Hi,
I've encountered a problem with ssliop configuration and I'd like to
know if this is a misconfiguration issue or maybe someone has also
seen it and probably knows the solution.
ACE/TAO (5.6) has been built with ssl enabled (OpenSSL 0.9.8.b) on
Windows XP 2002 SP 2 with Visual Studio 2003 (v7.1.6030) without
problems.
Now, the trouble comes when I use SSLCAfile to configure ssliop
(listed below):
-- server.conf -->
dynamic SSLIOP_Factory Service_Object *
TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory()
"-SSLAuthenticate SERVER_AND_CLIENT -SSLPrivateKey 'PEM:[CUT]\server-key.pem' -SSLCertificate 'PEM:[CUT]\server-cert.pem' -SSLCAFile 'PEM:[CUT]\cacert.pem'"
dynamic Advanced_Resource_Factory Service_Object*
TAO_Strategies:_make_TAO_Advanced_Resource_Factory ()
"-ORBProtocolFactory SSLIOP_Factory"
static Client_Strategy_Factory "-ORBConnectStrategy blocked"
<-- server.conf --
ORB won't initialize - here is debug output:
TAO (7000|5188) Initializing the process-wide services
TAO (7000|5188) Unable to load CA certs from [CUT]\cacert.pem and
a directory pointed to by SSL_CERT_DIR env var (if any)
Destroying ORB <[CUT]>
I've noticed that most of the security examples make use of environment
variables to specify the CA cert file. The exception is an example from TAO \orbsvcs\tests\Security\BiDirectional, which fails in a similar way to
my app.
The problem doesn't occur when the CA file location is controlled
solely by environment variables.
I dug into the code and I suspect that the problem could be located
in ACE_SSL_Context::load_trusted_ca, which invokes SSL_add_dir_cert_subjects_to_stack - this (SSL_add_dir_cert_subjects_to_stack) is new compared to the
previous ACE/TAO version, which caused no trouble for my app.
ACE_SSL_Context::load_trusted_ca is called during ssliop factory initialization when the option SSLCAfile or SSLCApath is specified in the
input arguments. When these options are absent the method is not
called and everything works provided that the SSL_CERT_FILE env. variable
is properly set - the client can connect (probably the matching CA cert is already loaded due to the invocation of load_trusted_ca in ACE_SSL_Context::set_mode, which doesn't care about the return
value from load_trusted_ca).
These are only my assumptions - I have some trouble debugging and
hunting down the reason; maybe the reason is something else entirely.
I'd much appreciate it if somebody could check the ssliop configuration using SSLCAfile / the security samples, confirm that my server.conf configuration is
valid, or point out the correct way to configure ssliop (I would prefer to configure the ORB using the SSLCAfile/SSLCApath directives, not environment variables).
Thanks in advance.
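As an added example (not part of the original post and not ACE/TAO's own code), here is a small Python pre-flight checker for the quoted argument string of the dynamic SSLIOP_Factory line above. It splits the options, reports option names that differ from the expected spelling only by case, and verifies that every PEM: path exists and actually holds a PEM block of the right kind (certificate vs. private key, valid base64 body), so a plain file problem can be ruled out before the ORB reports "Unable to load CA certs". It does not reproduce what ACE_SSL_Context::load_trusted_ca does. Assumptions: the set of option spellings treated as canonical (SSLCAFile with a capital F, as the follow-up post reports), values of the form PEM:<path>, -SSLCAPath given as a bare directory path, and shlex-style splitting of the quoted string; the PEM contents written by demo() are constructed placeholders, not real keys or certificates.

```python
"""Pre-flight checker for SSLIOP options in an ACE/TAO svc.conf (added example, not ACE/TAO code)."""
import base64
import binascii
import os
import re
import shlex
import tempfile

# Spellings this checker treats as correct. Assumption: taken from the option names
# used in the thread; the follow-up post reports -SSLCAFile (capital F) works.
CANONICAL_OPTIONS = {"SSLAuthenticate", "SSLPrivateKey", "SSLCertificate",
                     "SSLCAFile", "SSLCAPath"}
FILE_OPTIONS = {"SSLPrivateKey", "SSLCertificate", "SSLCAFile"}

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=label)-----")
# OpenSSL's directory lookup (SSL_CERT_DIR / a CA path) only finds files named
# <subject-hash>.<n>, the layout c_rehash produces.
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.r?[0-9]+$")


def parse_ssliop_args(arg_string):
    """Split the factory's quoted argument string into (option, value) pairs."""
    s = arg_string.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    tokens = shlex.split(s, posix=True)  # single quotes keep backslashes literal
    pairs, i = [], 0
    while i < len(tokens):
        if not tokens[i].startswith("-"):
            raise ValueError(f"expected an option, got {tokens[i]!r}")
        name, value = tokens[i][1:], None
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            value, i = tokens[i + 1], i + 1
        pairs.append((name, value))
        i += 1
    return pairs


def canonical_name(name):
    """Return the expected spelling matching `name` case-insensitively, or None."""
    for canon in CANONICAL_OPTIONS:
        if canon.lower() == name.lower():
            return canon
    return None


def check_pem_file(path, expect_key=False):
    """Return a list of problems with a PEM file; an empty list means it looks fine."""
    if not os.path.isfile(path):
        return [f"{path}: file not found"]
    with open(path, "rb") as fh:
        text = fh.read().decode("ascii", errors="replace")
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return [f"{path}: no PEM block found"]
    problems = []
    for label, body in blocks:
        wanted = label.endswith("PRIVATE KEY") if expect_key else label == "CERTIFICATE"
        if not wanted:
            problems.append(f"{path}: unexpected PEM block type {label!r}")
        try:
            base64.b64decode(re.sub(r"\s+", "", body), validate=True)
        except binascii.Error:
            problems.append(f"{path}: PEM block {label!r} is not valid base64")
    return problems


def check_ca_path(path):
    """Return (errors, warnings) for a CA directory; warns if OpenSSL would find nothing."""
    if not os.path.isdir(path):
        return [f"{path}: not a directory"], []
    if not any(HASHED_NAME.match(n) for n in os.listdir(path)):
        return [], [f"{path}: no hashed entries (<hash>.0); OpenSSL will find nothing here"]
    return [], []


def check_ssliop_config(arg_string):
    """Check one SSLIOP_Factory argument string; returns {'errors': [...], 'warnings': [...]}."""
    errors, warnings = [], []
    for name, value in parse_ssliop_args(arg_string):
        canon = canonical_name(name)
        if canon is None:
            warnings.append(f"-{name}: not an option this checker knows")
            continue
        if canon != name:
            warnings.append(f"-{name}: expected spelling is -{canon}")
        if canon in FILE_OPTIONS:
            encoding, sep, path = (value or "").partition(":")
            if not sep or encoding != "PEM":
                errors.append(f"-{name}: expected a PEM:<path> value, got {value!r}")
                continue
            errors.extend(check_pem_file(path, expect_key=(canon == "SSLPrivateKey")))
        elif canon == "SSLCAPath":  # assumption: bare directory path
            e, w = check_ca_path(value or "")
            errors.extend(e)
            warnings.extend(w)
    return {"errors": errors, "warnings": warnings}


# Constructed stand-ins for the thread's [CUT] files: PEM framing around a
# base64 body that is NOT a real certificate or key.
_CONSTRUCTED_CERT = ("-----BEGIN CERTIFICATE-----\n"
                     + base64.b64encode(b"constructed, not a real cert").decode()
                     + "\n-----END CERTIFICATE-----\n")
_CONSTRUCTED_KEY = _CONSTRUCTED_CERT.replace("CERTIFICATE", "RSA PRIVATE KEY")


def demo():
    """Run the checker over the thread's server.conf line using the constructed files."""
    with tempfile.TemporaryDirectory() as d:
        for fname, content in (("server-key.pem", _CONSTRUCTED_KEY),
                               ("server-cert.pem", _CONSTRUCTED_CERT),
                               ("cacert.pem", _CONSTRUCTED_CERT)):
            with open(os.path.join(d, fname), "w") as fh:
                fh.write(content)
        # Spelled -SSLCAfile on purpose, as in the usage document the follow-up
        # post mentions, to show the case warning.
        args = ('"-SSLAuthenticate SERVER_AND_CLIENT '
                f"-SSLPrivateKey 'PEM:{d}/server-key.pem' "
                f"-SSLCertificate 'PEM:{d}/server-cert.pem' "
                f"-SSLCAfile 'PEM:{d}/cacert.pem'\"")
        return check_ssliop_config(args)


if __name__ == "__main__":
    for kind, items in demo().items():
        for item in items:
            print(f"{kind}: {item}")
```

Running demo() reports no errors and one warning, "-SSLCAfile: expected spelling is -SSLCAFile"; a missing or non-PEM file shows up as an error naming the path. The -SSLCAPath warning covers the other half of the error message in the thread: the "directory pointed to by SSL_CERT_DIR" is only useful to OpenSSL if it contains c_rehash-style <hash>.0 entries, so a directory of plainly named .pem files will load nothing.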
Wednesday, 14 May 2008, 13:10:44 UTC+3, badcast wrote:
Hi,
I know this issue is old, but do you remember if you got an answer for those questions?
I noticed that there is a small problem in documentation from http://www.dre.vanderbilt.edu/~schmidt/DOC_ROOT/TAO/docs/Security/SSLIOP-USAGE.html
on the -SSLCAfile option (it has to be with 'SSLCAFile' not 'SSLCAfile').
And I have the same problem: I need to use the file from a .conf file not as a system variable.
Any ideas?
Thank you!
Cosmin