• SSL doesn't "work" for me ...

    From Andreas Leitgeb@21:1/5 to All on Fri Jun 9 15:14:53 2017
    My project (using TAO on Server, and so far Java's own ORB as client)
    needs to be adapted for secured communications.

    I'm still struggling with the Server, whose debug-output just doesn't
    tell me what it is unhappy about, but it fails to accept the "ssl_port"
    option in -ORBListenEndpoints iiop://foo:1234/ssl_port=1235 and there is
    also a line like the following in the debugging output

    ACE (29490|1) STDG::<dtor> - Failed (-1) to find /.../..._ssl.conf -> 0
    (More log lines further down.)

    That comes after a bunch of lines making it obvious that the file exists
    and that its contents are seen by TAO (e.g. it appears to be fine with the
    specified certs).

    So far, my hypothesis is that I'm doing something wrong with the options
    passed to the process and/or in ..._ssl.conf, and only if they're confirmed
    to be fine would I look further at the build process of ACE+TAO.

    My platform: Solaris 11, compiler: solarisstudio12.3 (12.4 failed to compile TAO)
    TAO: ACE+TAO-2.2a_with_latest_patches.tar.gz (md5: 37d4a5e79e65a6fdbdcb23e013cd1cac)

    Options passed to the process using tao: (start script has them all in a line)
    -ORBDebug
    -ORBDebugLevel 20
    -ORBVerboseLogging 2
    -ORBLogFile /.../log/..._orb.log
    -ORBIgnoreDefaultSvcConfFile
    -ORBSvcConf /.../..._ssl.conf
    -ORBDottedDecimalAddresses 1
    -ORBNoServerSideNameLookups 1
    -ORBListenEndPoints iiop://1.2.3.4:50000/ssl_port=50501/portspan=999
    (the IP address is not really 1.2.3.4, but some valid IP in our intranet)

    The /.../..._ssl.conf: (the "dynamic" line is only wrapped here, but a
    single line in the file)

    dynamic SSLIOP_Factory Service_Object *
    TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() "
    -SSLAuthenticate SERVER
    -SSLPrivateKey 'PEM:CorbaSSL/CorbaSSL.key'
    -SSLCertificate 'PEM:CorbaSSL/CorbaSSL.pem'
    -SSLCAPath 'CorbaSSL/CA'
    -SSLPassword prompt:foobar"
    "
    static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"

    It never prompts for the password (but the private-key file doesn't have
    one, so that might be ok, unless it would be supposed to ask for one,
    anyway).

    The CorbaSSL/CorbaSSL.pem is signed by my own "self-signed authority",
    and that pseudo-CA's cert is in a file MY_CA_cert.cer in CorbaSSL/CA/ .
    (That's only for my own trying to get it to work. In production it would eventually have a properly signed certificate.)


    Some selected lines of debugging output that might be useful:

    ACE (265|1) DLL_Handle::open ("libTAO_SSLIOP.so", 0x101) -> succeeded: no error ...
    (265|1) SSLIOP_Factory: No DH parameters found in certificate <CorbaSSL/CorbaSSL.pem>;
    either none are needed (RSA) or problems will ensue later.

    It's rsa, so shouldn't matter.

    TAO (265|1) SSLIOP loaded SSL certificate from CorbaSSL/CorbaSSL.pem
    TAO (265|1) SSLIOP loaded Private Key from <CorbaSSL/CorbaSSL.key>
    ACE (265|1) DLL_Handle::open ("libTAO_Security.so", 0x101) -> succeeded: no error
    ...
    ACE (265|1) SR::insert - repo=1004035f0 [67], name=SSLIOP_Factory (new) (type=10041d970, object=100429790, active=1)
    ACE (265|1) STDG::<dtor>, repo=1004035f0 [67], name=SSLIOP_Factory - updating dependents [61 - 68)

    A <dtor>? Is that where it starts to go wrong?

    ...
    and finally, where it really seems to go awry:

    ACE (265|1) STDG::<dtor>, repo=1004035f0 [67], name=SSLIOP_Factory - loaded (type=..., impl=..., object=..., active=1)
    ACE (265|1) Dynamic_Node::apply - Did dynamic on SSLIOP_Factory (yyerrno=0)
    ACE (265|1) DLL_Handle::close - TAO_SSLIOP (handle=2041612168, refcount=5)
    ACE (265|1) SG::initialize - () repo=1004035f0, looking up static service 'Resource_Factory' to initialize
    ACE (265|1) Static_Node::apply - Did static on Resource_Factory (yyerrno=0)
    ACE (265|1) SCG:<dtor=ffffffff7fffb880> - new repo=1004035f0
    ACE (265|1) STDG::<dtor> - Failed (-1) to find /.../..._ssl.conf -> 0

    After that it proceeds, eventually noticing "We are the default ORB", and
    then exits after a short line: BAD_PARAM (likely due to the ssl_port=50500
    in ORBListenEndpoints). If I remove the ssl_port, it seems to continue
    to produce an IOR string, but I can't see any SSL-specifics when feeding
    the IOR to http://www2.parc.com/istl/projects/ILU/parseIOR/, and my local
    linux's ior-decode-2 even crashes on that IOR string.

    Anyway, I do need to specify the port range also for ssl (there will be
    firewalls on the way that allow only a narrow range for Corba. Those
    firewalls aren't there on my development machines, so that's not yet the
    problem), and it seems to me the non-acceptance of ssl_port could be merely
    a consequence of the previously mentioned failure for the config file.

    Thanks in advance for hints on where to look next.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andreas Leitgeb@21:1/5 to Andreas Leitgeb on Sat Jun 10 09:47:02 2017
    "Only" one day later it occurred to me to search for "ssh_port" in the tao(2.2a)-sources and *not* find it. That explains the "BAD_PARAM",
    but I'd still appreciate help for why it claims that my config file was
    not ok...



    Andreas Leitgeb <avl@logic.at> wrote:
    My project (using TAO on Server, and so far Java's own ORB as client)
    needs to be adapted for secured communications.

    I'm still struggling with the Server, whose debug-output just doesn't
    tell me what it is unhappy about, but it fails to accept the "ssl_port" option in -ORBListenEndpoints iiop://foo:1234/ssl_port=1235 and there is
    also a line like the following in the debugging output

    ACE (29490|1) STDG::<dtor> - Failed (-1) to find /.../..._ssl.conf -> 0 (More log lines further down.)

    That after a bunch of lines making it obvious that the file exists, and its contents are seen by TAO (e.g. it appears to be fine with the specified certs).

    So far, my hypothesis is, that I'm doing something wrong with the options passed to the process, and/or in ..._ssl.conf, and only if they're confirmed to be fine, I'd look further at the build-process of ACE+TAO.

    My platform: Solaris 11, compiler: solarisstudio12.3 (12.4 failed to compile TAO)
    TAO: ACE+TAO-2.2a_with_latest_patches.tar.gz (md5: 37d4a5e79e65a6fdbdcb23e013cd1cac)

    Options passed to the process using tao: (start script has them all in a line)
    -ORBDebug
    -ORBDebugLevel 20
    -ORBVerboseLogging 2
    -ORBLogFile /.../log/..._orb.log
    -ORBIgnoreDefaultSvcConfFile
    -ORBSvcConf /.../..._ssl.conf
    -ORBDottedDecimalAddresses 1
    -ORBNoServerSideNameLookups 1
    -ORBListenEndPoints iiop://1.2.3.4:50000/ssl_port=50501/portspan=999
    (the IP address is not really 1.2.3.4, but some valid IP in our intranet)

    The /.../..._ssl.conf: (the "dynamic" line is only wrapped here, but a
    single line in the file)

    dynamic SSLIOP_Factory Service_Object *
    TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() "
    -SSLAuthenticate SERVER
    -SSLPrivateKey 'PEM:CorbaSSL/CorbaSSL.key'
    -SSLCertificate 'PEM:CorbaSSL/CorbaSSL.pem'
    -SSLCAPath 'CorbaSSL/CA'
    -SSLPassword prompt:foobar"
    "
    static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"

    It never prompts for the password (but the private-key file doesn't have
    one, so that might be ok, unless it would be supposed to ask for one, anyway).

    The CorbaSSL/CorbaSSL.pem is signed by my own "self-signed authority",
    and that pseudo-CA's cert is in a file MY_CA_cert.cer in CorbaSSL/CA/ . (That's only for my own trying to get it to work. In production it would eventually have a properly signed certificate.)


    Some selected lines of debugging output, that might be useful:

    ACE (265|1) DLL_Handle::open ("libTAO_SSLIOP.so", 0x101) -> succeeded: no error
    ...
    (265|1) SSLIOP_Factory: No DH parameters found in certificate <CorbaSSL/CorbaSSL.pem>;
    either none are needed (RSA) or problems will ensue later.

    It's rsa, so shouldn't matter.

    TAO (265|1) SSLIOP loaded SSL certificate from CorbaSSL/CorbaSSL.pem
    TAO (265|1) SSLIOP loaded Private Key from <CorbaSSL/CorbaSSL.key>
    ACE (265|1) DLL_Handle::open ("libTAO_Security.so", 0x101) -> succeeded: no error
    ...
    ACE (265|1) SR::insert - repo=1004035f0 [67], name=SSLIOP_Factory (new) (type=10041d970, object=100429790, active=1)
    ACE (265|1) STDG::<dtor>, repo=1004035f0 [67], name=SSLIOP_Factory - updating dependents [61 - 68)

    a <dtor> ? is that where it starts to go wrong?

    ...
    and finally, where it really seems to go awry:

    ACE (265|1) STDG::<dtor>, repo=1004035f0 [67], name=SSLIOP_Factory - loaded (type=..., impl=..., object=..., active=1)
    ACE (265|1) Dynamic_Node::apply - Did dynamic on SSLIOP_Factory (yyerrno=0) ACE (265|1) DLL_Handle::close - TAO_SSLIOP (handle=2041612168, refcount=5) ACE (265|1) SG::initialize - () repo=1004035f0, looking up static service 'Resource_Factory' to initialize
    ACE (265|1) Static_Node::apply - Did static on Resource_Factory (yyerrno=0) ACE (265|1) SCG:<dtor=ffffffff7fffb880> - new repo=1004035f0
    ACE (265|1) STDG::<dtor> - Failed (-1) to find /.../..._ssl.conf -> 0

    After that it proceeds, eventually noticing "We are the default ORB", and then exits after a short line: BAD_PARAM (likely due to the ssl_port=50500 in ORBListenEndpoints - If I remove the ssl_port, it seems to continue
    to produce an IOR string, but I can't see any SSL-specifics when feeding
    the IOR to http://www2.parc.com/istl/projects/ILU/parseIOR/ and my local linux's ior-decode-2 even crashes on that IOR string.

    Anyway, I do need to specify the port range also for ssl (there will be firewalls on the way, that allow only a narrow range for Corba. those firewalls aren't there on my development machines, so that's not yet the problem) and it seems to me the not-acceptance of ssl_port could be merely
    a consequence of the previously mentioned fail for the config file.

    Thanks in advance for hints on where to look next.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andreas Leitgeb@21:1/5 to Andreas Leitgeb on Sat Jun 10 11:19:24 2017
    Sorry, please forget these two followups... Obviously, I wouldn't
    find "ss*h*_port" in the sources - but did find ss*l*_port...

    So, the original problem still stands as is.

    Andreas Leitgeb <avl@logic.at> wrote:
    "Only" one day later it occurred to me to search for "ssh_port" in the

  • From Andreas Leitgeb@21:1/5 to All on Sat Jun 10 16:09:43 2017
    Well, not sure if anyone even reads this group anymore, but nevertheless
    I made some progress:

    ACE (29490|1) STDG::<dtor> - Failed (-1) to find /.../..._ssl.conf -> 0

    I still don't know what that really means, but meanwhile it seems to me
    like I can safely ignore it, anyway.

    -ORBListenEndPoints iiop://1.2.3.4:50000/ssl_port=50501/portspan=999

    I never saw any doc or example of using two or more options. Examining
    ACE/TAO source directly revealed that they must be separated by "&", so
    it should have been:

    -ORBListenEndPoints iiop://1.2.3.4:50000/ssl_port=50000&portspan=999

    Maybe this semi-URL-like syntax (still no "?") went without saying for
    everyone else, just not for me.

    ... - If I remove the ssl_port, it seems to continue
    to produce an IOR string, but I can't see any SSL-specifics when feeding
    the IOR to http://www2.parc.com/istl/projects/ILU/parseIOR/ and my local linux's ior-decode-2 even crashes on that IOR string.

    TAO's own "tao_catior" turns out to be able to deal with the IOR and
    even shows some SSL'ism in it.

    So, my next target will be the client's Orb (Java's integrated one)
    and I'll either try to make it work with SSLIOP, or change the client
    to use JacORB.

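An added syntax check for the -ORBListenEndpoints value, written for this thread; it is neither TAO's parser nor code from the poster. It encodes the rule the last post worked out (after iiop://host:port the options follow a single "/", separated by "&", not by "/"), flags the "/"-separated form from the first post while still reading the intended options, and accepts the corrected form. The option names it knows (ssl_port, portspan) are only those the thread uses, the flag name is compared case-insensitively because the thread spells it both ways, and the firewall check assumes that portspan widens both the plain and the SSL port by the same number of ports, which the thread does not state.

```python
"""Syntax check for TAO -ORBListenEndpoints values (constructed example).

Not TAO's own parser.  Rule taken from the thread: an endpoint is
``iiop://host:port`` optionally followed by ``/key=value&key=value``,
with ``&`` (not ``/``) between options.  The option names accepted are
only the two the thread uses; TAO knows more, so treat the allow-list as
an assumption to extend.
"""
import re
from dataclasses import dataclass, field

KNOWN_OPTIONS = {"ssl_port", "portspan"}  # only the names the thread uses

# scheme, host (no IPv6 brackets handled here), port, optional option string
_ENDPOINT_RE = re.compile(r"^iiop://([^/:]+):(\d+)(?:/(.*))?$")


@dataclass
class Endpoint:
    host: str
    port: int
    options: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)


def parse_endpoint(spec: str) -> Endpoint:
    """Parse one endpoint; syntax slips are collected in ``problems``."""
    m = _ENDPOINT_RE.match(spec.strip())
    if not m:
        raise ValueError(f"not an iiop://host:port[/options] endpoint: {spec!r}")
    ep = Endpoint(host=m.group(1), port=int(m.group(2)))
    opts = m.group(3)
    if opts is None:
        return ep
    if "/" in opts:
        # The first post's form (ssl_port=50501/portspan=999): TAO would
        # reject it; record the slip but still read the intended options.
        ep.problems.append("options must be separated by '&', not '/'")
        opts = opts.replace("/", "&")
    for item in opts.split("&"):
        key, sep, value = item.partition("=")
        if not sep:
            ep.problems.append(f"option without '=': {item!r}")
            continue
        if key not in KNOWN_OPTIONS:
            ep.problems.append(f"unknown option {key!r}")
            continue
        if not value.isdigit():
            ep.problems.append(f"{key} needs a numeric value, got {value!r}")
            continue
        ep.options[key] = int(value)
    return ep


def check_option_line(line: str) -> Endpoint:
    """Accept the whole start-script argument, e.g. '-ORBListenEndPoints iiop://...'.

    The flag is compared case-insensitively (the thread spells it both ways)."""
    flag, _, spec = line.strip().partition(" ")
    if flag.lower() != "-orblistenendpoints":
        raise ValueError(f"expected -ORBListenEndpoints, got {flag!r}")
    return parse_endpoint(spec)


def ports_used(ep: Endpoint) -> set:
    """Ports the ORB may try to bind.

    Assumption (not stated in the thread): portspan extends both the plain
    port and the ssl port by the same count, and defaults to a single port."""
    span = ep.options.get("portspan", 1)
    ports = set(range(ep.port, ep.port + span))
    if "ssl_port" in ep.options:
        ssl = ep.options["ssl_port"]
        ports |= set(range(ssl, ssl + span))
    return ports


def fits_firewall(ep: Endpoint, low: int, high: int) -> bool:
    """True when every port the ORB may bind lies within [low, high]."""
    return all(low <= p <= high for p in ports_used(ep))


if __name__ == "__main__":
    for spec in ("iiop://1.2.3.4:50000/ssl_port=50501/portspan=999",   # first post
                 "iiop://1.2.3.4:50000/ssl_port=50000&portspan=999"):  # corrected
        ep = parse_endpoint(spec)
        print(spec, "->", ep.options, ep.problems or "ok",
              "fits 50000-50998:", fits_firewall(ep, 50000, 50998))
```

Running the script prints the parsed options for both spellings from the thread and shows that only the "&"-separated form passes without a recorded problem; the firewall helper is there because the first post mentions a narrow allowed port range, so the whole span (not just the base ports) has to be checked against it.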