TAO VERSION: 1.7.3
ACE VERSION: 5.7.3
HOST MACHINE and OPERATING SYSTEM:
Windows XP Professional/winsock2
TARGET MACHINE and OPERATING SYSTEM, if different from HOST:
COMPILER NAME AND VERSION (AND PATCHLEVEL):
Visual Studio 2008 (9.0.30729.1 SP)
THE $ACE_ROOT/ace/config.h FILE [if you use a link to a platform-
specific file, simply state which one]:
#define ACE_HAS_SSL 1
#include "ace/config-win32.h"
THE $ACE_ROOT/include/makeinclude/platform_macros.GNU FILE [if you
use a link to a platform-specific file, simply state which one
(unless this isn't used in this case, e.g., with Microsoft Visual
C++)]:
N/A
BUILD METHOD USED:
Generated vc9 solutions via mpc
CONTENTS OF $ACE_ROOT/bin/MakeProjectCreator/config/default.features
(used by MPC when you generate your own makefiles):
ssl=1
qos=1
cidl=0
rwho=0
sctp=0
AREA/CLASS/EXAMPLE AFFECTED:
SSLIOP
DOES THE PROBLEM AFFECT:
EXECUTION
SYNOPSIS:
Need to support SSL/Non SSL clients
DESCRIPTION:
We have a server which I'm porting from VisiBroker to TAO. Clients
provide a callback object for receiving notifications via one of
two operations, one requires a user/password (without SSL), the
other examines the caller's certificate for the username. The
user/pass is intended to be used by clients on our network and the SSL
one for access from the internet from third party clients.
What I have so far is the non-SSL mechanism working for both registration
and sending out notifications to client callback objects. On the SSL
side of things I can only register the callback object; any attempts
to push notifications to it cause a NO_PERMISSION exception to be
thrown, as our application when it is pushing the events is not using
SSL. This I believe is caused by the -SSLNoProtection option I have set
to allow non-SSL clients to connect.
Here are my conf files,
<server.conf>
dynamic SSLIOP_Factory Service_Object *
TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() "-SSLNoProtection
-SSLAuthenticate SERVER_AND_CLIENT -SSLPrivateKey 'PEM:server-key.pem'
-SSLCertificate 'PEM:server-cert.pem' -SSLCAFile 'PEM:ca.pem'"
<client.conf>
dynamic SSLIOP_Factory Service_Object *
TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory()
"-SSLAuthenticate CLIENT -SSLPrivateKey
'PEM:ssl/trial-user2-key.pem' -SSLCertificate
'PEM:ssl/trial-user2-cert.pem' -SSLCAFile 'PEM:ssl/ca.pem'"
Note, both contain the following
dynamic Advanced_Resource_Factory Service_Object*
TAO_Strategies:_make_TAO_Advanced_Resource_Factory ()
"-ORBProtocolFactory SSLIOP_Factory"
static Client_Strategy_Factory "-ORBConnectStrategy blocked"
If I drop the -SSLNoProtection option SSL works fine, but then the
non-SSL route fails :-( Is it possible to do this? BTW, I'm using Bi-Dir
GIOP with the SSL clients, should this not mean the callback would
implicitly use SSL?
Regards, Vic
--
Victor Kirk
Analyst
Transportation Systems - Network Services
Serco
Cavendish House
Clearwater Park
Prince's Wharf
Stockton-on-Tees
TS17 6QY
Tel: +44 (0)1642 636894
> If I drop the -SSLNoProtection option SSL works fine, but then the
> non-SSL route fails :-( Is it possible to do this?
From what I have tested, the following setup does *not* work with
current TAO implementations:
Setup:
Client -- SSLIOP --> Server1 -- IIOP --> Server2
                            \
                             \- SSLIOP --> Server3
Because in the Config for Server1, you either put in "-SSLNoProtection",
or you don't. What is needed here would be an option like
"-SSLPermitUnsecure".
What you can do is a quick policy change as described in [0].
HTH,
Christian
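
Added example (not part of either message, and not TAO project code): a small Python check that reads svc.conf text, rejoins directives wrapped across lines, and reports whether SSLIOP_Factory is loaded with -SSLNoProtection, the option the thread says was set to let non-SSL clients connect. The function names and the sample text are constructed for illustration.

```python
import re
import shlex

# Constructed sample modelled on the server.conf quoted in the thread,
# wrapped across lines the way it appears in the mail.
SAMPLE_SERVER_CONF = """\
dynamic SSLIOP_Factory Service_Object *
TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() "-SSLNoProtection
-SSLAuthenticate SERVER_AND_CLIENT -SSLPrivateKey 'PEM:server-key.pem'
-SSLCertificate 'PEM:server-cert.pem' -SSLCAFile 'PEM:ca.pem'"
static Client_Strategy_Factory "-ORBConnectStrategy blocked"
"""

# directive keyword, service name, then an optional double-quoted option string
DIRECTIVE = re.compile(r'^(?:dynamic|static)\s+(\w+)[^"]*(?:"([^"]*)")?')


def parse_directives(text):
    """Return {service name: [option tokens]} for dynamic/static directives."""
    chunks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop svc.conf comments
        if not line:
            continue
        if line.startswith(("dynamic ", "static ")) or not chunks:
            chunks.append(line)                  # a new directive begins
        else:
            chunks[-1] += " " + line             # continuation of a wrapped one
    parsed = {}
    for chunk in chunks:
        m = DIRECTIVE.match(chunk)
        if m:
            parsed[m.group(1)] = shlex.split(m.group(2) or "")
    return parsed


def option_value(opts, flag):
    """Value that follows flag, or None when the flag or its value is missing."""
    if flag in opts:
        i = opts.index(flag)
        if i + 1 < len(opts) and not opts[i + 1].startswith("-"):
            return opts[i + 1]
    return None


def audit_ssliop(text):
    """Report the SSLIOP_Factory settings discussed in the thread."""
    opts = parse_directives(text).get("SSLIOP_Factory")
    if opts is None:
        return {"ssliop_loaded": False}
    return {"ssliop_loaded": True,
            "no_protection": "-SSLNoProtection" in opts,
            "authenticate": option_value(opts, "-SSLAuthenticate"),
            "ca_file": option_value(opts, "-SSLCAFile")}
```

Running audit_ssliop() over each deployed svc.conf gives a quick inventory of which ORBs are configured with -SSLNoProtection.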