IceSSL self signing

Hi,

I am trying to get a registry running that only allows connections via SSL from nodes or servers that have the appropriate certificate.

I have read through http://www.zeroc.com/doc/Ice-3.2.1/manual/IceSSL.43.7.html and also issue 17 of the newsletter.

So far I have created a CA with the default CN="Grid CA", certificates for registry and server, signed them, and converted all to jks.

My icegridregistry config contains
Ice.Plugin.IceSSL=IceSSL:createIceSSL
IceSSL.DefaultDir=certs
IceSSL.CertAuthFile=ca_cert.pem
IceSSL.CertFile=registry_cert.pem
IceSSL.KeyFile=registry_key.pem

and my server which wants to dynamically register contains
Ice.Plugin.IceSSL=IceSSL.PluginFactory
IceSSL.DefaultDir=certs
IceSSL.Keystore=server.jks
IceSSL.TruststorePassword=changeme
IceSSL.Truststore=ca.jks

On the server I get "IceSSL: handshake error" and on the registry I get:
[ 01/30/08 16:28:33.905 Security: certificate verification failure
  issuer = /CN=Grid CA/O=GridCA-dtp0018951/emailAddress=asdf
  subject = /CN=Grid CA/O=GridCA-dtp0018951/emailAddress=asdf
  depth = 1
  error = self signed certificate in certificate chain
  local address = 10.68.229.61:4062
  remote address = 10.68.229.161:4228 ]

Thanks.

Comments

  • mes (California)
    Hi,

    This error generally indicates a "trust" issue, i.e., one peer doesn't trust the CA certificate sent by the other peer. Normally this shouldn't happen in a controlled experiment like yours because the same CA certificate should be used by the server and the registry. Did you perhaps generate the CA certificate multiple times, such that the server and registry might accidentally be using different CA certificates?

    You can use the Java keytool utility to display the contents of ca.jks:

    $ keytool -list -v -keystore ca.jks

    And then use openssl to display the contents of ca_cert.pem:

    $ openssl x509 -in ca_cert.pem -text

    Then compare the "authority key identifiers" to see if they match.

    Let us know if you're still having trouble.

    Take care,
    - Mark
  • Looks as if I had a copy-paste error; once corrected, that error goes away, but now there is a new one.

    Using IceGridGUI.jar configured with the appropriate key and truststore I can connect to the registry (on host redbourn) via SSL. The same code that was giving me the SSL errors now gives different errors. This is code that works when used without SSL; it creates an object adapter and dynamically registers it with the registry.
    - setting AppInfo.AdapterId to: dtp0018951.AppHelperIceGrid_main.AppInfo
    [ 1/31/08 09:58:28:054 Security: enabling SSL ciphersuites:
        SSL_RSA_WITH_RC4_128_MD5
        SSL_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        SSL_RSA_WITH_3DES_EDE_CBC_SHA
        SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        SSL_RSA_WITH_DES_CBC_SHA
        SSL_DHE_RSA_WITH_DES_CBC_SHA
        SSL_DHE_DSS_WITH_DES_CBC_SHA
        SSL_RSA_EXPORT_WITH_RC4_40_MD5
        SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
        SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA ]
    [ 1/31/08 09:58:28:195 Security: IceSSL: ignoring certificate validation failure:
      peer certificate does not contain `redbourn' in its subjectAltName extension ]
    [ 1/31/08 09:58:28:195 Security: SSL summary for outgoing connection
      cipher = SSL_RSA_WITH_RC4_128_MD5
      protocol = TLSv1
      local address = 10.68.229.161:2765
      remote address = 10.68.229.61:4062 ]
    - setting up object adapter
    Ice.ConnectionRefusedException
        error = 0
    	at IceInternal.Network.doConnect(Network.java:320)
    	at IceInternal.TcpConnector.connect(TcpConnector.java:26)
    	at IceInternal.OutgoingConnectionFactory.create(OutgoingConnectionFactory.java:323)
    	at IceInternal.RoutableReference.createConnection(RoutableReference.java:433)
    	at IceInternal.DirectReference.getConnection(DirectReference.java:199)
    	at Ice._ObjectDelM.setup(_ObjectDelM.java:258)
    	at Ice.ObjectPrxHelperBase.__getDelegate(ObjectPrxHelperBase.java:1055)
    	at Ice.LocatorRegistryPrxHelper.setAdapterDirectProxy(LocatorRegistryPrxHelper.java:49)
    	at Ice.LocatorRegistryPrxHelper.setAdapterDirectProxy(LocatorRegistryPrxHelper.java:21)
    	at Ice.ObjectAdapterI.updateLocatorRegistry(ObjectAdapterI.java:1193)
    	at Ice.ObjectAdapterI.activate(ObjectAdapterI.java:81)
    	at com.enbridge.ice.util.AppHelperIceGrid.init(AppHelperIceGrid.java:134)
    	at com.enbridge.ice.util.AppHelperIceGrid.main(AppHelperIceGrid.java:181)
    Caused by: java.net.ConnectException: Connection refused: no further information
    	at sun.nio.ch.SocketChannelImpl.checkConnect(Native Method)
    	at sun.nio.ch.SocketChannelImpl.finishConnect(Unknown Source)
    	at IceInternal.Network.doConnect(Network.java:307)
    	... 12 more
    

    and the corresponding log on the registry:
    [ 01/31/08 10:07:33.950 Network: attempting to accept ssl connection
      local address = 10.68.229.61:4062
      remote address = 10.68.229.161:2808 ]
    [ 01/31/08 10:07:34.604 Network: accepted ssl connection
      local address = 10.68.229.61:4062
      remote address = 10.68.229.161:2808 ]
    [ 01/31/08 10:07:34.604 Security: SSL summary for incoming connection
      cipher = RC4-MD5
      bits = 128
      protocol = TLSv1
      local address = 10.68.229.61:4062
      remote address = 10.68.229.161:2808 ]
    [ 01/31/08 10:07:38.625 Network: shutting down ssl connection for writing
      local address = 10.68.229.61:4062
      remote address = 10.68.229.161:2808 ]
    [ 01/31/08 10:07:38.625 Network: closing ssl connection
      local address = 10.68.229.61:4062
      remote address = 10.68.229.161:2808 ]
    

    FYI: I had to use
    openssl x509 -in ca_cert.pem -text
    

    Thanks.
  • mes (California)
    Hi,

    The stack trace for the ConnectionRefusedException indicates that the object adapter is attempting to contact the locator (i.e., the IceGrid registry) using TCP. If this is supposed to use SSL, are you sure that you configured the locator endpoints correctly?
    gumshoe wrote: »
    FYI: I had to use
    openssl x509 -in ca_cert.pem -text
    
    Oops. I've fixed my post. :)

    Take care,
    - Mark
  • Server config:
    Ice.Default.Locator = IceGrid/Locator:ssl -h redbourn -p 4062
    AppInfo.AdapterId=AppInfoAdapter0001
    AppInfo.Endpoints=tcp
    AppInfo.ThreadPool.Size=5
    
    #
    # Warn about connection exceptions
    #
    Ice.Warn.Connections=2
    
    #
    # Security Tracing
    #
    # 0 = no security tracing
    # 1 = trace messages
    #
    IceSSL.Trace.Security=1
    
    #
    # SSL Configuration
    #
    Ice.Plugin.IceSSL=IceSSL.PluginFactory
    IceSSL.DefaultDir=certs
    IceSSL.Keystore=server.jks
    #IceSSL.KeystorePassword=changeme
    IceSSL.TruststorePassword=changeme
    IceSSL.Truststore=ca.jks
    
    
    Registry config:
    IceGrid.Registry.Client.Endpoints = ssl -p 4062 -t 5000
    
    IceGrid.Registry.Server.Endpoints = tcp -h localhost -t 5000
    IceGrid.Registry.Internal.Endpoints = tcp -h localhost -t 5000
    
    # this allows anyone to connect and modify the registry at any time
    IceGrid.Registry.AdminPermissionsVerifier = IceGrid/NullPermissionsVerifier
    
    # this passwd file allows simple, file-based credentials verification
    #IceGrid.Registry.AdminCryptPasswords = /home/courtt/ice/registry/passwd
    
    # this is where the registry database will live
    IceGrid.Registry.Data = /home/ederr/ice/node/registry
    
    # servers can register themselves dynamically (instead of having the server
    # only know about the ones we tell it about ahead of time)
    IceGrid.Registry.DynamicRegistration = 1
    
    # Node Config
    ############################
    
    Ice.Default.Locator = IceGrid/Locator:ssl -h localhost -p 4062
    
    # Debugging
    ###########################
    Ice.Trace.Network = 2
    Ice.Trace.Location = 1
    Ice.Trace.Retry = 1
    IceGrid.Registry.Trace.Replica = 2
    IceGrid.Registry.Trace.Node = 1
    IceGrid.Node.Trace.Replica = 1
    IceSSL.Trace.Security=1
    
    #
    # SSL Configuration
    # http://www.zeroc.com/doc/Ice-3.2.1/manual/PropRef.50.10.html
    Ice.Plugin.IceSSL=IceSSL:createIceSSL
    #IceSSL.VerifyPeer=0
    IceSSL.DefaultDir=certs
    IceSSL.CertAuthFile=ca_cert.pem
    IceSSL.CertFile=registry_cert.pem
    IceSSL.KeyFile=registry_key.pem
    
  • mes (California)
    Hi,

    Are the server and registry running on the same host? I ask this because I see that you are using -h localhost in the IceGrid configuration for the Registry.Server.Endpoints and Registry.Internal.Endpoints properties. This configuration could cause a ConnectionRefusedException if the server and registry are running on different hosts.

    I recommend running the server with --Ice.Trace.Network=2 to verify exactly which host and port the server is attempting to connect with when the exception occurs. If you're still having trouble, please post this trace information, along with the same trace information for the registry.

    Take care,
    - Mark
  • Yes, server and registry are on different hosts. Switching all the 'localhost' to 'redbourn' in the registry config fixed it. Thanks.
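The misconfiguration diagnosed above (registry Server/Internal endpoints bound to localhost, reached over plain tcp by a server on another host) can be caught before deployment by linting the property file. The following checker is an added example, not part of the thread or of Ice itself; it parses Ice-style `key = value` properties and endpoint strings, and the embedded config excerpt is constructed from the registry config posted above.

```python
import re

# Constructed excerpt of the registry config posted in the thread.
REGISTRY_CFG = """
IceGrid.Registry.Client.Endpoints = ssl -p 4062 -t 5000
IceGrid.Registry.Server.Endpoints = tcp -h localhost -t 5000
IceGrid.Registry.Internal.Endpoints = tcp -h localhost -t 5000
# this allows anyone to connect and modify the registry at any time
IceGrid.Registry.AdminPermissionsVerifier = IceGrid/NullPermissionsVerifier
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def parse_properties(text):
    """Parse Ice 'key = value' property text; '#' lines are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def parse_endpoints(value):
    """Split 'ssl -h redbourn -p 4062:tcp -h localhost' into (protocol, options) tuples."""
    result = []
    for ep in value.split(":"):
        tokens = ep.split()
        if not tokens:
            continue
        opts, i = {}, 1
        while i < len(tokens):
            # an option followed by a non-option token takes that token as its value (-h host, -p port)
            if tokens[i].startswith("-") and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                opts[tokens[i]] = None  # bare flag with no value
                i += 1
        result.append((tokens[0], opts))
    return result

def lint_registry(props):
    """Return findings: loopback-bound registry endpoints that remote servers cannot reach
    (the ConnectionRefusedException seen above), plaintext tcp beside an ssl Client endpoint,
    and the null admin verifier the posted config itself warns about."""
    findings = []
    client_is_ssl = props.get("IceGrid.Registry.Client.Endpoints", "").startswith("ssl")
    for name in ("Client", "Server", "Internal"):
        key = "IceGrid.Registry.%s.Endpoints" % name
        for proto, opts in parse_endpoints(props.get(key, "")):
            if opts.get("-h") in LOOPBACK:
                findings.append("%s: bound to %s, unreachable from other hosts" % (key, opts["-h"]))
            if proto == "tcp" and client_is_ssl:
                findings.append("%s: plaintext tcp while Client endpoints use ssl" % key)
    if props.get("IceGrid.Registry.AdminPermissionsVerifier", "").endswith("NullPermissionsVerifier"):
        findings.append("AdminPermissionsVerifier: NullPermissionsVerifier lets anyone administer the registry")
    return findings
```

Replacing `-h localhost` with the registry's real hostname (as the poster did) and switching the Server/Internal endpoints to `ssl` clears the endpoint findings.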