
IceSSL with Python Server and Java Client

Hi,

I have some difficulties in understanding how I could setup IceSSL to make my server-client communications properly secured. I currently have a working simple ice python server, and java client :

• What are the different steps to properly secure the connection ? And where : in the source code or configuration files ?
• Will this process enable me to refuse connections from undesired clients ?
• If my IceSSL is properly working, should I be able to see TLS protocol on WireShark ?

NB : I did read the documentation several times, but I still struggle, any help is appreciated

Thanks in advance!

Comments

  • xdm
    La Coruña, Spain
    edited April 2022

    • What are the different steps to properly secure the connection ? And where : in the source code or configuration files ?

    If you want to ensure all communications are secure, you should configure the server to only accept secure connections, this means that your server should only contain SSL endpoints.

    MyAdapter.Endpoints=ssl -h 127.0.0.1 -p 12011
    

    Then you should configure the server certificate and other relevant IceSSL settings; the hello demo includes a minimal SSL configuration, see https://github.com/zeroc-ice/ice-demos/blob/f362b7f0115134659e092a35b1eec7d503b234a9/java/Ice/hello/config.server#L54

    There is detailed info about each property in the manual: https://doc.zeroc.com/ice/3.7/property-reference/icessl

    • Will this process enable me to refuse connections from undesired clients ?

    See IceSSL.VerifyPeer: this property allows you to configure a server to require a client certificate, and clients without a valid certificate will be rejected. If the standard validation isn't enough, you can install a custom certificate verifier to check the certificates.

    • If my IceSSL is properly working, should I be able to see TLS protocol on WireShark ?

    Yes, you should be able to see the TLS handshake, and all communications will use the TLS protocol. You can also enable network and security tracing in Ice to get details about the connection:

    https://doc.zeroc.com/ice/3.7/property-reference/icessl#id-.IceSSL.v3.7-IceSSL.Trace.Security
    https://doc.zeroc.com/ice/3.7/property-reference/ice-trace#id-.Ice.Trace.v3.7-Ice.Trace.Network

  • Thanks for your quick reply!

    The Python server no longer accepts my usual client connection, so I assume the SSL settings are working properly.
    Here is my config.server:

    Ice.Plugin.IceSSL=IceSSL:createIceSSL
    ServerAdapter.Endpoints=ssl -h localhost -p 10000

    But regarding the Java client, is there any section or post that explains the process to configure a Java client to connect only through SSL? Especially with .jks files and so on; I can't seem to understand it from the documentation or the GitHub examples.

  • xdm
    La Coruña, Spain

    Here is my config.server

    Did you also set the server certificate? SSL servers need to configure a certificate; check the Python hello server config for an example: https://github.com/zeroc-ice/ice-demos/blob/3.7/python/Ice/hello/config.server#L57

    But regarding the Java client,

    https://doc.zeroc.com/ice/3.7/ice-plugins/icessl/configuring-icessl/configuring-icessl-for-java

    The Java client needs to use the ssl endpoint. It also needs to set the IceSSL.Truststore and IceSSL.TruststorePassword properties, and if you configured the server to require a client certificate it must set IceSSL.KeyStore and IceSSL.KeyStorePassword. The meaning of these properties is documented in the manual.

  • Did you also set the server certificate?

    Ah, I indeed didn't set any certificate for the server. Generating one through OpenSSL should be okay?

    it also needs to set the IceSSL.Truststore and IceSSL.TruststorePassword properties

    If I properly understood the documentation and the examples, the KeyStore needs a .jks file. So I basically need to get my server's certificate in a .jks format? I'm quite new to all of this, sorry if I misunderstood something.

    Thanks again

  • xdm
    La Coruña, Spain

    Generating one through OpenSSL should be okay?

    Yes, that should work.

    So I basically need to get my server's certificate in a .jks format?

    The client trust store should contain the certificate of the CA that signed the server certificate, so it can verify that the server certificate is valid and trusted. Trusted here means it was signed by the CA you chose to trust.
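    As an added example (not code from this thread or from ZeroC), here is a small Python lint over Ice property files that checks the points made in xdm's answers above: ssl-only endpoints, a server certificate via IceSSL.CertFile, a client truststore, and the IceSSL.VerifyPeer / client keystore pairing (a server left at the default VerifyPeer=2 requires a client certificate, which is what a TLS certificate_required alert reports). Property names and defaults follow the Ice 3.7 IceSSL reference; the embedded sample configs and their file names are constructed.

```python
import re
# Ice endpoint lists are ':'-separated, but IPv6 hosts such as [::1] also contain ':'.
_ENDPOINT_SEP = re.compile(r":(?![^\[]*\])")  # split only on ':' outside [...]


def parse_ice_properties(text):
    # Ice config-file syntax: one 'Name=value' per line, '#' starts a comment.
    props = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            props[name.strip()] = value.strip()
    return props


def lint_server(props):
    findings = []
    if "Ice.Plugin.IceSSL" not in props:
        findings.append("Ice.Plugin.IceSSL missing: the IceSSL plugin is not loaded")
    for name, value in props.items():
        if name.endswith(".Endpoints"):
            protos = [ep.split()[0] for ep in _ENDPOINT_SEP.split(value) if ep.strip()]
            plain = [p for p in protos if p not in ("ssl", "wss")]
            if plain:
                findings.append(f"{name} exposes non-TLS endpoints: {plain}")
    if not props.get("IceSSL.CertFile"):
        findings.append("IceSSL.CertFile missing: the server has no certificate to present")
    return findings


def lint_java_client(props, server_props):
    findings = []
    if not props.get("IceSSL.Truststore"):
        findings.append("IceSSL.Truststore missing: the client cannot verify the server")
    # IceSSL.VerifyPeer defaults to 2, which makes the server require a client certificate.
    if server_props.get("IceSSL.VerifyPeer", "2") == "2" and not props.get("IceSSL.Keystore"):
        findings.append("server requires a client certificate but IceSSL.Keystore is unset")
    return findings


# Constructed sample configs; file names are placeholders.
SERVER_CONFIG = """
Ice.Plugin.IceSSL=IceSSL:createIceSSL
ServerAdapter.Endpoints=ssl -h localhost -p 10000
IceSSL.CertFile=server.p12
IceSSL.VerifyPeer=1  # 1 = client certificate optional, 2 (default) = required
"""
JAVA_CLIENT_CONFIG = """
IceSSL.Truststore=cacerts.jks
IceSSL.TruststorePassword=password
"""
```

    Running the poster's two-line config.server from this thread through lint_server reports only the missing IceSSL.CertFile, and a client without IceSSL.Keystore is flagged as soon as the server is left at VerifyPeer=2.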

  • Thanks for all your answers, I'm giving it a try and will let you know if it worked

  • I'm facing an exception whose source I don't understand:
    com.zeroc.Ice.SecurityException reason = "IceSSL: IceSSL: error during read" and later a Java exception Received fatal alert: certificate_required

    I made a self-signed certificate and got 4 files: server.crt, server.csr, server.key and server.pem. On my server configuration I put this:

    IceSSL.DefaultDir=./certs
    IceSSL.CAs=server.crt
    IceSSL.CertFile=server.pem

    I then put the server.crt file in a keys.jks file and put the keys.jks file in my Java client configuration. So here is my question: what did I do wrong?

    Thanks!

  • Ok, I finally managed to make it work. I only need to adjust IceSSL.VerifyPeer and the associated settings, and it should be done.
    Thanks for your help!