
Patch to prevent IceGrid node and registry replica name spoofing

The attached patch - originally developed by me and refined by Benoit Foucher - improves IceGrid security by comparing the CN component of the SSL certificate presented by a node or replica to the name it's registering with. This way a node or replica cannot pretend to be another node. This is useful to protect against malicious attacks as well as misconfiguration by accident (until now the recommended method of configuring IceGrid was to share one node certificate among all grid nodes and one for all registries). See also http://www.zeroc.com/forums/help-center/5416-icegrid-security-question.html for the original discussion and motivation for this improvement.

The patch is applied like this:

cd Ice-3.4.2
patch -p1 < patch-secure-icegrid.txt
(on Windows you might need to add the --binary flag)

After applying and installing the patch there are two new Ice Properties named IceGrid.Registry.RequireNodeCertCN and IceGrid.Registry.RequireReplicaCertCN available. These default to 0 (so existing setups won't break). Setting them to 1 activates the respective feature, e.g.

IceGrid.Registry.RequireNodeCertCN=1
IceGrid.Registry.RequireReplicaCertCN=1

Obviously you have to make sure that all your nodes and registry replicas use a certificate that contains a matching CN (see the Ice Manual for details on how to accomplish this).

Please note that enabling this feature in the configuration effectively disables non-SSL connections between nodes and registries.

--
Michael
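
The check described in the post above, as an added sketch that is not taken from the patch or from IceGrid: the registry refuses a registration unless the peer certificate's subject carries exactly one CN equal to the name being registered. The names extractCN, checkRegistration and Decision are hypothetical, and the RFC 2253/4514-style DN string and the exact, case-sensitive comparison are assumptions.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Hypothetical helper: return the single CN of a subject DN string, or "" (fail
// closed) on no CN, several CNs, or a hex-pair escape this sketch does not decode.
std::string extractCN(const std::string& dn) {
    std::vector<std::string> attrs(1);
    bool quoted = false;
    for (std::size_t i = 0; i < dn.size(); ++i) {
        const char c = dn[i];
        if (c == '\\') {
            if (i + 1 >= dn.size() || std::isxdigit(static_cast<unsigned char>(dn[i + 1])))
                return "";
            attrs.back() += dn[++i];           // escaped special character such as "\,"
        } else if (c == '"') {
            quoted = !quoted;
        } else if (!quoted && (c == ',' || c == ';' || c == '+')) {
            attrs.emplace_back();              // next RDN, or next value of a multi-valued RDN
        } else {
            attrs.back() += c;
        }
    }
    std::string cn;
    int found = 0;
    for (const std::string& a : attrs) {
        const std::size_t b = a.find_first_not_of(' ');
        const std::size_t eq = a.find('=');
        if (b == std::string::npos || eq == std::string::npos || eq < b) continue;
        std::string key = a.substr(b, eq - b);
        key.erase(key.find_last_not_of(' ') + 1);
        if (key != "CN" && key != "cn") continue;   // "OU=CN=node1" must not count as a CN
        cn = a.substr(eq + 1);
        cn.erase(0, cn.find_first_not_of(' '));
        cn.erase(cn.find_last_not_of(' ') + 1);
        ++found;
    }
    return found == 1 ? cn : std::string();
}

enum class Decision { Accept, RejectNoSSL, RejectBadCN, RejectMismatch };
// requireCertCN models IceGrid.Registry.RequireNodeCertCN / RequireReplicaCertCN.
Decision checkRegistration(bool requireCertCN, bool overSSL,
                           const std::string& peerSubjectDN, const std::string& name) {
    if (!requireCertCN) return Decision::Accept;       // property left at 0
    if (!overSSL) return Decision::RejectNoSSL;        // no certificate to compare against
    const std::string cn = extractCN(peerSubjectDN);
    if (cn.empty()) return Decision::RejectBadCN;
    return cn == name ? Decision::Accept : Decision::RejectMismatch;
}
```

The RejectNoSSL branch is the behaviour the post notes: with the property set to 1, a registration over a non-SSL connection has no certificate to check and is refused.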
