[tao-users] CORBA SSLIOP client with multiple SSL-certificates

Phil Mesnier mesnierp at ociweb.com
Thu Jun 9 15:07:33 CDT 2016


Hi Bernhard,

Thank you for your PRF. 

For the time being there is no way to use multiple certs within an application. The problem is that ACE_SSL_Context is used by TAO_SSLIOP as a singleton. ACE_SSL_Context is a wrapper/container for the SSL_CTX accessor, through which all SSL configuration and behavior are managed. 

I don't think there is a fundamental technical reason why ACE_SSL_Context must be a singleton. I suspect it just was in the beginning to avoid some potential headaches, and until now no one has demanded multiple security contexts. I recall once looking into creating multiple contexts in anticipation of a scenario such as yours. However, it quickly became clear that the scope of the effort was much more than what I wanted to commit to on a whim. 

If we limit the multiplicity to no more than 1 context per ORB, then we could probably use the "Local" service configuration to define multiple SSLIOP Factory objects holding different credentials. If we start thinking beyond that scenario, where multiple ORBs act as different "users", and think about the possibility of multiple contexts within a single ORB, then I think the issue becomes a lot more complicated, requiring a much more detailed configuration than what we currently support with command line and svc.conf files.

As I said, this is a bigger job than I'm able to take on gratis, but if you are interested in funding the effort contact me directly and we can discuss. Also, you are welcome to work on the solution yourself and contribute it back to the DOC Group via github.

Best regards,
Phil


> On Jun 9, 2016, at 12:53 AM, NEUHOFER Bernhard <bneuhofer at EUROFUNK.COM> wrote:
> 
> Hi,
>  
> TAO VERSION: 2.3.4
> ACE VERSION: 6.3.4
>  
> HOST MACHINE and OPERATING SYSTEM:
> Suse Enterprise Linux 11 SP3
>  
>  
> COMPILER NAME AND VERSION (AND PATCHLEVEL):
> gcc (SUSE Linux) 4.7.2 20130108 [gcc-4_7-branch revision 195014]
>  
> DOES THE PROBLEM AFFECT:
>     COMPILATION? No
>     LINKING? No
>     EXECUTION? Yes
>  
> SYNOPSIS:
> A multithreaded client which connects to multiple CORBA-Servers simultaneously via SSLIOP. Each Server has the same CORBA-Interface but a different set of SSL-Keys.
>  
> DESCRIPTION:
>  
> I'm trying to write a client with the ACE+TAO framework which connects to multiple CORBA-Servers simultaneously (Separate ORB for each connection). Each Server has the same CORBA-Interface but a different set of SSL-Keys.
>  
> So each client has to use different SSL-Keys to be able to connect to the server.
>  
> I've got multiple client configs:
>  
> dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() "-SSLAuthenticate SERVER_AND_CLIENT -SSLPrivateKey 'PEM:client3-key.pem' -SSLCertificate 'PEM:client3-client-cert.pem' -SSLCAFile 'PEM:client3-cacert.pem'"
> dynamic Advanced_Resource_Factory Service_Object* TAO_Strategies:_make_TAO_Advanced_Resource_Factory() "-ORBProtocolFactory SSLIOP_Factory"
>  
> static Client_Strategy_Factory "-ORBConnectStrategy blocked"
>  
> When I initialize the first ORB then I can see that the SSLIOP Protocol is loaded and the keys for the first client are also loaded. The connection to the first server then works as intended.
>  
> But when I try to initialize a connection to the second Server (which uses different SSL-Keys) I can see that when the new ORB is initialized the SSLIOP Protocol is not initialized and still uses the SSL-Keys from the first server. As a consequence the connection to the second server fails.
>  
> CORBA::Object_var object = m_orb->string_to_object(m_ior_file.c_str());
>  
> fails with CORBA::TRANSIENT because the Keys do not match the server.
>  
> I tried passing "-ORBGestalt" "Local" and "-ORBCollocation" "no" to CORBA::ORB_init(), but without any success still the SSLIOP Protocol is only being configured the first time.
>  
>  
>  
> Is there any way to specify different SSL-Keys for different IORs or to reconfigure the SSLIOP Protocol for each ORB?
>  
> Any hint or keyword for a search is highly appreciated. Thank you!
>  
> Best regards,
> Bernhard Neuhofer
>  
>  
> _______________________________________________
> tao-users mailing list
> tao-users at list.isis.vanderbilt.edu
> http://list.isis.vanderbilt.edu/cgi-bin/mailman/listinfo/tao-users
--
Phil Mesnier
Principal Engineer & Partner

OCI | WE ARE SOFTWARE ENGINEERS.
tel  +1.314.579.0066 x225
ociweb.com
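A TLS-level sanity check to go with the discussion above. This is an added example, not code from the thread or from ACE/TAO: it builds two constructed identities (a CA plus a client cert and key each, named after the client3-*.pem convention in the svc.conf above), then checks which client cert chains to which CA and whether each -SSLPrivateKey actually belongs to its -SSLCertificate. Because the singleton ACE_SSL_Context keeps whatever credentials the first SSLIOP_Factory loaded, the second connection presents the first client's cert to a server that trusts a different CA; `openssl verify` against the wrong CA file reproduces that rejection without any ORB involved, which helps separate a certificate/CA mismatch from some other cause of CORBA::TRANSIENT. The directory, file names and function names are assumptions of this example; it only needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread or from ACE/TAO): does each client
# credential set match the CA the peer trusts, and does each key match its cert?
set -eu

WORK=$(mktemp -d)          # scratch dir for the constructed PEM files
trap 'rm -rf "$WORK"' EXIT

# make_identity NAME: a throwaway CA plus one client cert/key signed by it.
# Produces NAME-cacert.pem, NAME-key.pem, NAME-client-cert.pem (constructed,
# mirroring the client3-*.pem naming used in the svc.conf from the report).
make_identity() {
  name=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=${name}-ca" \
    -keyout "$WORK/${name}-cakey.pem" -out "$WORK/${name}-cacert.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=${name}-client" \
    -keyout "$WORK/${name}-key.pem" -out "$WORK/${name}.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/${name}.csr" \
    -CA "$WORK/${name}-cacert.pem" -CAkey "$WORK/${name}-cakey.pem" -CAcreateserial \
    -out "$WORK/${name}-client-cert.pem" >/dev/null 2>&1
}

# cert_trusted_by CLIENT CA: succeeds iff CLIENT's cert chains to CA's root,
# i.e. what a server configured with -SSLCAFile CA-cacert.pem would accept.
cert_trusted_by() {
  openssl verify -CAfile "$WORK/$2-cacert.pem" "$WORK/$1-client-cert.pem" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: succeeds iff the public key inside KEY-key.pem is
# the one in CERT-client-cert.pem (the -SSLPrivateKey / -SSLCertificate pairing).
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/$1-key.pem" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$WORK/$2-client-cert.pem" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

make_identity client1
make_identity client3

# Report the full matrix: the diagonal should be accepted, everything else rejected.
for c in client1 client3; do
  for ca in client1 client3; do
    if cert_trusted_by "$c" "$ca"; then
      echo "$c cert: accepted by $ca CA"
    else
      echo "$c cert: REJECTED by $ca CA"
    fi
  done
  if key_matches_cert "$c" "$c"; then
    echo "$c key matches $c cert"
  fi
done
```

Run it against the real PEM files from the svc.conf entries by pointing the two check functions at those paths instead of the constructed ones; if the cert the stuck ACE_SSL_Context is presenting (client1's, in the reported scenario) is rejected by the second server's CA file here, the TRANSIENT is the expected TLS handshake failure rather than a transport or IOR problem.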