
Bring OpenSSL abilities up to be on par with NSS #3408

Open
jimklimov wants to merge 46 commits into networkupstools:master from jimklimov:issue-3331

Conversation

jimklimov (Member) commented Apr 13, 2026

Was initially based over PR #3402 (now merged).
Closes #3331

  • Client self-identification by a cert (new upscli_init2() with a CERTFILE argument)
  • Pinning expected server certificates (CERTHOST) and using the certverify value from such definition over the default one
  • Using a password for private key (via CERTIDENT)
  • Using CERTIDENT also to make sure we loaded the right file
  • OpenSSL server can validate certs if asked to (CERTREQUEST + CERTPATH)

Development speedup aided by Junie (Intellij AI).

Updates for upsmon as test subject to use the new API before it is bestowed on other clients (#3329)

So far both NSS and OpenSSL variants build and pass make check-NIT locally.

  • A compiler update got me new warnings that were also squashed here but irrelevant to the problem otherwise.

TODO:

  • Compare to C++ implementation, port missing bits
  • Anything similar with Python, Perl bindings (backed by OpenSSL)?
  • Revise NIT setup and run to use the cool features not only with NSS builds.
  • CERTIDENT currently requires OpenSSL 1.1+
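As an added illustration of the client-side policy the description lists (this is not code from this PR or from NUT): a pinned CERTHOST entry carries its own certverify that overrides the default, the presented certificate's subject is compared with the expected name the way CERTIDENT does, and an ssl.SSLContext is assembled from CERTPATH and CERTFILE with an optional key passphrase. The helper names, the CERTHOSTS table and the peer-certificate dict used in the checks are constructed for this example.

```python
import ssl

# Constructed CERTHOST table: host -> (expected certificate name, certverify for it)
CERTHOSTS = {"localhost": ("NIT data server", True)}

def resolve_certhost(host, default_verify, certhosts=CERTHOSTS):
    """A pinned host carries its own certverify, overriding the global default."""
    if host in certhosts:
        return certhosts[host]
    return (None, default_verify)

def subject_cn(peercert):
    """Pull commonName out of the dict that SSLSocket.getpeercert() returns."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def certident_matches(peercert, certident):
    """CERTIDENT-style check: is this the certificate we were told to expect?"""
    return certident is not None and subject_cn(peercert) == certident

def build_client_context(capath=None, certfile=None, password=None, verify=True):
    """CA directory (CERTPATH), optional client cert+key with passphrase
    (CERTFILE), and peer verification on or off (certverify)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse weak protocol versions
    # NUT certificate names are not DNS names, so hostname matching is off and
    # the pinned name is compared after the handshake in check_peer().
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED if verify else ssl.CERT_NONE
    if capath:
        ctx.load_verify_locations(capath=capath)
    if certfile:
        ctx.load_cert_chain(certfile, password=password)
    return ctx

def check_peer(peercert, expected_name, verify):
    """Post-handshake decision. getpeercert() is an empty dict under CERT_NONE,
    so a pin can only be enforced when verification is actually on."""
    if not verify:
        return True   # certverify off: peer never checked, accept as before
    if not peercert:
        return False  # no validated chain, refuse
    if expected_name is None:
        return True   # CA-validated, no pin configured for this host
    return certident_matches(peercert, expected_name)
```

After `sock = ctx.wrap_socket(raw)` the caller passes `sock.getpeercert()` to `check_peer` together with the values from `resolve_certhost`; a pin that cannot be checked because certverify is off is the silent gap to watch for.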

@jimklimov jimklimov added this to the 2.8.6 milestone Apr 13, 2026
@jimklimov jimklimov added the enhancement, SSL/NSS, upsmon and AI labels Apr 13, 2026
github-actions bot commented Apr 13, 2026

A ZIP file with standard source tarball and another tarball with pre-built docs for commit 405695a is temporarily available: NUT-tarballs-PR-3408.zip.

Comment thread on clients/upsclient.c (resolved)
AppVeyorBot: Build nut 2.8.5.4536-master completed (commit 40ecd06b2d by @jimklimov)

@jimklimov jimklimov added the C++, python and perl labels Apr 13, 2026
AppVeyorBot: Build nut 2.8.5.4556-master completed (commit dba7c703b5 by @jimklimov)

AppVeyorBot: Build nut 2.8.5.4578-master completed (commit 59ef9af9db by @jimklimov)

AppVeyorBot: Build nut 2.8.5.4580-master completed (commit fc4bfcd991 by @jimklimov)

AppVeyorBot: Build nut 2.8.5.4582-master completed (commit 923580888c by @jimklimov)

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
…lient certificate+key, optionally with password [networkupstools#3331]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
…ning server certificates [networkupstools#3331]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
…UEST validation of clients [networkupstools#3331]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
… absent [networkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
…SSL CERTIDENT (in)ability [networkupstools#3331]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
…UPSCLI_SSL_CAPS_CERTIDENT as a flag [networkupstools#3331]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
AppVeyorBot: Build nut 2.8.5.4586-master completed (commit 62a83dbf89 by @jimklimov)

… (older interpreter etc.) [networkupstools#1349, networkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
…rash if absent [networkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
AppVeyorBot: Build nut 2.8.5.4587-master completed (commit 7d965271f2 by @jimklimov)

…l_python() verify that we can run SSL tests (else do not force them) [networkupstools#1349, networkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
…undef" printing [networkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
…t crash if absent [networkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
….conf with ability announced by the binaries [networkupstools#1711]

Signed-off-by: Jim Klimov <jimklimov+nut@gmail.com>
AppVeyorBot: Build nut 2.8.5.4588-master completed (commit b376e00047 by @jimklimov)

AppVeyorBot: Build nut 2.8.5.4589-master completed (commit bea5bccb2a by @jimklimov)

AppVeyorBot: Build nut 2.8.5.4590-master completed (commit 5d8799c133 by @jimklimov)

jimklimov (Member, Author) commented:
Trying to figure out why upsmon rejects the server certificate, and hoping to enable debugging in the openssl library, I ended up custom-building current git tip. NUT works with OpenSSL 4.x apparently, and upsmon succeeds the handshake. This is nice but did not help debugging :D

   0.001858     [D1:523280:upsd] Saving PID 523280 into /home/jim/nut/build-custom-openssl/tests/NIT/tmp/run/upsd.pid
   0.001916     WARNING: /home/jim/nut/build-custom-openssl/tests/NIT/tmp/etc/cert/upsd/upsd.pem is world readable (hope you don't have passwords there)
   0.001945     Warning: DISABLE_WEAK_SSL is not enabled. Please consider enabling to improve network security.
   0.006223     [D4:523280:upsd] ssl_init: My certificate subject: '/CN=NIT data server/OU=Test/O=NIT/ST=StateOfChaos/C=US'; CN: 'NIT data server/OU=Test/O=NIT/ST=StateOfChaos/C=US'; CERTIDENT: [15]'NIT data server'
   0.006255     [D2:523280:upsd] Certificate subject verified against CERTIDENT subject name (NIT data server)
   0.006259     [D2:523280:upsd] ssl_init: initialized with OpenSSL and certfile='/home/jim/nut/build-custom-openssl/tests/NIT/tmp/etc/cert/upsd/upsd.pem'
   0.006334     [D1:523280:upsd] ssl_init: Succeeded to load CA certificate(s) from directory /home/jim/nut/build-custom-openssl/tests/NIT/tmp/etc/cert/rootca
   0.006368     [D1:523280:upsd] upsnotify: notify about state NOTIFY_STATE_READY_WITH_PID with libsystemd: was requested, but not running as a service unit now, will not spam more about it


   0.001523     [D1:523611:upsmon:libupsclient:main-loop] NUT_QUIET_INIT_SSL='false' value was not recognized, ignored
   0.004669     [D1:523611:upsmon:libupsclient:main-loop] upscli_init2: Succeeded to load CA certificate(s) from directory /home/jim/nut/build-custom-openssl/tests/NIT/tmp/etc/cert/rootca
   0.006086     [D4:523611:upsmon:libupsclient:main-loop] upscli_init2: My certificate subject: '/CN=NIT upsmon/OU=Test/O=NIT/ST=StateOfChaos/C=US'; CN: 'NIT upsmon/OU=Test/O=NIT/ST=StateOfChaos/C=US'; CERTIDENT: [10]'NIT upsmon'
   0.006119     [D2:523611:upsmon:libupsclient:main-loop] Certificate subject verified against CERTIDENT subject name (NIT upsmon)
   0.006123     [D1:523611:upsmon:libupsclient:main-loop] upscli_init2: completed

   9.923429     [D3:523280:upsd] mainloop: Incoming data from CLIENT [127.0.0.1, FD 8]
   9.923471     [D6:523280:upsd] Entering check_command: STARTTLS
   9.923504     [D6:523280:upsd] check_command: Calling command handler for STARTTLS
   9.923537     [D2:523280:upsd] net_starttls: handling a connection upgrade request, server side built with OpenSSL SSL support
   9.923603     [D2:523280:upsd] write: [destfd=8] [len=12] [OK STARTTLS]
   0.014388     Connecting in SSL to 'localhost' and looking at certificate called 'NIT data server'
   0.057658     [D3:523611:upsmon:libupsclient:main-loop] upscli_sslinit: SSL connected (TLSv1.3)
   0.057695     [D3:523611:upsmon:libupsclient:main-loop] upscli_sslinit: Succeeded to STARTTLS (OpenSSL)
   9.967275     [D3:523280:upsd] SSL_accept succeeded (TLSv1.3)

   9.967426     [D3:523280:upsd] mainloop: Incoming data from CLIENT [127.0.0.1, FD 8]
   9.967463     [D6:523280:upsd] Entering check_command: PROTVER
   9.967493     [D6:523280:upsd] check_command: Calling command handler for PROTVER
   9.967547     [D5:523280:upsd] ssl_write ret=4
   9.967573     [D2:523280:upsd] write: [destfd=8] [len=4] [1.3]

   0.100700     [D3:523611:upsmon:libupsclient:main-loop] upscli_is_valid_protocol_version: PROTVER or NETVER returned '1.3', matching against '(null)'
   0.100776     Connected to NUT server localhost in SSL
   0.100784     [D1:523611:upsmon:libupsclient:main-loop] Certificate verification (by client) is enabled, and apparently succeeded

With the system stock library (Ubuntu 26.04 beta) it fails with something unexpected in the certificate, but what?..

   0.004576     [D1:428309:upsmon:libupsclient:main-loop] upscli_init2: Succeeded to load CA certificate(s) from directory /home/jim/nut/build-mono/tests/NIT/tmp/etc/cert/rootca
   0.005540     [D4:428309:upsmon:libupsclient:main-loop] upscli_init2: My certificate subject: '/CN=NIT upsmon/OU=Test/O=NIT/ST=StateOfChaos/C=US'; CN: 'NIT upsmon/OU=Test/O=NIT/ST=StateOfChaos/C=US'; CERTIDENT: [10]'NIT upsmon'
   0.005581     [D2:428309:upsmon:libupsclient:main-loop] Certificate subject verified against CERTIDENT subject name (NIT upsmon)
   0.005611     [D1:428309:upsmon:libupsclient:main-loop] upscli_init2: completed

   9.968013     [D3:427976:upsd] mainloop: Incoming data from CLIENT [127.0.0.1, FD 8]
   9.968026     [D6:427976:upsd] Entering check_command: STARTTLS
   9.968055     [D6:427976:upsd] check_command: Calling command handler for STARTTLS
   9.968063     [D2:427976:upsd] net_starttls: handling a connection upgrade request, server side built with OpenSSL SSL support
   9.968123     [D2:427976:upsd] write: [destfd=8] [len=12] [OK STARTTLS]
   0.018246     Connecting in SSL to 'localhost' and looking at certificate called 'NIT data server'
   0.063642     [D1:428309:upsmon:libupsclient:main-loop] upscli_sslinit: SSL_connect failed (SSL_ERROR 1): Success
   0.063681     ssl_error() ret=-1 SSL_ERROR 1
   0.063694     [D2:428309:upsmon:libupsclient:main-loop] ssl_debug: error:0A000086:SSL routines::certificate verify failed
  10.013670     net_starttls: SSL_accept failed (SSL_ERROR 1): Success
   0.063721     Can not connect to NUT server localhost in SSL, disconnect
  10.013692     [D1:427976:upsd] ssl_error() ret=-1 SSL_ERROR 1
   0.063736     [D3:428309:upsmon:libupsclient:main-loop] net_write: SSL_write failed: -1
  10.013702     [D1:427976:upsd] ssl_debug: error:0A000412:SSL routines::ssl/tls alert bad certificate
   0.063739     ssl_error() ret=-1 SSL_ERROR_SYSCALL
  10.013716     [D4:427976:upsd] mainloop: adding FD handler #0 for DRIVER (1/1) [dummy, FD 5]
   0.063752     [D3:428309:upsmon:libupsclient:main-loop] net_read: SSL_read failed: -1
  10.013721     [D4:427976:upsd] mainloop: adding FD handler #1 for DRIVER (2/2) [UPS1, FD 6]
   0.063759     ssl_error() ret=-1 SSL_ERROR_SYSCALL
  10.013729     [D4:427976:upsd] mainloop: adding FD handler #2 for DRIVER (3/3) [UPS2, FD 7]
   0.063766     [D1:428309:upsmon:libupsclient:main-loop] upscli_disconnect: We logged out, and server did not reply in a short time
  10.013736     [D4:427976:upsd] mainloop: adding FD handler #3 for CLIENT (1/1) [127.0.0.1 => (null), FD 8]

AppVeyorBot: Build nut 2.8.5.4591-master completed (commit 04370734fb by @jimklimov)

jimklimov (Member, Author) commented Apr 16, 2026

At least complaints from old systems are reasonable, e.g. CentOS 7:

Connecting in SSL to 'localhost' and was asked to look at certificate called 'NIT data server',
    but the OpenSSL library in this build is too old for that. Please disable the CERTHOST
    setting or update the library used by NUT. Refusing connection attempt now because
    certificate verification was required.
Can not connect to NUT server localhost in SSL, disconnect
ssl_error() ret=-1 SSL_ERROR 1
ssl_error() ret=-1 SSL_ERROR 1
net_starttls: SSL_accept did not accept handshake (SSL_ERROR 5): Success
UPS [dummy@localhost:12345]: connect failed: SSL error: error:140E0114:SSL routines:SSL_shutdown:uninitialized

AppVeyorBot: Build nut 2.8.5.4592-master completed (commit b2daf945da by @jimklimov)


Development

Successfully merging this pull request may close this issue: Improvement request: capability disparity of OpenSSL and Mozilla NSS builds: provide same functionality