Question about behavior of user supplied IceSSL::CertificateVerifier set with setCertificateVerifier

gmhgmh Greg HughesOrganization: Hewlett-PackardProject: Remote Graphics SoftwareMember

With the initialize IceSSL setup of for Ice 3.5.1:

Ice::PluginManagerPtr pluginMgr = m_communicator->getPluginManager( );
Ice::PluginPtr icePlugin = pluginMgr->getPlugin( "IceSSL" );
IceSSL::PluginPtr sslPlugin = IceSSL::PluginPtr::dynamicCast( icePlugin );
sslPlugin->setCertificateVerifier( new MyVerifier() );

and MyVerifier being:

class MyVerifier : IceSSL::CertificateVerifier
{
public:
bool verify( const IceSSL::NativeConnectionInfoPtr& info )
{
LOG(info->remoteAddress);
return false;
}
}

What is the correct usage of:
auto myPrx = MyPrx::checkedCast( base->ice_twoway()->ice_secure( true )->ice_timeout( timeout ) );
for multiple threads?

What we are observering is two threads hitting the code above and then a log is printed with the first address and both threads throw an Ice::Exception. I would expect both address to log.

Best Answer

  • gmhgmh Greg HughesOrganization: Hewlett-PackardProject: Remote Graphics Software
    Accepted Answer

    We found the issue. There was a thread safety problem upstream that caused us to attempt to connect to the same remote system twice, and we noticed the problem in the verifier. Thanks for your reply.

Answers

  • xdmxdm La Coruña, SpainJose Gutierrez de la ConchaOrganization: ZeroC, Inc.Project: Ice DeveloperAdministrators, ZeroC Staff ZeroC Staff

    Hi Greg,

    If the supplied certificate verifier returns false the connection is expected to end with an exception see.

    It is perfectly safe to call proxy methods from multiple threads concurrently, regarding multiple threads calling verify at the same time this is expected as you are making invocations from multiple threads and the implementation of verify must be threadsafe to handle this, the fact that only the first address is printed could be a problem with LOG implementation, is the implementation of LOG synchronized?

    Hope this make things clear, let's us know if you need further clarifications.

    Cheers,
    José

  • gmhgmh Greg HughesOrganization: Hewlett-PackardProject: Remote Graphics SoftwareMember

    Thank you for the reply. We believe we are observing different than the expected behavior. Our logger is known to be thread safe, and we have done additional verification with an atomic counter. We will try to extract a small test program from our code and go from there.

  • xdmxdm La Coruña, SpainJose Gutierrez de la ConchaOrganization: ZeroC, Inc.Project: Ice DeveloperAdministrators, ZeroC Staff ZeroC Staff

    You can try to set IceSSL.Trace.Security property to 1 you should see two messages like

    connection rejected by certificate verifier ....
    

    one for each connection rejected by the verifier see https://github.com/zeroc-ice/ice/blob/3.5/cpp/src/IceSSL/Instance.cpp#L1053

  • gmhgmh Greg HughesOrganization: Hewlett-PackardProject: Remote Graphics SoftwareMember
    Accepted Answer

    We found the issue. There was a thread safety problem upstream that caused us to attempt to connect to the same remote system twice, and we noticed the problem in the verifier. Thanks for your reply.

Sign In or Register to comment.