This forum has been archived. Please start a new discussion on GitHub.

Ice 3.5.1: IceSSL.DefaultDir not respected if certificate found in cwd suggests, that IceSSL.DefaultDir is always looked at first when finding certificates:


Specifies the default directory in which to look for certificate, key, and key store files. See the descriptions of the relevant properties for more information. says:

IceSSL.CertAuthFile=file (C++, Ice Touch)

Specifies a file containing the certificate of a trusted certificate authority. The file name may be specified relative to the default directory defined by IceSSL.DefaultDir.
Platform Notes

The certificate must be encoded using the PEM format.

Apparently this is not the case (example from Ice unit tests, which uses ../certs/ as IceSSL.DefaultDir):
[root@srv ~/Ice-3.5.1/cpp/test/IceSSL/configuration]# ./
starting server... ok
starting client... ok
testing manual initialization... ok
testing certificate verification... ok
testing custom certificate verifier... ok
testing protocols... ok
testing expired certificates... ok
testing CA certificate directory... ok
testing password prompt... ok
testing ciphers... ok
testing IceSSL.TrustOnly... ok
testing IceSSL.TrustOnly.Client... ok
testing IceSSL.TrustOnly.Server... ok
testing IceSSL.TrustOnly.Server.<AdapterName>... ok

[root@srv ~/Ice-3.5.1/cpp/test/IceSSL/configuration]# touch cacert1.pem
[root@srv ~/Ice-3.5.1/cpp/test/IceSSL/configuration]# ./
starting server... ok
starting client... ok
testing manual initialization... ok
testing certificate verification... Outgoing.c-! 03/23/15 17:13:47.049 warning: dispatch exception: Instance.cpp:481: Ice::PluginInitializationException:
pp:499: Ice::Unkn   plug-in initialization failed: IceSSL: unable to establish CA certificates
own   identity: factory
Lo   operation: createServer
calE   remote host: remote port: 41083
unknown local except-! 03/23/15 17:13:47.052 warning: connection exception:
Instance.cpp:481   TcpTransceiver.cpp:284: Ice::ConnectionLostException:
   connection lost: recv() returned zero
: Ice::PluginInitializationExcept   local address =
ion:   remote address =

plug-in initialization failed: IceSSL: unable to establish CA certificates
unexpected exit status: expected: 0, got 1

When checking the settings using checkPath, Ice actually does verify that files exist in the correct locations, but then does this in Instance.cpp line 424, which leads to the described behavior:
               string caFile = properties->getProperty(propPrefix + "CertAuthFile");
               string caDir = properties->getPropertyWithDefault(propPrefix + "CertAuthDir", defaultDir);

                const char* file = 0;
                const char* dir = 0;
                    if(!checkPath(caFile, defaultDir, false))
                        PluginInitializationException ex(__FILE__, __LINE__);
                        ex.reason = "IceSSL: CA certificate file not found:\n" + caFile;
                        throw ex;
                    file = caFile.c_str();
                    if(!checkPath(caDir, defaultDir, true))
                        PluginInitializationException ex(__FILE__, __LINE__);
                        ex.reason = "IceSSL: CA certificate directory not found:\n" + caDir;
                        throw ex;
                    dir = caDir.c_str();
                if(file || dir)
                    // The certificate may be stored in an encrypted file, so handle
                    // password retries.
                    int count = 0;
                    int err = 0;
                    while(count < passwordRetryMax)
                        err = SSL_CTX_load_verify_locations(_ctx, file, dir);

This is quite surprising, as the meaning of a configuration changes based on your current working directory - we actually experienced this first hand when an application was started from a directory that contained a CA certificate of the same name as the one configured.

Based on the code I would also assume that setting IceSSL.CertAuthFile, IceSSL.CertAuthDir and IceSSL.DefaultDir at the same time could lead to surprising results.

I didn't have a chance to test this myself yet, but I would assume that making const char *file point to a string that is composed of IceSSL.DefaultDir and IceSSL.CertAuthFile in the same way as checkPath verifies the existence of the file, should resolve the issue.


  • mes
    mes California
    Thanks Michael, we'll look into it.