SSL to 'localhost' and look at certificate called 'NIT data server'
Intend to authenticate server localhost : SUCCESS
SSL handshake done successfully with server localhost
Connected to NUT server localhost in SSL
SSL handshake done successfully with client 127.0.0.1
User dummy-admin-m@127.0.0.1 logged into UPS [dummy] (SSL)
UPS dummy@localhost:12345 on battery
Thu Feb 26 18:12:06 UTC 2026: /home/jim/nut/clients/upssched-cmd: THIS IS A SAMPLE SCRIPT, PLEASE TAILOR IT FOR YOUR DEPLOYMENT OF NUT!
Thu Feb 26 18:12:06 UTC 2026: UPSNAME='dummy@localhost:12345'   NOTIFYTYPE='ONBATT'     NOTIFYMSG=''    args=ONBATT-HANDLER
Thu Feb 26 18:12:08 UTC 2026 [DEBUG] [sandbox] UPSMON PID 359584 is alive after a short while

• upsc with NSS (does not care who it talks to, see Feature request: more NUT clients should be SSL-capable with proper certificate trust and all #3329)

Thu Feb 26 18:12:05 UTC 2026 [DEBUG] execcmd: running:   upsc dummy@localhost:12345
Connecting in SSL to 'localhost' (no certificate name specified)
Do not intend to authenticate server localhost
SSL handshake done successfully with server localhost
Connected to NUT server localhost in SSL
Certificate verification is disabled
Thu Feb 26 18:12:06 UTC 2026 [INFO] [testcase_sandbox_start_drivers_after_upsd] Got output:
device.mfr: Dummy Manufacturer
...

• nut-scanner with NSS:

================================
Thu Feb 26 18:08:55 UTC 2026 [INFO] [testcase_sandbox_nutscanner_list] Call libupsclient test suite: nut-scanner on localhost:35012
Thu Feb 26 18:08:55 UTC 2026 [INFO] [testcase_sandbox_nutscanner_list] Preparing LD_LIBRARY_PATH='/home/jim/nut/clients:/home/jim/nut/clients/.libs'
SSL handshake done successfully with client 127.0.0.1
Thu Feb 26 18:08:55 UTC 2026 [DEBUG] execcmd: asked for: /home/jim/nut/tools/nut-scanner/nut-scanner -m 127.0.0.1/32 -O -p 35012
Thu Feb 26 18:08:55 UTC 2026 [DEBUG] execcmd: running:   /home/jim/nut/tools/nut-scanner/nut-scanner -m 127.0.0.1/32 -O -p 35012
Scanning NUT bus (old libupsclient connect method).
Connecting in SSL to '127.0.0.1' (no certificate name specified)
Do not intend to authenticate server 127.0.0.1
SSL handshake done successfully with server 127.0.0.1
Connected to NUT server 127.0.0.1 in SSL
Certificate verification is disabled
Thu Feb 26 18:08:55 UTC 2026 [INFO] [testcase_sandbox_nutscanner_list] findings from nut-scanner:
[nutdev-nut1]
        driver = "dummy-ups"
        port = "dummy@127.0.0.1:35012"
[nutdev-nut2]
        driver = "dummy-ups"
        port = "UPS1@127.0.0.1:35012"
[nutdev-nut3]
        driver = "dummy-ups"
        port = "UPS2@127.0.0.1:35012"
Thu Feb 26 18:08:55 UTC 2026 [INFO] [testcase_sandbox_nutscanner_list] inspecting these findings from nut-scanner...
Thu Feb 26 18:08:55 UTC 2026 [INFO] [testcase_sandbox_nutscanner_list] PASSED: nut-scanner found all expected devices

[jimklimov]

• upsmon (has proper SSL code) with OpenSSL does complain about something (TODO: investigate; UPDATE: CERTPATH location was not populated with hash-named symlinks to CA PEM files):

:; make check-NIT-sandbox-devel
...

