Bug #16837 (open)
Network UPS Tools Cleartext Authentication - enable StartTLS
Description
I ran a Nessus scan and it came up with a finding to enable StartTLS for NUT. I would like to request that this feature be enabled to allow for encrypted channels. The finding is below:
Description
The remote Network UPS Tools does not support exchanging credentials through an encrypted channel. An unauthenticated, remote attacker can exploit this to perform a man-in-the-middle attack, intercept credentials, and alter the settings on the UPS that the server manages.
Solution
Enable StartTLS support on the server using the 'CERTFILE' directive.
NUT Version: 2.8.2_9
Updated by Kris Phillips 19 days ago
- Status changed from New to Incomplete
Are you referring to enabling TLS support for remote servers in the nut package? The nut package doesn't support this natively on any FreeBSD implementation, to my knowledge, so this is an upstream issue that cannot be fixed within pfSense CE or Plus until upstream has support for this.
Please clarify what you are looking for here.
Updated by A A 16 days ago
- File 2026-05-04_13-05-12.jpg added
Hi Kris,
I'm looking to highlight any opportunities to make pfSense and its packages 'secured by design'.
---
When I did a Nessus scan, it reported that NUT does not support exchanging credentials through an encrypted channel. It suggested that StartTLS be enabled using the 'CERTFILE' directive. The current NUT package does not seem to have this option to configure TLS.
https://networkupstools.org/docs/developer-guide.chunked/ar01s09.html
I'm guessing this option would require NUT to be recompiled with OpenSSL?
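The scanner finding above boils down to one question: when a client sends the NUT protocol's `STARTTLS` command to upsd on TCP 3493, does the server answer `OK STARTTLS` or one of the documented `ERR` replies? The following is an added example (not part of this bug report, the pfSense package, or the NUT project) that sends that command and classifies the reply, so an administrator can confirm the state of a server before and after a `CERTFILE` change. The host, the 5-second timeout and the `127.0.0.1` default are assumptions for the example; the reply strings come from the NUT network protocol, and nothing is authenticated or changed on the UPS.

```python
"""Probe a NUT upsd for STARTTLS support.

Added example, not code from the bug report or from NUT. It speaks the
documented NUT network protocol: connect, send "STARTTLS", read one line.
"""
import socket
import ssl
import sys

NUT_PORT = 3493  # default upsd listener

# Replies to STARTTLS defined by the NUT network protocol, mapped to
# (tls_available, defender-facing explanation).
STARTTLS_REPLIES = {
    "OK STARTTLS": (True, "upsd will upgrade this connection to TLS"),
    "ERR FEATURE-NOT-CONFIGURED": (False, "upsd built with SSL, but no CERTFILE in upsd.conf"),
    "ERR FEATURE-NOT-SUPPORTED": (False, "upsd built without SSL support"),
    "ERR ALREADY-SSL-MODE": (True, "connection is already TLS"),
}


def classify_starttls_reply(raw: bytes) -> tuple[bool, str]:
    """Map one reply line from upsd to (tls_available, explanation)."""
    line = raw.decode("ascii", errors="replace").strip()
    if line in STARTTLS_REPLIES:
        return STARTTLS_REPLIES[line]
    if line.startswith("ERR "):
        # Any other protocol error (e.g. ACCESS-DENIED from an ACL) still
        # means no encrypted channel was offered on this connection.
        return False, f"upsd refused STARTTLS: {line[4:]}"
    return False, f"unexpected reply: {line!r}"


def _read_line(sock: socket.socket) -> bytes:
    """Read up to and including the first newline; upsd replies are one line."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf


def probe_starttls(host: str, port: int = NUT_PORT, timeout: float = 5.0) -> tuple[bool, str]:
    """Connect in cleartext, send STARTTLS, and classify the reply.

    On "OK STARTTLS" the socket is wrapped in TLS only to record the
    negotiated protocol version; the server certificate is deliberately
    not verified, because this is a capability report, not a client.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"STARTTLS\n")
        reply = _read_line(sock)
        available, why = classify_starttls_reply(reply)
        if reply.strip() == b"OK STARTTLS":
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE  # report only; never trust a probe
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                why += f"; negotiated {tls.version()}"
        return available, why


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed default
    ok, reason = probe_starttls(target)
    print(("TLS available" if ok else "cleartext only") + " - " + reason)
```

A reply of `ERR FEATURE-NOT-SUPPORTED` points at the build (upsd compiled without an SSL backend), while `ERR FEATURE-NOT-CONFIGURED` points at configuration (no `CERTFILE` in upsd.conf). Once the server answers `OK STARTTLS`, the matching upsmon.conf hardening is `CERTVERIFY 1` and `FORCESSL 1`, so that a monitoring client refuses to send its password over a cleartext session rather than merely preferring TLS.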