Identify SSL support in upsd and libupsclient, add NIT tests for OpenSSL and Mozilla NSS

Makefile.am

@@ -250,6 +250,7 @@ all-libs-local/common: all-libs-local/include @dotMAKE@
 ### Delivers: libupsclient.la libnutclient.la libnutclientstub.la
 ### Delivers: libupsclient-version.h
 ### LIB-Requires-ext: common/libcommonclient.la
+### Requires-ext: include/nut_version.h
 ### Requires-ext: common/libcommon.la common/libcommonclient.la
 ### Requires-ext: common/libcommonversion.la
 ### Requires-ext: common/libparseconf.la

NEWS.adoc

@@ -3,7 +3,12 @@ NUT Release Notes
 =================
 endif::txt[]
 
-If you're upgrading from an earlier version, see the link:UPGRADING.adoc[] file.
+This document summarizes the practical side of changes coming with each
+newer release development, as compared to the preceding release.
+
+If you're upgrading from an earlier version, or are a package maintainer,
+please see also the link:UPGRADING.adoc[] file about anticipated impacts
+of ongoing development on existing deployments and third-party consumers.
 
 Please note that web and source document links, product and service names
 listed in historic entries of past releases may no longer be relevant.
@@ -104,6 +109,16 @@ https://github.com/networkupstools/nut/milestone/12
      characters. Now it is evaluated at `configure` time (to check that the
      characters may be used), and if not -- during `nut_stdint.h` parsing to
      fit known `int`/`long`/`long long` types. [#3300]
+   * Added new API methods and defined bitmap values for `libupsclient`
+     C binding to query and report SSL capabilities of the current library
+     build (none, OpenSSL, Mozilla NSS): `upscli_ssl_caps_descr()` and
+     `upscli_ssl_caps()`. Updated common NUT clients to report this info
+     in their detailed help banners. Done similarly for `upsd`. The NIT
+     (NUT Integration Test) suite piggy-backs on this to add run-time
+     dependent tests of SSL capability. Added `upscli_set_debug_level()`
+     and `upscli_set_debug_level()` methods to facilitate NUT debugging
+     for clients built with shared NUT private libraries. [issues #3328,
+     #1771, #2800, PR #3330]
 
  - NUT for Windows specific updates:
    * Revised detection of (relative) paths to program and configuration files
@@ -302,6 +317,11 @@ https://github.com/networkupstools/nut/milestone/12
      or Windows `HANDLE`'s at a time, and moving on to another chunk.
      The system-provided value can be further limited by `NUT_SYSMAXCONN_LIMIT`
      environment variable (e.g. in tests). [#3302]
+   * Extended processing of `CERTREQUEST` setting to handle numeric or specific
+     string values, to match both ways of reading ambiguous documentation.
+     Added `configure --with-ssl-client-validation` toggle to expose the
+     macro previously meant to be passed via `make` command line. [PR #3330,
+     but beware issue #3329]
 
  - `upsdrvctl` tool updates:
    * Make use of `setproctag()` and `getproctag()` to report parent/child
@@ -530,6 +550,10 @@ several `FSD` notifications into one executed action. [PR #3097]
    * Dropped the `compile` script from Git sources. It originates from automake
      and is added to work area (if missing) during `autogen.sh` rituals anyway.
      It is still distributed as part of `make dist` tarball. [#1209]
+   * Extended `ci_build.sh` and `build-mingw-nut.sh` so that certain values
+     of `NUT_SSL_VARIANTS=[yes, no, auto, ssl, nss, openssl]` can be used
+     with generic builds to test a specific code path and not only the
+     auto-detected one. [#1711]
 
  - Upstreamed reference packaging recipes (DEB, RPM) from the 42ITy project
    which can be used with OBS (Open Build Service by SUSE), both to support

UPGRADING.adoc

@@ -4,8 +4,15 @@ Upgrading notes
 endif::txt[]
 
 This file lists changes that affect users who installed older versions
-of this software.  When upgrading from an older version, be sure to
-check this file to see if you need to make changes to your system.
+of this software, or third-party integrations and library or data consumers.
+When upgrading from an older NUT version, be sure to check this file to
+see if you need to make changes to your system.
+
+We welcome feedback from package maintainers -- if you had to patch something
+out, or work around something in NUT code or recipes, please let us know in
+the issue tracker. Chances are, other distributions feel your pain, and some
+generalized solution belongs in the upstream project as an easy to use build
+configuration toggle to be shared by all interested downstream projects.
 