Thu Feb 26 18:23:18 UTC 2026 [DEBUG] execcmd: running:   upsmon -FF
Network UPS Tools upsmon 2.8.4.1454.17-1471+g47eedafa1 (development iteration after 2.8.4)
UPS: dummy@localhost:12345 (monitoring only)
No POWERDOWNFLAG value was configured in /home/jim/nut/tests/NIT/tmp/etc/upsmon.conf!
POWERDOWNFLAG should be a path to file that is normally writeable for root user, and remains at least readable late in shutdown after all unmounting completes.
upsmon: initialized OS integration for sleep inhibitor
upsmon: initialized OS integration for sleep/wake monitoring
Unknown return value from SSL_accept: Success
ssl_error() ret=-1 SSL_ERROR 1
Can not connect to NUT server localhost in SSL, disconnect
UPS [dummy@localhost:12345]: connect failed: SSL error: error:0A000197:SSL routines::shutdown while in init
Communications with UPS dummy@localhost:12345 lost
Thu Feb 26 18:23:18 UTC 2026: /home/jim/nut/clients/upssched-cmd: THIS IS A SAMPLE SCRIPT, PLEASE TAILOR IT FOR YOUR DEPLOYMENT OF NUT!
Thu Feb 26 18:23:18 UTC 2026: UPSNAME='dummy@localhost:12345'   NOTIFYTYPE='COMMBAD'    NOTIFYMSG=''    args=COMMBAD-INFO
Thu Feb 26 18:23:20 UTC 2026 [DEBUG] [sandbox] UPSMON PID 402534 is alive after a short while
...
ssl_error() ret=-1 SSL_ERROR 1
Can not connect to NUT server localhost in SSL, disconnect
Unknown return value from SSL_accept: Success
UPS [dummy@localhost:12345]: connect failed: SSL error: error:0A000197:SSL routines::shutdown while in init
UPS dummy@localhost:12345 is unavailable
Thu Feb 26 18:23:23 UTC 2026: /home/jim/nut/clients/upssched-cmd: THIS IS A SAMPLE SCRIPT, PLEASE TAILOR IT FOR YOUR DEPLOYMENT OF NUT!
Thu Feb 26 18:23:23 UTC 2026: UPSNAME='dummy@localhost:12345'   NOTIFYTYPE='NOCOMM'     NOTIFYMSG=''    args=NOCOMM-HANDLER
ssl_error() ret=-1 SSL_ERROR 1
Unknown return value from SSL_accept: Success
Can not connect to NUT server localhost in SSL, disconnect
UPS [dummy@localhost:12345]: connect failed: SSL error: error:0A000197:SSL routines::shutdown while in init
... (Ctrl+S paused output and programs)
ssl_error() ret=-1 SSL_ERROR 1
Unknown return value from SSL_accept: Success
Can not connect to NUT server localhost in SSL, disconnect
Data for UPS [dummy] is stale - check driver
Data for UPS [UPS1] is stale - check driver
UPS [dummy@localhost:12345]: connect failed: SSL error: error:0A000197:SSL routines::shutdown while in init
Data for UPS [UPS2] is stale - check driver
UPS [dummy] data is no longer stale
UPS [UPS1] data is no longer stale
UPS [UPS2] data is no longer stale
...
Unknown return value from SSL_accept: Success
ssl_error() ret=-1 SSL_ERROR 1
Can not connect to NUT server localhost in SSL, disconnect
UPS [dummy@localhost:12345]: connect failed: SSL error: error:0A000197:SSL routines::shutdown while in init
ssl_error() ret=-1 SSL_ERROR 1
...

• relevant part of upsmon.conf generated for the test:

# OpenSSL CERTPATH: Directory with PEM file(s), looked up by the
#  CA subject name hash value (which must include our NUT server).
#  Here we just use the path for PEM file that should be populated
#  by the generatecfg_upsd_add_SSL() method.
# We only support CERTPATH (to recognize servers), FORCESSL and
# CERTVERIFY in OpenSSL builds.
CERTPATH "/home/jim/nut/tests/NIT/tmp/etc/cert/upsmon"
# With OpenSSL this is the only way to configure these behaviors,
# no CERTHOST setting here so far:
FORCESSL 1
CERTVERIFY 1

• relevant part of upsd.conf generated for the test:

# OpenSSL CERTFILE: PEM file with data server cert, possibly the
# intermediate and root CA's, and finally corresponding private key
CERTFILE "/home/jim/nut/tests/NIT/tmp/etc/cert/upsd/upsd.pem"

• upsc with OpenSSL:

Thu Feb 26 18:21:26 UTC 2026 [INFO] [testcase_sandbox_start_drivers_after_upsd] Query driver state from UPSD by UPSC after driver startup
Connected to NUT server localhost in SSL
Certificate verification is disabled
Thu Feb 26 18:21:26 UTC 2026 [INFO] [testcase_sandbox_start_drivers_after_upsd] Got output:
device.mfr: Dummy Manufacturer
...

• nut-scanner with OpenSSL:

================================
Thu Feb 26 18:21:33 UTC 2026 [INFO] [testcase_sandbox_nutscanner_list] Call libupsclient test suite: nut-scanner on localhost:34966
Thu Feb 26 18:21:33 UTC 2026 [INFO] [testcase_sandbox_nutscanner_list] Preparing LD_LIBRARY_PATH='/home/jim/nut/clients:/home/jim/nut/clients/.libs'
Scanning NUT bus (old libupsclient connect method).
Connected to NUT server 127.0.0.1 in SSL
Certificate verification is disabled
Thu Feb 26 18:21:33 UTC 2026 [INFO] [testcase_sandbox_nutscanner_list] findings from nut-scanner:
[nutdev-nut1]
        driver = "dummy-ups"
        port = "dummy@127.0.0.1:34966"
[nutdev-nut2]
        driver = "dummy-ups"
        port = "UPS1@127.0.0.1:34966"
[nutdev-nut3]
        driver = "dummy-ups"
        port = "UPS2@127.0.0.1:34966"
Thu Feb 26 18:21:33 UTC 2026 [INFO] [testcase_sandbox_nutscanner_list] inspecting these findings from nut-scanner...
Thu Feb 26 18:21:33 UTC 2026 [INFO] [testcase_sandbox_nutscanner_list] PASSED: nut-scanner found all expected devices

[AppVeyorBot]

❌ Build nut 2.8.4.4263-master failed (commit 8f68fa9f9c by @jimklimov)

[AppVeyorBot]

✅ Build nut 2.8.4.4267-master completed (commit 47c3b5dc77 by @jimklimov)

[AppVeyorBot]

✅ Build nut 2.8.4.4291-master completed (commit 5b73154058 by @jimklimov)