My project (using TAO on Server, and so far Java's own ORB as client)
needs to be adapted for secured communications.
I'm still struggling with the Server, whose debug output just doesn't
tell me what it is unhappy about, but it fails to accept the "ssl_port" option in -ORBListenEndpoints iiop://foo:1234/ssl_port=1235, and there is
also a line like the following in the debugging output:
ACE (29490|1) STDG::<dtor> - Failed (-1) to find /.../..._ssl.conf -> 0 (More log lines further down.)
That comes after a bunch of lines making it obvious that the file exists and its contents are seen by TAO (e.g. it appears to be fine with the specified certs).
So far, my hypothesis is that I'm doing something wrong with the options passed to the process and/or in ..._ssl.conf, and only if they're confirmed to be fine would I look further at the build process of ACE+TAO.
My platform: Solaris 11, compiler: solarisstudio12.3 (12.4 failed to compile TAO)
TAO: ACE+TAO-2.2a_with_latest_patches.tar.gz (md5: 37d4a5e79e65a6fdbdcb23e013cd1cac)
Options passed to the process using tao: (start script has them all in a line)
-ORBDebug
-ORBDebugLevel 20
-ORBVerboseLogging 2
-ORBLogFile /.../log/..._orb.log
-ORBIgnoreDefaultSvcConfFile
-ORBSvcConf /.../..._ssl.conf
-ORBDottedDecimalAddresses 1
-ORBNoServerSideNameLookups 1
-ORBListenEndPoints iiop://1.2.3.4:50000/ssl_port=50501/portspan=999
(the IP address is not really 1.2.3.4, but some valid IP in our intranet)
The /.../..._ssl.conf: (the "dynamic" line is only wrapped here, but a
single line in the file)
dynamic SSLIOP_Factory Service_Object *
TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() "
-SSLAuthenticate SERVER
-SSLPrivateKey 'PEM:CorbaSSL/CorbaSSL.key'
-SSLCertificate 'PEM:CorbaSSL/CorbaSSL.pem'
-SSLCAPath 'CorbaSSL/CA'
-SSLPassword prompt:foobar"
"
static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"
It never prompts for the password (but the private-key file doesn't have
one, so that might be ok, unless it would be supposed to ask for one, anyway).
The CorbaSSL/CorbaSSL.pem is signed by my own "self-signed authority",
and that pseudo-CA's cert is in a file MY_CA_cert.cer in CorbaSSL/CA/ . (That's only for my own attempts to get it to work. In production it would eventually have a properly signed certificate.)
Some selected lines of debugging output that might be useful:
ACE (265|1) DLL_Handle::open ("libTAO_SSLIOP.so", 0x101) -> succeeded: no error
...
(265|1) SSLIOP_Factory: No DH parameters found in certificate <CorbaSSL/CorbaSSL.pem>;
either none are needed (RSA) or problems will ensue later.
It's rsa, so shouldn't matter.
TAO (265|1) SSLIOP loaded SSL certificate from CorbaSSL/CorbaSSL.pem
TAO (265|1) SSLIOP loaded Private Key from <CorbaSSL/CorbaSSL.key>
ACE (265|1) DLL_Handle::open ("libTAO_Security.so", 0x101) -> succeeded: no error
...
ACE (265|1) SR::insert - repo=1004035f0 [67], name=SSLIOP_Factory (new) (type=10041d970, object=100429790, active=1)
ACE (265|1) STDG::<dtor>, repo=1004035f0 [67], name=SSLIOP_Factory - updating dependents [61 - 68)
a <dtor> ? is that where it starts to go wrong?
...
and finally, where it really seems to go awry:
ACE (265|1) STDG::<dtor>, repo=1004035f0 [67], name=SSLIOP_Factory - loaded (type=..., impl=..., object=..., active=1)
ACE (265|1) Dynamic_Node::apply - Did dynamic on SSLIOP_Factory (yyerrno=0)
ACE (265|1) DLL_Handle::close - TAO_SSLIOP (handle=2041612168, refcount=5)
ACE (265|1) SG::initialize - () repo=1004035f0, looking up static service 'Resource_Factory' to initialize
ACE (265|1) Static_Node::apply - Did static on Resource_Factory (yyerrno=0)
ACE (265|1) SCG:<dtor=ffffffff7fffb880> - new repo=1004035f0
ACE (265|1) STDG::<dtor> - Failed (-1) to find /.../..._ssl.conf -> 0
After that it proceeds, eventually noticing "We are the default ORB", and then exits after a short line: BAD_PARAM (likely due to the ssl_port=50500 in ORBListenEndpoints). If I remove the ssl_port, it seems to continue
to produce an IOR string, but I can't see any SSL-specifics when feeding
the IOR to http://www2.parc.com/istl/projects/ILU/parseIOR/ and my local linux's ior-decode-2 even crashes on that IOR string.
Anyway, I do need to specify the port range also for ssl (there will be firewalls on the way that allow only a narrow range for Corba; those firewalls aren't there on my development machines, so that's not yet the problem), and it seems to me the non-acceptance of ssl_port could be merely
a consequence of the previously mentioned failure for the config file.
Thanks in advance for hints on where to look next.
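Since the post cannot tell whether the trouble lies in the svc.conf, the files it points at, or the endpoint string, a small pre-flight checker for exactly those three things is useful. The script below is an added example, not code from ACE/TAO or from the poster: it parses the svc.conf directive grammar shown above (the dynamic line kept on one line, as the poster says it is in the real file), splits the SSLIOP_Factory argument string, checks that -SSLPrivateKey/-SSLCertificate carry a PEM: or ASN1: prefix and point at files that exist relative to the working directory the ORB would start in, checks that the -SSLCAPath directory contains hash-named files (OpenSSL's CApath lookup only finds certificates stored under <subject_hash>.<n>, i.e. after c_rehash; a file named MY_CA_cert.cer is not found that way), and parses the iiop://host:port/ssl_port=.../portspan=... endpoint. The sample config, endpoint and placeholder files are constructed to mirror the post; the assumption that portspan=N covers N consecutive ports starting at the listed port is mine and should be confirmed against the TAO documentation for the version in use.

```python
"""Pre-flight checks for a TAO svc.conf SSLIOP stanza and an -ORBListenEndpoints
value.  Added example, not ACE/TAO code or the poster's; sample data is constructed."""
import os
import re
import shlex
import tempfile

# Constructed svc.conf mirroring the post, with the dynamic directive on one line.
SAMPLE_SVC_CONF = (
    'dynamic SSLIOP_Factory Service_Object * '
    'TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() "'
    "-SSLAuthenticate SERVER -SSLPrivateKey 'PEM:CorbaSSL/CorbaSSL.key' "
    "-SSLCertificate 'PEM:CorbaSSL/CorbaSSL.pem' -SSLCAPath 'CorbaSSL/CA' "
    '-SSLPassword prompt:foobar"\n'
    'static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"\n')
SAMPLE_ENDPOINT = 'iiop://1.2.3.4:50000/ssl_port=50501/portspan=999'

# ACE svc.conf grammar subset: dynamic <name> <type> * <lib>:<factory>() "<args>"
DYNAMIC_RE = re.compile(r'^dynamic\s+(?P<name>\S+)\s+\S+\s+\*\s+'
                        r'[^:\s]+:\w+\(\)\s*"(?P<args>[^"]*)"\s*$')
STATIC_RE = re.compile(r'^static\s+(?P<name>\S+)\s*"(?P<args>[^"]*)"\s*$')
# OpenSSL only finds CA certs in a CApath directory under hash-named files
# (<subject_hash>.<n>, as produced by c_rehash / "openssl rehash").
HASHED_CA_FILE = re.compile(r'^[0-9a-f]{8}\.\d+$')


def parse_svc_conf(text):
    """Map service name -> {option: value}; a rejected directive (e.g. unbalanced quote) raises."""
    services = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = DYNAMIC_RE.match(line) or STATIC_RE.match(line)
        if m is None:
            raise ValueError(f'line {lineno}: not a valid svc.conf directive: {line!r}')
        tokens = shlex.split(m.group('args'))        # honours the '...' around paths
        services[m.group('name')] = dict(zip(tokens[0::2], tokens[1::2]))
    return services


def check_ssliop(args, cwd):
    """Findings for SSLIOP_Factory args; relative paths resolve against cwd, like the ORB does."""
    findings = []
    for opt in ('-SSLPrivateKey', '-SSLCertificate'):
        fmt, _, path = args.get(opt, '').partition(':')
        if fmt not in ('PEM', 'ASN1') or not path:
            findings.append(f'{opt}: expected PEM:<file> or ASN1:<file>, got {args.get(opt)!r}')
        elif not os.path.isfile(os.path.join(cwd, path)):
            findings.append(f'{opt}: {path} not found relative to {cwd}')
    capath = args.get('-SSLCAPath')
    if capath:
        full = os.path.join(cwd, capath)
        if not os.path.isdir(full):
            findings.append(f'-SSLCAPath: {capath} is not a directory')
        elif not any(HASHED_CA_FILE.match(f) for f in os.listdir(full)):
            findings.append(f'-SSLCAPath: {capath} holds no hash-named CA files (run c_rehash)')
    return findings


def parse_listen_endpoint(spec):
    """Parse iiop://host:port/opt=val/... into host, port and an option dict."""
    if not spec.startswith('iiop://'):
        raise ValueError(f'only iiop:// endpoints are handled here: {spec!r}')
    hostport, _, option_str = spec[len('iiop://'):].partition('/')
    host, _, port = hostport.rpartition(':')
    options = {}
    for item in filter(None, option_str.split('/')):
        key, sep, value = item.partition('=')
        if not sep or not value:
            raise ValueError(f'malformed endpoint option {item!r}')
        options[key] = value
    return {'host': host, 'port': int(port) if port else 0, 'options': options}


def check_endpoint(ep):
    """Findings for one endpoint.  Assumption: portspan=N covers N consecutive ports from port."""
    findings = []
    span = int(ep['options'].get('portspan', 1))
    plain = range(ep['port'], ep['port'] + span) if ep['port'] else range(0)
    ssl_port = ep['options'].get('ssl_port')
    if ssl_port is not None and int(ssl_port) in plain:
        findings.append(f'ssl_port {ssl_port} lies inside the plain IIOP span '
                        f'{plain.start}-{plain[-1]}; keep the two ranges disjoint')
    return findings


def make_sample_tree(root):
    """Constructed placeholder files; the CA cert is kept under a plain, non-hash name."""
    os.makedirs(os.path.join(root, 'CorbaSSL', 'CA'))
    for rel in ('CorbaSSL/CorbaSSL.key', 'CorbaSSL/CorbaSSL.pem', 'CorbaSSL/CA/MY_CA_cert.cer'):
        open(os.path.join(root, rel), 'w').close()


def run_demo():
    """Run every check on the constructed sample and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        services = parse_svc_conf(SAMPLE_SVC_CONF)
        ssl_findings = check_ssliop(services['SSLIOP_Factory'], root)
    return {'services': services, 'ssl': ssl_findings,
            'endpoint': check_endpoint(parse_listen_endpoint(SAMPLE_ENDPOINT))}


if __name__ == '__main__':
    for section, items in run_demo().items():
        print(section, items)
```

Run as a script it prints two findings for the constructed sample: the CA directory holds no hash-named file, and ssl_port 50501 sits inside the 50000-50998 span claimed by the plain IIOP acceptor. To check a real deployment, point `parse_svc_conf` at the actual ..._ssl.conf text and pass the directory the start script changes into as `cwd`, since the PEM: paths in the post are relative and are resolved by the ORB process, not by the shell.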
"Only" one day later it occurred to me to search for "ssh_port" in the
> ACE (29490|1) STDG::<dtor> - Failed (-1) to find /.../..._ssl.conf -> 0
> -ORBListenEndPoints iiop://1.2.3.4:50000/ssl_port=50501/portspan=999
> ... - If I remove the ssl_port, it seems to continue
> to produce an IOR string, but I can't see any SSL-specifics when feeding
> the IOR to http://www2.parc.com/istl/projects/ILU/parseIOR/ and my local linux's ior-decode-2 even crashes on that IOR string.