 [NOTE]
 ======
@@ -35,6 +42,10 @@ Changes from 2.8.4 to 2.8.5
   library files to deliver with the packages (formally versioned and
   named by NUT release semantic version triplet). [issue #2800]
 
+- Related to the above, `libupsclient` will remove the exported symbol for
+  `nut_debug_level` variable in a later NUT release, and now introduces the
+  `upscli_set_debug_level()` and `upscli_get_debug_level()` methods. [PR #3330]
+
 - For ages, most recipes for building NUT had customized the `sysconfdir` to
   be `/etc/nut`, which is not exactly the *system* configuration directory.
   This is finally deprecated, with new `--with-confdir` configuration option
@@ -99,6 +110,10 @@ Changes from 2.8.4 to 2.8.5
   use `upsdrvquery_NOSIGPIPE=0` to disable neutering of the signal inside
   the API itself. [PR #3277]
 
+- Added new API methods and defined bitmap values for `libupsclient` C binding
+  to query and report SSL capabilities of the library build (none, OpenSSL,
+  Mozilla NSS): `upscli_ssl_caps_descr()` and `upscli_ssl_caps()`. [PR #33xx]
+
 - Fixed man page naming for `nutdrv_siemens-sitop(.8)` (dash vs. underscore)
   to match the driver program name. Packaging recipes may have to be updated.
   Follow-up from slightly botched renaming in original contribution. [PR #545]

appveyor.yml

@@ -63,7 +63,7 @@ install:
 # versions of packages.
   - cmd: |
         REM Prerequisites for NUT per https://github.com/networkupstools/nut/blob/master/docs/config-prereqs.txt :
-        C:\msys64\usr\bin\bash -lc "date -u; pacman --noconfirm -S --needed base-devel mingw-w64-x86_64-toolchain autoconf-wrapper automake-wrapper libtool mingw-w64-x86_64-libltdl gcc ccache mingw-w64-x86_64-ccache git aspell aspell-en python mingw-w64-x86_64-python-pygments mingw-w64-x86_64-winpthreads-git mingw-w64-x86_64-libusb mingw-w64-x86_64-libusb-compat-git mingw-w64-x86_64-neon libneon-devel mingw-w64-x86_64-libgd mingw-w64-x86_64-cppunit"
+        C:\msys64\usr\bin\bash -lc "date -u; pacman --noconfirm -S --needed base-devel mingw-w64-x86_64-toolchain autoconf-wrapper automake-wrapper libtool mingw-w64-x86_64-libltdl gcc ccache mingw-w64-x86_64-ccache git aspell aspell-en python mingw-w64-x86_64-python-pygments mingw-w64-x86_64-winpthreads-git mingw-w64-x86_64-libusb mingw-w64-x86_64-libusb-compat-git mingw-w64-x86_64-neon libneon-devel mingw-w64-x86_64-libgd mingw-w64-x86_64-cppunit mingw-w64-x86_64-nss mingw-w64-x86_64-openssl"
         REM SKIP mingw-w64-x86_64-libmodbus-git : we custom-build one with USB support
         REM SKIP for now NUT-Monitor prereqs (runtime Python would require somilar modules; need to fix localization builds like "fr.po"): gettext mingw-w64-x86_64-python-pyqt6
 
@@ -115,7 +115,7 @@ build_script:
         REM to find "nearby" program or configuration files (see common.c
         REM for current implementation). Hard-coded fallback strings may
         REM end up getting used in those cases.
-        C:\msys64\usr\bin\bash -lc 'date -u; PATH="/mingw64/bin:$PATH" CI_SKIP_CHECK=true CANBUILD_WITH_LIBMODBUS_USB=yes WITH_LIBNUTPRIVATE=true ./ci_build.sh --with-docs=no'
+        C:\msys64\usr\bin\bash -lc 'date -u; PATH="/mingw64/bin:$PATH" CI_SKIP_CHECK=true CANBUILD_WITH_LIBMODBUS_USB=yes WITH_LIBNUTPRIVATE=true NUT_SSL_VARIANTS=nss ./ci_build.sh --with-docs=no'
 
 
 after_build:

ci_build.sh

@@ -35,6 +35,11 @@ SCRIPT_ARGS=("$@")
 # in a different directory and then it would be used with a warning. This may
 # require that you `make distclean` the original source checkout first:
 #   CI_BUILDDIR=obj BUILD_TYPE=default-all-errors ./ci_build.sh
+#
+# The NUT_SSL_VARIANTS=[yes, no, auto, ssl, nss, openssl] values can be used
+# with generic builds (not only iteration of a default-all-errors* matrix)
+# to set specific SSL options in tested NUT builds.
+#
 case "$BUILD_TYPE" in
     fightwarn) ;; # for default compiler
     fightwarn-all)
@@ -1947,7 +1952,20 @@ default|default-alldrv|default-alldrv:no-distcheck|default-all-errors|default-al
 
     case "$BUILD_TYPE" in
         "default-all-errors"*) ;;	# Treated below
-        *) configure_nut ;;
+        *)  # Final choices that can conflict with the matrix
+            # tried in default-all-errors* builds
+            case "${NUT_SSL_VARIANTS}" in
+                ssl|nss|openssl)
+                    CONFIG_OPTS+=("--with-${NUT_SSL_VARIANTS}")
+                    ;;
+                yes) CONFIG_OPTS+=("--with-ssl") ;;
+                no)  CONFIG_OPTS+=("--without-ssl") ;;
+                auto) CONFIG_OPTS+=("--with-ssl=auto") ;;
+                "") ;;
+                *)   echo "WARNING: Unrecognized NUT_SSL_VARIANTS='${NUT_SSL_VARIANTS}' for a general deterministic build, ignored" >&2 ;;
+            esac
+            configure_nut
+            ;;
     esac
 
     # NOTE: There is also a case "$BUILD_TYPE" above for setting CONFIG_OPTS
@@ -2842,6 +2860,17 @@ bindings)
         CONFIG_OPTS+=("--enable-shared-private-libs")
     fi
 
+    case "${NUT_SSL_VARIANTS}" in
+        ssl|nss|openssl)
+            CONFIG_OPTS+=("--with-${NUT_SSL_VARIANTS}")
+            ;;
+        yes) CONFIG_OPTS+=("--with-ssl") ;;
+        no)  CONFIG_OPTS+=("--without-ssl") ;;
+        auto) CONFIG_OPTS+=("--with-ssl=auto") ;;
+        "") ;;
+        *)   echo "WARNING: Unrecognized NUT_SSL_VARIANTS='${NUT_SSL_VARIANTS}' for a general deterministic build, ignored" >&2 ;;
+    esac
+
     if [ -n "${BUILD_DEBUGINFO-}" ]; then
         CONFIG_OPTS+=("--with-debuginfo=${BUILD_DEBUGINFO}")
     else
@@ -2987,6 +3016,8 @@ cross-windows-mingw*)
     fi	# else we have some value from caller
     export WITH_LIBNUTPRIVATE
 
+    export NUT_SSL_VARIANTS
+
     SOURCEMODE="out-of-tree" \
     MAKEFLAGS="$PARMAKE_FLAGS" \
     KEEP_NUT_REPORT_FEATURE="true" \

clients/Makefile.am

@@ -165,22 +165,42 @@ upsstats_cgi_LDADD = $(LDADD_CLIENT) $(top_builddir)/common/libcommonstrjson.la
 
 # not LDADD... why?
 libupsclient_la_SOURCES = upsclient.c upsclient.h
-# NOTE: The library does not require libcommonversion.la
+if ENABLE_SHARED_PRIVATE_LIBS
+libupsclient_la_LIBADD = \
+	$(top_builddir)/common/libnutprivate-@NUT_SOURCE_GITREV_SEMVER_UNDERSCORES@-common-client.la
+else !ENABLE_SHARED_PRIVATE_LIBS
 libupsclient_la_LIBADD = \
 	$(top_builddir)/common/libcommonclient.la
+endif !ENABLE_SHARED_PRIVATE_LIBS
 if HAVE_WINDOWS_SOCKETS
   libupsclient_la_LIBADD += -lws2_32
 endif HAVE_WINDOWS_SOCKETS
 if WITH_SSL
   libupsclient_la_LIBADD += $(LIBSSL_LDFLAGS_RPATH) $(LIBSSL_LIBS)
 endif WITH_SSL
 
+# NOTE: The library does not require libcommonversion.la (does not
+# link against it), we just need $(top_builddir)/include/nut_version.h
+# to be there first (needed to compile upsclient.c, but not all `make`
+# implementations are happy for out-of-tree builds if we define a
+# dependency between these two files directly).
+libupsclient.la: $(top_builddir)/common/libcommonversion.la
+
 # Below we set API versions of public libraries
 # http://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html
 # Note that changes here may have to be reflected in packaging (the shared
 # object .so names would differ)
 
