
Re: [tao-users] I can't configure SSLIOP for block clients without valid certificate.


Ossama Othman

Apr 11, 2008, 1:48:08 AM4/11/08
to tao-users
Hi Samuel,

Comments below ...

> I began to use SSLIOP looking for a way to prevent clients from
> connecting to the server if they don't have good authentication.
> Of course I began by reading some docs on building TAO with SSL and
> SSLIOP, and I read the chapter of the OCI TAO Developer's Guide that
> explains the use of these features.
>
> I built TAO with SSL and went to run the test that exists in
> $TAO_ROOT/orbsvcs/tests/Security/MT_SSLIOP.
>
> I learned to use server.conf and client.conf,
> but I don't obtain the result that I imagined.
>
> I attach a PRF for more details, but here is some info.
> TAO VERSION: 1.5a
> HOST MACHINE and OPERATING SYSTEM:
> PC: Core 2 Duo 1.6 GHz, 1 GB RAM, 80 GB HDD.
> Debian Etch.
> Kernel 2.6.18-4
> Compiler G++ 4.1.2
>
> LEVEL OF URGENCY (LOW, MEDIUM, or HIGH):
> MEDIUM
> AREA/CLASS/EXAMPLE AFFECTED:
> test used: TAO/orbsvcs/tests/Security/MT_SSLIOP
> DOES THE PROBLEM AFFECT:
> EXECUTION?
>
> Problem:
> I can't configure SSLIOP to block clients without a valid certificate.
>
>
> DESCRIPTION:
>
> I use the test $TAO_ROOT/orbsvcs/tests/Security/MT_SSLIOP.
> This test has a client and a server that connect using SSLIOP.
>
> Here I describe 4 tests.
>
> First test.
>
> Run server:
> ./server -o server.ior -n 1 -ORBDebuglevel 0 -ORBsvcConf server.conf
>
> The server.conf file has the following:
> dynamic SSLIOP_Factory Service_Object *
> TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory()
> "-SSLPrivateKey PEM:pvtkey.pem -SSLCertificate PEM:selfsigncert.pem"
> static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"
>
>
> Run client:
> ./client -k file://server.ior -ORbDebuglevel 1 -ORBSvcConf client.conf
>
> client.conf has the following lines (original TAO file):
> dynamic SSLIOP_Factory Service_Object *
> TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory()
> "-SSLCertificate PEM:selfsigncert.pem"
> static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"
>
> Results: In the first test all works fine; the client invokes the
> server's methods and it works.
> -------------------------------------------------------------------------------------------
>
> Second test.
> Run the server like in the first test.
>
> Run the client without client.conf:
> ./client -k file://server.ior -ORbDebuglevel 0
>
> (5552|3052272528) EXCEPTION, Client_Worker : Exception Raised
> system exception, ID 'IDL:omg.org/CORBA/NO_PERMISSION:1.0'
> Unknown vendor minor code id (0), minor code = 0, completed = NO
>
> Results:
> The client can't connect to the server because no SSLIOP is configured;
> for me that's OK, all works fine.
> ---------------------------------------------------------------------------------------------
>
> Test number 3.
> Now I need to configure server.conf and client.conf in a way that the
> server denies the client invocation if the client does not use a
> correct certificate.
>
> In this test I leave server.conf exactly as in the TAO original file:
> dynamic SSLIOP_Factory Service_Object *
> TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory()
> "-SSLPrivateKey PEM:pvtkey.pem -SSLCertificate PEM:selfsigncert.pem"
> static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"
>
> and run it in the same way:
> ./server -o server.ior -n 1 -ORBDebuglevel 0 -ORBsvcConf server.conf
>
> I change client.conf, removing the certificate from the original file.
> client.conf has the following lines (Original TAO File):
> dynamic SSLIOP_Factory Service_Object *
> TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory()
> ""
> static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"
>
> ./client -k file://server.ior -ORbDebuglevel 1 -ORBSvcConf client.conf
>
> Results!!!!!!
> The client connects and works fine. If I don't use a certificate, how
> can the client connect?
> I suppose that the server needs some extra configuration that forces
> client authentication. That's test number 4.

That's right. The default authentication mode is "NONE". Venkat's
"SERVER_AND_CLIENT" proposed solution is correct.

> ------------------------------------------------------------------------------------------
>
> Test number 4.
>
> Modify the server.conf file with -SSLAuthenticate SERVER.
> The server.conf file has the following:
> dynamic SSLIOP_Factory Service_Object *
> TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory()
> "-SSLAuthenticate SERVER -SSLPrivateKey PEM:pvtkey.pem
> -SSLCertificate PEM:selfsigncert.pem"
> static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"
>
>
> And client.conf is maintained without a certificate, like in test number 3.
>
> Results!!!!!. All works as if no protection existed?

Just to be clear, some protection does still exist. It is certificates
that are not being verified. Encrypted communication should occur as
configured.

In any case, "-SSLAuthenticate SERVER" on the server side only causes
the server to request a certificate from the client. Only if the client
returns a certificate to the server is certificate verification
performed. Otherwise, no verification failure will occur. This is the
same behavior described by OpenSSL's "SSL_VERIFY_PEER" verification mode
described here:

http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html#NOTES

Recall that TAO_SSLIOP is implemented in terms of OpenSSL (through
ACE_SSL). It is for this reason that you must specify the
"-SSLAuthenticate SERVER_AND_CLIENT" or "-SSLAuthenticate CLIENT" TAO
SSLIOP factory option on the server side to force rejection of clients
without a certificate (analogous to OpenSSL's
"SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT" mode).

> ----------------------------------------------------------------------
>
> What am I doing wrong?
> Can anybody help me with this problem?
> I read that with the Current object I can resolve this problem, but my
> idea is to add some extra security to old objects without extra
> programming.
> Can I block clients just using certificates and keys, and using SSLIOP?
> Or do I need to change the server object code to validate clients?
> Thanks and regards.
> Samuel...

All of the necessary information for "-SSLAuthenticate" SSLIOP factory
option is described in the current OCI TAO 1.4a Developer's Guide, the
description of which also applies to 1.5a. Contracting support through
OCI may be the way to go should you need or desire additional help with
OCI TAO 1.5a.

As Doug mentioned, OCI provides commercial support for TAO, as well as
several other open-source products. If you're interested in support for
your company, please contact sa...@ociweb.com for information on opening
a support contract.

For more details, please see:

http://www.theaceorb.com/support

or contact:

sa...@ociweb.com

HTH,
-Ossama
--
Ossama Othman <oth...@ociweb.com>
Object Computing, Inc.
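As an added illustration of the modes described above (example code written for this page, not part of TAO or of the thread), the following Python checker parses a server svc.conf in the shape shown in the tests, reads the SSLIOP factory's -SSLAuthenticate option (defaulting to NONE, as stated), and reports the OpenSSL verify mode it corresponds to and whether a client presenting no certificate would be rejected. The sample configuration and the mode-to-verify-flag table are assumptions of the example taken from the explanation in the reply.

```python
import re
import shlex

# Constructed server svc.conf in the shape used in the thread; written for
# this example, not taken from TAO's MT_SSLIOP test files.
WEAK_SERVER_CONF = """\
dynamic SSLIOP_Factory Service_Object *
  TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory()
  "-SSLAuthenticate SERVER -SSLPrivateKey PEM:pvtkey.pem
   -SSLCertificate PEM:selfsigncert.pem"
static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"
"""
STRICT_SERVER_CONF = WEAK_SERVER_CONF.replace(
    "-SSLAuthenticate SERVER ", "-SSLAuthenticate SERVER_AND_CLIENT ")

# Server-side -SSLAuthenticate value -> OpenSSL verify mode, per the reply
# above (this mapping is an assumption of the example).
VERIFY_MODE = {
    "NONE": "SSL_VERIFY_NONE",
    "SERVER": "SSL_VERIFY_PEER",
    "CLIENT": "SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT",
    "SERVER_AND_CLIENT": "SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT",
}

# The quoted factory argument string may be wrapped over several lines.
_FACTORY = re.compile(
    r'dynamic\s+SSLIOP_Factory\s+Service_Object\s*\*\s*\S+\(\)\s*"([^"]*)"')

def ssliop_options(conf):
    """SSLIOP factory -SSL* options as a dict, or None if not loaded."""
    if "-ORBProtocolFactory SSLIOP_Factory" not in conf:
        return None
    m = _FACTORY.search(conf)
    if m is None:
        return None
    toks = shlex.split(m.group(1))
    opts = {}
    for i, tok in enumerate(toks):
        if tok.startswith("-SSL"):  # a flag with no value is stored as True
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            opts[tok] = nxt if nxt and not nxt.startswith("-") else True
    return opts

def client_cert_policy(conf):
    """(mode, openssl_verify_mode, rejects_clients_without_cert)."""
    opts = ssliop_options(conf)
    if opts is None:
        return ("not loaded", None, False)
    mode = str(opts.get("-SSLAuthenticate", "NONE")).upper()  # default NONE
    verify = VERIFY_MODE.get(mode, "unknown")
    return (mode, verify, "FAIL_IF_NO_PEER_CERT" in verify)
```

Running it over the two constructed files shows the "SERVER" configuration from test number 4 mapping to plain SSL_VERIFY_PEER (certificate requested, absence tolerated) while "SERVER_AND_CLIENT" adds the fail-if-no-peer-cert behaviour.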

Ossama Othman

Apr 11, 2008, 2:01:27 AM4/11/08
to tao-users

On Thu, 2008-04-10 at 22:48 -0700, Ossama Othman wrote:
> All of the necessary information for "-SSLAuthenticate" SSLIOP factory
> option is described in the current OCI TAO 1.4a Developer's Guide, the
> description of which also applies to 1.5a.

I should mention that the options are described in Section 29.6.2
"Configuring and Loading SSLIOP" in the OCI TAO 1.4a Developer's Guide.

samuel Gonzalez

Apr 11, 2008, 9:38:52 AM4/11/08
to Ossama Othman, tao-users
Thanks Ossama.

I read all your suggestions.

>> In any case, "-SSLAuthenticate SERVER" on the server side only causes
>> the server to request a certificate from the client.  Only if the client
>> returns a certificate to the server is certificate verification
>> performed.  Otherwise, no verification failure will occur.  This is the
>> same behavior described by OpenSSL's "SSL_VERIFY_PEER" verification mode
>> described here:
>>
>> http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html#NOTES
>>
>> Recall that TAO_SSLIOP is implemented in terms of OpenSSL (through
>> ACE_SSL).  It is for this reason that you must specify the
>> "-SSLAuthenticate SERVER_AND_CLIENT" or "-SSLAuthenticate CLIENT" TAO
>> SSLIOP factory option on the server side to force rejection of clients
>> without a certificate (analogous to OpenSSL's
>> "SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT" mode).


Well, my last test with MT_SSLIOP is to put -SSLAuthenticate SERVER_AND_CLIENT in server.conf like this:

dynamic SSLIOP_Factory Service_Object *
        TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory()
        "-SSLAuthenticate SERVER_AND_CLIENT -SSLPrivateKey  PEM:pvtkey.pem -SSLCertificate PEM:selfsigncert.pem"
static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"


I maintain client.conf without any certificate, like this:

dynamic SSLIOP_Factory Service_Object *
        TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory()
        ""
static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"

Running server:
./server -o server.ior -n 1 -ORBDebuglevel 1 -ORBsvcConf server.conf

Running client:

./client -k file://server.ior -ORbDebuglevel 1 -ORBSvcConf client.conf

And all works normally, as if there were no SSLIOP certificate validation.
The server does not reject any request from the client.
I read TAO Developer's Guide 2.9 and did not find any point that resolves my problem.

I don't want to use CURRENT to do this, because I would have to change all my old servers.

I'm downloading the latest DOC TAO version, to change from the OCI 1.5a version to the last stable (non-beta) TAO release; then I will repeat my last test.

I think that I am not doing all the steps, and something is wrong in my configuration.

Thanks Again,

Samuel...





Johnny Willemsen

Apr 11, 2008, 9:43:16 AM4/11/08
to samuel Gonzalez, tao-users

Hi,

Please download x.6.3, it is labeled as beta, but it is really more a micro release. Some info about the labeling is in the TAO Programmers Guide which you can obtain from www.theaceorb.nl.

Johnny
