<html>
<head>
<base href="https://wiki.asterisk.org/wiki">
<link rel="stylesheet" href="/wiki/s/2041/1/7/_/styles/combined.css?spaceKey=TOP&forWysiwyg=true" type="text/css">
</head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
<h2><a href="https://wiki.asterisk.org/wiki/display/TOP/Ice+Support+for+SLL">Ice Support for SLL</a></h2>
<h4>Page <b>edited</b> by <a href="https://wiki.asterisk.org/wiki/display/~khunt">Ken Hunt</a>
</h4>
<br/>
<h4>Changes (2)</h4>
<div id="page-diffs">
<table class="diff" cellpadding="0" cellspacing="0">
<tr><td class="diff-snipped" >...<br></td></tr>
<tr><td class="diff-unchanged" >#* Note that UDP can use the same port number as TCP or SSL since it's a different protocol with its own set of ports. SSL is a layer over TCP, so SSL and TCP endpoints can't have the same port number. <br>#* To provide only secure endpoints for an object adapter: {code}MyAdapter.Endpoints=ssl ‑p 4064{code} <br></td></tr>
<tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;"># The IceSSL plugin also requires configuration data, which can be placed in the component's configuration file. <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;"># In addition to changes to our component's object adapter configuration, the IceSSL plugin also requires configuration data, which can be placed in the component's configuration file. <br></td></tr>
<tr><td class="diff-unchanged" > {code:title=IceSSL plugin configuration parameters} <br>Ice.Plugin.IceSSL=IceSSL:createIceSSL # Enable IceSSL plugin. This loads the plugin's DLL. <br></td></tr>
<tr><td class="diff-snipped" >...<br></td></tr>
</table>
</div> <h4>Full Content</h4>
<div class="notificationGreySide">
<h4><a name="IceSupportforSLL-Introduction"></a>Introduction</h4>
<p>This page provides information on support for <a href="http://en.wikipedia.org/wiki/Secure_Sockets_Layer" class="external-link" rel="nofollow">Secure Sockets Layer (SSL)</a> in Ice. It is not intended as a replacement for ZeroC's own <a href="http://www.zeroc.com/doc/Ice-3.4.1/manual/IceSSL.html" class="external-link" rel="nofollow">Ice documentation related to SLL</a>, but rather a discussion / overview of relevant points as this functionality pertains to Asterisk SCF.</p>
<h4><a name="IceSupportforSLL-IceSSLPluginandConfiguration"></a>IceSSL Plugin and Configuration</h4>
<ol>
<li>Ice provides support for SSL via the IceSSL plugin. The IceSSL plugin is built on OpenSSL.</li>
<li>Integrating SSL will typically require no changes to source code, but rather to a component's configuration.
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>Defining multiple endpoints on an adapter</b></div><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="toolbar: false; theme: Confluence; brush: java; gutter: false"><![CDATA[
MyAdapter.Endpoints=tcp ‑p 4063:ssl ‑p 4064:udp ‑p 4063
]]></script>
</div></div>
<ul>
<li>Note that UDP can use the same port number as TCP or SSL since it's a different protocol with its own set of ports. SSL is a layer over TCP, so SSL and TCP endpoints can't have the same port number.</li>
<li>To provide only secure endpoints for an object adapter: <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="toolbar: false; theme: Confluence; brush: java; gutter: false"><![CDATA[MyAdapter.Endpoints=ssl ‑p 4064]]></script>
</div></div></li>
</ul>
</li>
<li>In addition to changes to our component's object adapter configuration, the IceSSL plugin also requires configuration data, which can be placed in the component's configuration file.
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>IceSSL plugin configuration parameters</b></div><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="toolbar: false; theme: Confluence; brush: java; gutter: false"><![CDATA[
Ice.Plugin.IceSSL=IceSSL:createIceSSL # Enable IceSSL plugin. This loads the plugin's DLL.
IceSSL.DefaultDir=/opt/certs # Identifies location of certificates
IceSSL.CertFile=pubkey.pem # Identifies filename within the DefaultDir specified above.
IceSSL.KeyFile=privkey.pem # " " "
IceSSL.CertAuthFile=ca.pem # " " "
IceSSL.Password=password # The password of the private key (if key files are encrypted).
