
Exception in IceSSL.TrustManager

sol79 | Member | Oleg Sukhoroslov | Organization: ISA RAS | Project: Distributed computing

I have an Ice server application with two object adapters - external for clients and internal for other servers. Both are listening over SSL, but the external one can accept incoming calls from clients without a certificate, while the internal adapter requires a valid certificate. So I configured the IceSSL plugin (Java) as follows:
IceSSL.TrustOnly.Server.InternalAdapter="CN="Trusted Server""

Everything worked fine until I tried to check what will happen when a client without a certificate connects to the internal adapter. I expected the connection to be rejected, but instead the server crashed with this exception:

at IceSSL.TrustManager.verify(TrustManager.java:90)
at IceSSL.Instance.verifyPeer(Instance.java:704)
at IceSSL.TransceiverI.handshakeCompleted(TransceiverI.java:766)
at IceSSL.TransceiverI.handshake(TransceiverI.java:573)
at IceSSL.TransceiverI.write(TransceiverI.java:190)
at Ice.ConnectionI.validate(ConnectionI.java:120)
at IceInternal.IncomingConnectionFactory.message(IncomingConnectionFactory.java:313)
at IceInternal.ThreadPool.run(ThreadPool.java:782)
at IceInternal.ThreadPool.access$100(ThreadPool.java:12)
at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:1242)

Looking inside the code I found that there's no safe check whether info.cert is null (just whether it is empty), which apparently caused the exception. With such behavior I can't make my server secure against attacks. Am I using a wrong approach for server configuration, or is this a sort of bug to be fixed?



  • mes | California | Administrators, ZeroC Staff | Mark Spruiell | Organization: ZeroC, Inc. | Project: Ice Developer

    That's a bug in IceSSL. You can fix it by replacing line 90 of TrustManager.java with the following:
            if(info.certs != null && info.certs.length != 0)
    Thanks for reporting this problem; it will be fixed in the next release.

    Take care,
    - Mark
  • sol79 | Member | Oleg Sukhoroslov | Organization: ISA RAS | Project: Distributed computing
    Thanks for the fast reply!
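
The failure mode discussed in this thread, as an added example that is neither IceSSL's code nor code from either poster: a peer check that fails closed when the certificate array is null or empty instead of dereferencing it. The class and method names are hypothetical, and matching on a subset of RDNs is a simplifying assumption, not IceSSL's actual TrustOnly semantics.

```java
import java.security.cert.X509Certificate;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

// Hypothetical stand-alone check; not IceSSL's TrustManager.
public class TrustOnlyCheck {
    // Returns true only if the peer presented a certificate whose subject
    // contains every RDN of the required DN. No certificate means reject.
    static boolean verify(X509Certificate[] chain, String requiredDn) {
        if (chain == null || chain.length == 0) {
            return false; // fail closed: a null array must never reach chain[0]
        }
        return matches(chain[0].getSubjectX500Principal(), requiredDn);
    }

    // Compares parsed RDNs rather than raw strings, so spacing and
    // attribute-type case differences do not cause false mismatches.
    static boolean matches(X500Principal subject, String requiredDn) {
        try {
            List<Rdn> have =
                new LdapName(subject.getName(X500Principal.RFC2253)).getRdns();
            List<Rdn> need = new LdapName(requiredDn).getRdns();
            return !need.isEmpty() && have.containsAll(need);
        } catch (InvalidNameException e) {
            return false; // an unparsable DN is treated as a mismatch
        }
    }

    public static void main(String[] args) {
        String rule = "CN=Trusted Server"; // DN from the thread's TrustOnly setting
        // Constructed subjects standing in for real peer certificates.
        X500Principal trusted = new X500Principal("CN=Trusted Server, O=Example");
        X500Principal other = new X500Principal("CN=Some Client, O=Example");

        System.out.println("null chain:  " + verify(null, rule));
        System.out.println("empty chain: " + verify(new X509Certificate[0], rule));
        System.out.println("trusted DN:  " + matches(trusted, rule));
        System.out.println("other DN:    " + matches(other, rule));
    }
}
```

A regression test for this class of bug should cover the null chain and the empty chain as separate cases, since the original check handled only the empty one.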