• ACE/TAO with SSL - configuration with SSLCAfile

    From cosminp@gmail.com@21:1/5 to All on Thu Apr 28 01:31:41 2016
    Wednesday, 14 May 2008, 13:10:44 UTC+3, badcast wrote:
    Hi,

    I've encountered a problem with ssliop configuration and I'd like to
    know if this is a misconfiguration issue or maybe someone has also
    seen it and probably knows the solution.

    ACE/TAO (5.6) has been built with ssl enabled (OpenSSL 0.9.8.b) on
    Windows XP 2002 SP 2 with Visual Studio 2003 (v7.1.6030) without
    problems.

    Now, the trouble comes when I use SSLCAfile to configure ssliop
    (listed below):

    -- server.conf -->

    dynamic SSLIOP_Factory Service_Object *
    TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory()
    "-SSLAuthenticate SERVER_AND_CLIENT -SSLPrivateKey 'PEM:[CUT]\server-key.pem' -SSLCertificate 'PEM:[CUT]\server-cert.pem' -SSLCAFile 'PEM:[CUT]\cacert.pem'"

    dynamic Advanced_Resource_Factory Service_Object*
    TAO_Strategies:_make_TAO_Advanced_Resource_Factory ()
    "-ORBProtocolFactory SSLIOP_Factory"

    static Client_Strategy_Factory "-ORBConnectStrategy blocked"

    <-- server.conf --

    ORB won't initialize - here is debug output:

    TAO (7000|5188) Initializing the process-wide services
    TAO (7000|5188) Unable to load CA certs from [CUT]\cacert.pem and
    a directory pointed to by SSL_CERT_DIR env var (if any)
    Destroying ORB <[CUT]>

    I've noticed that most of the security examples make use of environment
    variables to specify the CA cert file. The exception is an example from
    TAO\orbsvcs\tests\Security\BiDirectional, which fails in a similar way to
    my app.

    The problem doesn't occur when the CA file location is controlled
    solely by environment variables.

    I dug into the code and I suspect that the problem could be located
    in ACE_SSL_Context::load_trusted_ca, which invokes
    SSL_add_dir_cert_subjects_to_stack - this (SSL_add_dir_cert_subjects_to_stack)
    is a new thing compared to the previous ACE/TAO version, which caused no
    trouble for my app.

    ACE_SSL_Context::load_trusted_ca is called during ssliop factory
    initialization when the SSLCAfile or SSLCApath option is specified in the
    input arguments. When these options are absent the method is not
    called and everything works, provided that the SSL_CERT_FILE env. variable
    is properly set - the client can connect (probably the matching CA cert is
    already loaded due to the invocation of load_trusted_ca in the
    ACE_SSL_Context::set_mode method, which doesn't care about the return
    value from load_trusted_ca).

    These are only my assumptions - I'm having some trouble debugging and
    hunting down the reason; maybe the reason is something else entirely.

    I'd much appreciate it if somebody could check the ssliop configuration
    using SSLCAfile / the security samples, confirm that my server.conf
    configuration is valid, or point out the correct way to configure ssliop
    (I would prefer to configure the ORB using the SSLCAfile/SSLCApath
    directives, not by environment variables).

    Thanks in advance.

    Hi,

    I know this issue is old, but do you remember if you got an answer to those questions?
    I noticed that there is a small problem in the documentation at http://www.dre.vanderbilt.edu/~schmidt/DOC_ROOT/TAO/docs/Security/SSLIOP-USAGE.html
    on the -SSLCAfile option (it has to be 'SSLCAFile', not 'SSLCAfile').
    And I have the same problem: I need to use the file from a .conf file, not as a system variable.
    Any ideas?

    Thank you!

    Cosmin

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
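    A pre-flight check for a server.conf like the one quoted above, added here as an example and not code from ACE/TAO: it parses the SSLIOP factory's quoted option string, strips the PEM: prefix, and reports whether the CA file or directory the ORB will try to load exists and holds PEM CERTIFICATE blocks, and whether the SSL_CERT_FILE / SSL_CERT_DIR fallbacks named in the error message are set. Option names are matched case-insensitively, which is this checker's own assumption, and the CA file written by demo() is a constructed placeholder, not a real certificate.

```python
import os
import re
import tempfile

FACTORY = "TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory()"
TOKEN = re.compile(r"'([^']*)'|(\S+)")  # 'quoted value' or bare word; backslashes stay literal
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def ssliop_options(conf_text):
    """{option (lower-cased): value} from the quoted argument string after the SSLIOP factory."""
    m = re.search(re.escape(FACTORY) + r'\s*"([^"]*)"', conf_text)
    if not m:
        return {}
    argv = [quoted or bare for quoted, bare in TOKEN.findall(m.group(1))]
    return {name.lower(): value for name, value in zip(argv[::2], argv[1::2])}

def pem_path(value):
    """SSLIOP key/cert/CA values are written 'PEM:<path>'; return the bare path."""
    return value[4:] if value.upper().startswith("PEM:") else value

def count_certs(path):
    """Number of PEM CERTIFICATE blocks in a file, or None when it is not a readable file."""
    if not os.path.isfile(path):
        return None
    with open(path, errors="replace") as fh:
        return len(PEM_CERT.findall(fh.read()))

def check_ca_locations(opts, environ=os.environ):
    """Report what the ORB will find: the -SSLCAFile file, the -SSLCAPath dir, and env fallbacks."""
    result = {"cafile": None, "capath": None}
    if "-sslcafile" in opts:
        result["cafile"] = count_certs(pem_path(opts["-sslcafile"]))
    if "-sslcapath" in opts and os.path.isdir(pem_path(opts["-sslcapath"])):
        d = pem_path(opts["-sslcapath"])
        result["capath"] = sum(count_certs(os.path.join(d, f)) or 0 for f in os.listdir(d))
    result["env"] = {k: environ.get(k) for k in ("SSL_CERT_FILE", "SSL_CERT_DIR")}
    return result

def demo():
    """Run the check on a server.conf modelled on the post's, against a constructed CA file."""
    tmp = tempfile.mkdtemp()
    ca = os.path.join(tmp, "cacert.pem")
    with open(ca, "w") as fh:  # constructed placeholder block, not a real certificate
        fh.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    conf = ("dynamic SSLIOP_Factory Service_Object *\n%s\n"
            "\"-SSLAuthenticate SERVER_AND_CLIENT -SSLPrivateKey 'PEM:%s' "
            "-SSLCertificate 'PEM:%s' -SSLCAFile 'PEM:%s'\"\n"
            % (FACTORY, os.path.join(tmp, "server-key.pem"), os.path.join(tmp, "server-cert.pem"), ca))
    return check_ca_locations(ssliop_options(conf), environ={})
```

    A "cafile" of None in the result is the same situation the ORB reports as "Unable to load CA certs from ...": the path from the conf file does not resolve to a readable file from the ORB's working directory.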
  • From Johnny Willemsen@21:1/5 to cos...@gmail.com on Thu Apr 28 11:05:00 2016
    Hi,

    For the documentation fix please open a pull request at https://github.com/DOCGroup/ACE_TAO.

    Best regards,

    Johnny Willemsen
    Remedy IT
    http://www.remedy.nl

    On Thursday, April 28, 2016 at 10:31:42 AM UTC+2, cos...@gmail.com wrote:
