Archived
IceSSL with Python Server and Java Client
Hi,
I have some difficulties in understanding how I could set up IceSSL to make my server-client communications properly secured. I currently have a working simple Ice Python server and Java client:
• What are the different steps to properly secure the connection? And where: in the source code or configuration files?
• Will this process enable me to refuse connections from undesired clients?
• If my IceSSL is properly working, should I be able to see the TLS protocol in Wireshark?
NB: I did read the documentation several times, but I still struggle; any help is appreciated.
Thanks in advance!
Comments
• What are the different steps to properly secure the connection? And where: in the source code or configuration files?
If you want to ensure all communications are secure, you should configure the server to only accept secure connections; this means that your server should only contain SSL endpoints.
MyAdapter.Endpoints=ssl -h 127.0.0.1 -p 12011
Then you should configure the server certificate and other relevant IceSSL settings; the hello demo includes a minimal SSL configuration, see https://github.com/zeroc-ice/ice-demos/blob/f362b7f0115134659e092a35b1eec7d503b234a9/java/Ice/hello/config.server#L54
There is detailed info about each property in the manual: https://doc.zeroc.com/ice/3.7/property-reference/icessl
• Will this process enable me to refuse connections from undesired clients?
See IceSSL.VerifyPeer: this property allows you to configure a server to require a client certificate, and clients without a valid certificate will be rejected. If the standard validation isn't enough, you can install a custom certificate verifier to check the certificates.
• If my IceSSL is properly working, should I be able to see the TLS protocol in Wireshark?
Yes, you should be able to see the TLS handshake, and all communications will use the TLS protocol; you can also enable network and security tracing with Ice to get details about the connection.
https://doc.zeroc.com/ice/3.7/property-reference/icessl#id-.IceSSL.v3.7-IceSSL.Trace.Security
https://doc.zeroc.com/ice/3.7/property-reference/ice-trace#id-.Ice.Trace.v3.7-Ice.Trace.Network
0 -
Thanks for your quick reply!
The Python server no longer accepts my usual client connection, so I assume the SSL settings are working properly.
Here is my config.server:
Ice.Plugin.IceSSL=IceSSL:createIceSSL
ServerAdapter.Endpoints=ssl -h localhost -p 10000
But regarding the Java client, is there any section or post that explains the process to configure a Java client to connect only through SSL? Especially with .jks files and so on; I can't seem to understand it from the documentation or the GitHub examples.
0 -
Here is my config.server
Did you also set the server certificate? SSL servers need to configure a certificate; check the Python hello server config for an example: https://github.com/zeroc-ice/ice-demos/blob/3.7/python/Ice/hello/config.server#L57
But regarding the Java client,
https://doc.zeroc.com/ice/3.7/ice-plugins/icessl/configuring-icessl/configuring-icessl-for-java
The Java client needs to use the ssl endpoint; it also needs to set the IceSSL.Truststore and IceSSL.TruststorePassword properties, and if you configured the server to require a client certificate it must set IceSSL.KeyStore and IceSSL.KeyStorePassword. The meaning of these properties is documented in the manual.
0 -
Did you also set the server certificate?
Ah, I indeed didn't set any certificate for the server. Generating one through OpenSSL should be okay?
it also needs to set the IceSSL.Truststore and IceSSL.TruststorePassword properties
If I properly understood the documentation and the examples, the KeyStore needs a .jks file. So I basically need to get my server's certificate in a .jks format? I'm quite new to all of this, sorry if I misunderstood something.
Thanks again
0 -
Generating one through OpenSSL should be okay?
Yes that should work
So I basically need to get my server's certificate in a .jks format?
The client trust store should contain the certificate of the CA that signed the server certificate, so it can verify that the server certificate is valid and trusted. Trusted here means it was signed by this CA you chose to trust.
0 -
Thanks for all your answers, I'm giving it a try and will let you know if it worked
1 -
I'm facing an exception whose source I don't understand:
com.zeroc.Ice.SecurityException reason = "IceSSL: IceSSL: error during read"
and later a Java exception: Received fatal alert: certificate_required
I made a self-signed certificate and got 4 files: server.crt, server.csr, server.key and server.pem. In my server configuration I put this:
IceSSL.DefaultDir=./certs
IceSSL.CAs=server.crt
IceSSL.CertFile=server.pem
I then put the server.crt file in a keys.jks file and referenced the keys.jks file in my Java client configuration. So here is my question: what did I do wrong?
Thanks!
0 -
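As an added example for this thread (not ZeroC's code and not posted by anyone above), here is a small Python checker that turns the advice given in the answers into checks you can run on the server and client property files before the first connection attempt: the server must load IceSSL, publish only ssl endpoints and set IceSSL.CertFile; the Java client must set IceSSL.Truststore and IceSSL.TruststorePassword; and when the server requires a client certificate the client must also set a key store, otherwise the handshake ends with the certificate_required alert quoted above. It assumes Ice property-file syntax of one name=value per line with '#' comment lines, that IceSSL.VerifyPeer defaults to 2 (client certificate required) when it is not set, and the manual's spelling IceSSL.Keystore for the Java key store property; the sample property sets are constructed from the configs quoted in the thread, and the Java plugin factory name in the client sample is an assumption.

```python
"""Checks an IceSSL Python server config against an IceSSL Java client config.

Added example, not ZeroC's code. Assumptions: one name=value per line with
'#' comment lines, IceSSL.VerifyPeer defaults to 2 when unset, and the Java
client property is spelled IceSSL.Keystore.
"""
from __future__ import annotations

# Constructed sample property sets, following the configs quoted in the thread.
SERVER_NO_CERT = """\
Ice.Plugin.IceSSL=IceSSL:createIceSSL
ServerAdapter.Endpoints=ssl -h localhost -p 10000
"""
SERVER_WITH_CERT = SERVER_NO_CERT + """\
IceSSL.DefaultDir=./certs
IceSSL.CAs=server.crt
IceSSL.CertFile=server.pem
"""
SERVER_MIXED = """\
Ice.Plugin.IceSSL=IceSSL:createIceSSL
ServerAdapter.Endpoints=tcp -p 10000:ssl -p 10001
IceSSL.CertFile=server.pem
"""
# Java client with a trust store only; the plugin factory name is an assumption.
CLIENT_TRUST_ONLY = """\
Ice.Plugin.IceSSL=com.zeroc.IceSSL.PluginFactory
IceSSL.DefaultDir=./certs
IceSSL.Truststore=keys.jks
IceSSL.TruststorePassword=password
"""


def parse_properties(text: str) -> dict[str, str]:
    """Parse Ice property-file text: `name=value` lines, '#' starts a comment line."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        props[name.strip()] = value.strip()
    return props


def split_endpoints(spec: str) -> list[str]:
    """Split an Ice endpoint list on ':' outside [...] so IPv6 literals survive."""
    parts: list[str] = []
    current: list[str] = []
    depth = 0
    for ch in spec:
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def check_server(server: dict[str, str]) -> list[str]:
    """Findings for the server side: plugin loaded, ssl-only endpoints, certificate set."""
    findings: list[str] = []
    if "Ice.Plugin.IceSSL" not in server:
        findings.append("server: Ice.Plugin.IceSSL not set, so ssl endpoints cannot be created")
    adapters = {k: v for k, v in server.items() if k.endswith(".Endpoints")}
    for name, spec in adapters.items():
        insecure = [e for e in split_endpoints(spec) if e.split()[0].lower() != "ssl"]
        if insecure:
            findings.append(f"server: {name} has non-ssl endpoints {insecure}; clients can bypass TLS")
    if "IceSSL.CertFile" not in server:
        findings.append("server: IceSSL.CertFile not set; the TLS server has no certificate to present")
    return findings


def check_client_against_server(server: dict[str, str], client: dict[str, str]) -> list[str]:
    """Findings for a Java client of this server: trust store, plus a key store if the server requires one."""
    findings: list[str] = []
    if "Ice.Plugin.IceSSL" not in client:
        findings.append("client: Ice.Plugin.IceSSL not set")
    if "IceSSL.Truststore" not in client:
        findings.append("client: IceSSL.Truststore not set; the server certificate cannot be verified")
    elif "IceSSL.TruststorePassword" not in client:
        findings.append("client: IceSSL.TruststorePassword not set for the trust store")
    # Assumption: VerifyPeer defaults to 2 (client certificate required) when unset.
    verify_peer = int(server.get("IceSSL.VerifyPeer", "2"))
    if verify_peer == 2 and "IceSSL.Keystore" not in client:
        findings.append("server requires a client certificate (IceSSL.VerifyPeer=2) but the client sets no "
                        "IceSSL.Keystore; expect a fatal TLS alert certificate_required")
    return findings


if __name__ == "__main__":
    srv = parse_properties(SERVER_WITH_CERT)
    for label, findings in [
        ("server without certificate", check_server(parse_properties(SERVER_NO_CERT))),
        ("server with certificate", check_server(srv)),
        ("mixed tcp/ssl server", check_server(parse_properties(SERVER_MIXED))),
        ("trust-store-only client", check_client_against_server(srv, parse_properties(CLIENT_TRUST_ONLY))),
    ]:
        print(f"{label}: {findings or 'no findings'}")
```

Run as-is, the script reports the missing certificate for the first config, the plain tcp endpoint for the mixed one, and the missing client key store for the trust-store-only Java client; setting IceSSL.VerifyPeer=0 on the server (no client certificate requested) or adding IceSSL.Keystore and IceSSL.KeystorePassword on the client clears that last finding.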
OK, I finally managed to make it work; I only need to adjust the IceSSL.VerifyPeer and associated settings, and it should be done.
Thanks for your help!