IceSSL self signing
Hi,
I am trying to get a registry running that only allows connections via SSL from nodes or servers that have the appropriate certificate.
I have read through http://www.zeroc.com/doc/Ice-3.2.1/manual/IceSSL.43.7.html and also issue 17 of the newsletter.
So far I have created a CA with the default CN="Grid CA", certificates for registry and server, signed them, and converted all to jks.
My icegridregistry config contains
Ice.Plugin.IceSSL=IceSSL:createIceSSL
IceSSL.DefaultDir=certs
IceSSL.CertAuthFile=ca_cert.pem
IceSSL.CertFile=registry_cert.pem
IceSSL.KeyFile=registry_key.pem
and my server which wants to dynamically register contains
Ice.Plugin.IceSSL=IceSSL.PluginFactory
IceSSL.DefaultDir=certs
IceSSL.Keystore=server.jks
IceSSL.TruststorePassword=changeme
IceSSL.Truststore=ca.jks
On the server I get "IceSSL: handshake error" and on the registry I get:
[ 01/30/08 16:28:33.905 Security: certificate verification failure
  issuer = /CN=Grid CA/O=GridCA-dtp0018951/emailAddress=asdf
  subject = /CN=Grid CA/O=GridCA-dtp0018951/emailAddress=asdf
  depth = 1
  error = self signed certificate in certificate chain
  local address = 10.68.229.61:4062
  remote address = 10.68.229.161:4228 ]
Thanks.
Comments
Hi,
This error generally indicates a "trust" issue, i.e., one peer doesn't trust the CA certificate sent by the other peer. Normally this shouldn't happen in a controlled experiment like yours because the same CA certificate should be used by the server and the registry. Did you perhaps generate the CA certificate multiple times, such that the server and registry might accidentally be using different CA certificates?
You can use the Java keytool utility to display the contents of ca.jks:
$ keytool -list -v -keystore ca.jks
And then use openssl to display the contents of ca_cert.pem:
$ openssl x509 -in ca_cert.pem -text
Then compare the "authority key identifiers" to see if they match.
Let us know if you're still having trouble.
Take care,
- Mark
Looks as if I had a copy-paste error; once corrected that error goes away but now a new one.
Using IceGridGUI.jar configured with the appropriate key and truststore I can connect to the registry (on host redbourn) via SSL. The same code that was giving me the SSL errors now gives different errors. This is code that works when used without SSL; it creates an object adapter and dynamically registers it with the registry.

- setting AppInfo.AdapterId to: dtp0018951.AppHelperIceGrid_main.AppInfo
[ 1/31/08 09:58:28:054 Security: enabling SSL ciphersuites:
  SSL_RSA_WITH_RC4_128_MD5
  SSL_RSA_WITH_RC4_128_SHA
  TLS_RSA_WITH_AES_128_CBC_SHA
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  SSL_RSA_WITH_3DES_EDE_CBC_SHA
  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  SSL_RSA_WITH_DES_CBC_SHA
  SSL_DHE_RSA_WITH_DES_CBC_SHA
  SSL_DHE_DSS_WITH_DES_CBC_SHA
  SSL_RSA_EXPORT_WITH_RC4_40_MD5
  SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
  SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA ]
[ 1/31/08 09:58:28:195 Security: IceSSL: ignoring certificate validation failure: peer certificate does not contain `redbourn' in its subjectAltName extension ]
[ 1/31/08 09:58:28:195 Security: SSL summary for outgoing connection
  cipher = SSL_RSA_WITH_RC4_128_MD5
  protocol = TLSv1
  local address = 10.68.229.161:2765
  remote address = 10.68.229.61:4062 ]
- setting up object adapter
Ice.ConnectionRefusedException
    error = 0
    at IceInternal.Network.doConnect(Network.java:320)
    at IceInternal.TcpConnector.connect(TcpConnector.java:26)
    at IceInternal.OutgoingConnectionFactory.create(OutgoingConnectionFactory.java:323)
    at IceInternal.RoutableReference.createConnection(RoutableReference.java:433)
    at IceInternal.DirectReference.getConnection(DirectReference.java:199)
    at Ice._ObjectDelM.setup(_ObjectDelM.java:258)
    at Ice.ObjectPrxHelperBase.__getDelegate(ObjectPrxHelperBase.java:1055)
    at Ice.LocatorRegistryPrxHelper.setAdapterDirectProxy(LocatorRegistryPrxHelper.java:49)
    at Ice.LocatorRegistryPrxHelper.setAdapterDirectProxy(LocatorRegistryPrxHelper.java:21)
    at Ice.ObjectAdapterI.updateLocatorRegistry(ObjectAdapterI.java:1193)
    at Ice.ObjectAdapterI.activate(ObjectAdapterI.java:81)
    at com.enbridge.ice.util.AppHelperIceGrid.init(AppHelperIceGrid.java:134)
    at com.enbridge.ice.util.AppHelperIceGrid.main(AppHelperIceGrid.java:181)
Caused by: java.net.ConnectException: Connection refused: no further information
    at sun.nio.ch.SocketChannelImpl.checkConnect(Native Method)
    at sun.nio.ch.SocketChannelImpl.finishConnect(Unknown Source)
    at IceInternal.Network.doConnect(Network.java:307)
    ... 12 more

and the corresponding log on the registry:

[ 01/31/08 10:07:33.950 Network: attempting to accept ssl connection
  local address = 10.68.229.61:4062
  remote address = 10.68.229.161:2808 ]
[ 01/31/08 10:07:34.604 Network: accepted ssl connection
  local address = 10.68.229.61:4062
  remote address = 10.68.229.161:2808 ]
[ 01/31/08 10:07:34.604 Security: SSL summary for incoming connection
  cipher = RC4-MD5
  bits = 128
  protocol = TLSv1
  local address = 10.68.229.61:4062
  remote address = 10.68.229.161:2808 ]
[ 01/31/08 10:07:38.625 Network: shutting down ssl connection for writing
  local address = 10.68.229.61:4062
  remote address = 10.68.229.161:2808 ]
[ 01/31/08 10:07:38.625 Network: closing ssl connection
  local address = 10.68.229.61:4062
  remote address = 10.68.229.161:2808 ]
FYI: I had to use openssl x509 -in ca_cert.pem -text
Thanks.
Hi,
The stack trace for the ConnectionRefusedException indicates that the object adapter is attempting to contact the locator (i.e., the IceGrid registry) using TCP. If this is supposed to use SSL, are you sure that you configured the locator endpoints correctly?
Take care,
- Mark
Server config:
Ice.Default.Locator = IceGrid/Locator:ssl -h redbourn -p 4062
AppInfo.AdapterId=AppInfoAdapter0001
AppInfo.Endpoints=tcp
AppInfo.ThreadPool.Size=5
#
# Warn about connection exceptions
#
Ice.Warn.Connections=2
#
# Security Tracing
#
# 0 = no security tracing
# 1 = trace messages
#
IceSSL.Trace.Security=1
#
# SSL Configuration
#
Ice.Plugin.IceSSL=IceSSL.PluginFactory
IceSSL.DefaultDir=certs
IceSSL.Keystore=server.jks
#IceSSL.KeystorePassword=changeme
IceSSL.TruststorePassword=changeme
IceSSL.Truststore=ca.jks
Registry config:
IceGrid.Registry.Client.Endpoints = ssl -p 4062 -t 5000
IceGrid.Registry.Server.Endpoints = tcp -h localhost -t 5000
IceGrid.Registry.Internal.Endpoints = tcp -h localhost -t 5000
# this allows anyone to connect and modify the registry at any time
IceGrid.Registry.AdminPermissionsVerifier = IceGrid/NullPermissionsVerifier
# this passwd file allows simple, file-based credentials verification
#IceGrid.Registry.AdminCryptPasswords = /home/courtt/ice/registry/passwd
# this is where the registry database will live
IceGrid.Registry.Data = /home/ederr/ice/node/registry
# servers can register themselves dynamically (instead of having the server
# only know about the ones we tell it about ahead of time)
IceGrid.Registry.DynamicRegistration = 1
# Node Config ############################
Ice.Default.Locator = IceGrid/Locator:ssl -h localhost -p 4062
# Debugging ###########################
Ice.Trace.Network = 2
Ice.Trace.Location = 1
Ice.Trace.Retry = 1
IceGrid.Registry.Trace.Replica = 2
IceGrid.Registry.Trace.Node = 1
IceGrid.Node.Trace.Replica = 1
IceSSL.Trace.Security=1
#
# SSL Configuration
# http://www.zeroc.com/doc/Ice-3.2.1/manual/PropRef.50.10.html
Ice.Plugin.IceSSL=IceSSL:createIceSSL
#IceSSL.VerifyPeer=0
IceSSL.DefaultDir=certs
IceSSL.CertAuthFile=ca_cert.pem
IceSSL.CertFile=registry_cert.pem
IceSSL.KeyFile=registry_key.pem
Hi,
Are the server and registry running on the same host? I ask this because I see that you are using -h localhost in the IceGrid configuration for the Registry.Server.Endpoints and Registry.Internal.Endpoints properties. This configuration could cause a ConnectionRefusedException if the server and registry are running on different hosts.
I recommend running the server with --Ice.Trace.Network=2 to verify exactly which host and port the server is attempting to connect with when the exception occurs. If you're still having trouble, please post this trace information, along with the same trace information for the registry.
Take care,
- Mark
Yes, server and registry are on different hosts. Switching all the 'localhost' to 'redbourn' in the registry config fixed it. Thanks.