 # libupsclient version information
+# NOTE: with libnutprivate*common* builds dynamically linked into the same
+# program (a typical in-tree NUT client, not typical for out-of-tree third
+# party clients) we can end up with two copies of libcommon symbols present
+# in each library. It's recommended to explicitly call upscli_set_debug_level()
+# instead of ambiguously manipulating the nut_debug_level variable by name.
+# TOTHINK: Un-export nut_debug_level from this library to avoid ambiguity
+# for the run-time dynamic linker resolution? For now the shared-library
+# builds are "exotic", but it makes sense to deprecate this export in a
+# future release.
 libupsclient_la_LDFLAGS = -version-info 7:0:0
 libupsclient_la_LDFLAGS += -export-symbols-regex '^(upscli_|nut_debug_level)'
 #|s_upsdebug|fatalx|fatal_with_errno|xcalloc|xbasename|print_banner_once)'

clients/upsc.c

@@ -2,7 +2,7 @@
 
    Copyright (C) 1999  Russell Kroll <rkroll@exploits.org>
    Copyright (C) 2012  Arnaud Quette <arnaud.quette@free.fr>
-   Copyright (C) 2020-2025  Jim Klimov <jimklimov+nut@gmail.com>
+   Copyright (C) 2020-2026  Jim Klimov <jimklimov+nut@gmail.com>
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -48,14 +48,14 @@ static void fatalx_error_json_simple(int msg_is_simple, const char *msg) {
 	if (output_json) {
 		if (msg_is_simple) {
 			/* Caller knows there is nothing to escape here, pass through */
-			printf("{\"error\": \"%s\"}\n", msg);
+			printf("{\"error\": \"%s\"}\n", NUT_STRARG(msg));
 		} else {
 			printf("{\"error\": \"");
 			json_print_esc(msg);
 			printf("\"}\n");
 		}
 	}
-	fatalx(EXIT_FAILURE, "Error: %s", msg);
+	fatalx(EXIT_FAILURE, "Error: %s", NUT_STRARG(msg));
 }
 
 static void usage(const char *prog)
@@ -91,6 +91,7 @@ static void usage(const char *prog)
 	printf("  -h         - display this help text\n");
 
 	nut_report_config_flags();
+	upscli_report_build_details();
 
 	printf("\n%s", suggest_doc_links(prog, NULL));
 }
@@ -168,6 +169,8 @@ static void list_vars(void)
 		int	msg_is_simple = 1;
 
 		/* check for an old upsd */
+		upsdebugx(1, "%s: got code %d, upserror %d",
+			__func__, ret, upscli_upserror(ups));
 		if (upscli_upserror(ups) == UPSCLI_ERR_UNKCOMMAND) {
 			msg = "upsd is too old to support this query";
 		} else {
@@ -177,14 +180,14 @@ static void list_vars(void)
 
 		if (output_json) {
 			if (msg_is_simple) {
-				printf("  \"error\": \"%s\"\n}\n", msg);
+				printf("  \"error\": \"%s\"\n}\n", NUT_STRARG(msg));
 			} else {
 				printf("  \"error\": \"");
 				json_print_esc(msg);
 				printf("\"\n}\n");
 			}
 		}
-		fatalx(EXIT_FAILURE, "Error: %s", msg);
+		fatalx(EXIT_FAILURE, "Error: %s", NUT_STRARG(msg));
 	}
 
 	while (upscli_list_next(ups, numq, query, &numa, &answer) == 1) {
@@ -237,6 +240,8 @@ static void list_upses(int verbose)
 		int	msg_is_simple = 1;
 
 		/* check for an old upsd */
+		upsdebugx(1, "%s: got code %d, upserror %d",
+			__func__, ret, upscli_upserror(ups));
 		if (upscli_upserror(ups) == UPSCLI_ERR_UNKCOMMAND) {
 			msg = "upsd is too old to support this query";
 		} else {
@@ -394,6 +399,7 @@ int main(int argc, char **argv)
 	s = getenv("NUT_DEBUG_LEVEL");
 	if (s && str_to_int(s, &i, 10) && i > 0) {
 		nut_debug_level = i;
+		upscli_set_debug_level(nut_debug_level);
 	}
 	upsdebugx(1, "Starting NUT client: %s", prog);