# For DSA-generated keys, or using both RSA and DSA, refer to additional configuration parameters in the Ice docs.
# Same goes for using Anonymous Diffie-Hellman (ADH) cipher, where no keys are involved.
]]></script>
</div></div>
<ul>
<li>Storing passwords in a plain-text file (as shown above) is viable only if your server is in a highly secure environment.</li>
<li>Alternatives:
<ol>
<li>Use unsecured key file (again, only in a secure, controlled environment)</li>
<li>Application takes additional responsibility for managing authentication. Examples such as password callbacks and custom certificate verifier plugins <a href="http://www.zeroc.com/doc/Ice-3.4.1/manual/IceSSL.42.6.html" class="external-link" rel="nofollow">described here</a>.</li>
</ol>
</li>
</ul>
</li>
<li>Cyphersuites (particular combinations of encryption, authentication and hashing algorithm) that can be used during handshake negotiation with a peer can be configured for C++ and Java clients. This is useful, for example, if you wanted to eliminate relatively insecure ciphersuites, such as ADH.
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="toolbar: false; theme: Confluence; brush: java; gutter: false"><![CDATA[
IceSSL.Ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
]]></script>
</div></div>
<ul>
<li>For more information on configuring cyphersuites, read the <a href="http://www.zeroc.com/doc/Ice-3.4.1/manual/IceSSL.42.4.html" class="external-link" rel="nofollow">Ice documentation</a>.</li>
</ul>
</li>
<li>Ice can take additional steps to determine whether a peer should be trusted. The Ice.TrustOnly properties define a collection of acceptance and rejection filters.</li>
<li>Components written in C++ can interact directly with the IceSSL plugin. The most interesting operations available are:
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="toolbar: false; theme: Confluence; brush: java; gutter: false"><![CDATA[
class Plugin : public Ice:Plugin
{
plugin:
// ....
virtual void setCertificateVerifier(const CertificateVerifierPtr&) = 0;
virtual void setPasswordPrompt(const PasswordPromptPtr&) = 0;
// ...
]]></script>
</div></div>
<ul>
<li>The <tt>setCertificateVerifier</tt> allows a custom verifier object that gets invoked for each new connection.</li>
<li>The <tt>setPasswordPrompt</tt> provides a means for applications (i.e. Asterisk SCF components) to supply the IceSSL plugin with passwords as an alternate to plain-text in configuration files.</li>
</ul>
</li>
</ol>
<h4><a name="IceSupportforSLL-SecurityandProxies"></a>Security and Proxies</h4>
<ol>
<li>Based on the adapter configuration (such as the one shown in the sample code above labeled "Defining multiple endpoints on an adapter"), a proxy may contain a combination of secure and insecure endpoints.</li>
<li>Asterisk SCF heavily uses proxy-passing between components</li>
<li>A component that cares about secure communications can only insure that locally-created proxies are secure.
<ul>
<li>It can't assume that proxies passed over the wire are configured to use secure endpoints.</li>
<li>The component can call <tt>SomePrx->ice_secure(true); }} to insure only secure endpoints are used between the component and the remote servant located by {{SomePrx</tt>.</li>
<li>Setting this configuration property will result in the component using only secure endpoints for all proxies:
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="toolbar: false; theme: Confluence; brush: java; gutter: false"><![CDATA[Ice.Override.Secure=1]]></script>
</div></div>
<ul>
<li>Attempting to establish a connection on a proxy that doesn't contain a secure endpoint results in <tt>NoEndpointException</tt>.</li>
</ul>
</li>
<li>If you want to allow non-secure endpoints, but give precedence to secure endpoints: <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="toolbar: false; theme: Confluence; brush: java; gutter: false"><![CDATA[ Ice.Default.PreferSecure=1]]></script>
</div></div></li>
</ul>
</li>
</ol>
<h4><a name="IceSupportforSLL-Lowerleveldetails."></a>Lower-level details.</h4>
<ul>
<li>The IceSSL::ConnectionInfo record, used to provide the X509 certificate chains, is a slice-defined type. For convenience there is also a IceSSL::NativeConnectionInfo subclass that converts the sequence of strings used in ConnectionInfo into certificate objects. This is relevant to applications that need access to the certificates.</li>
</ul>
</div>
<div id="commentsSection" class="wiki-content pageSection">
<div style="float: right;">
<a href="https://wiki.asterisk.org/wiki/users/viewnotifications.action" class="grey">Change Notification Preferences</a>
</div>
<a href="https://wiki.asterisk.org/wiki/display/TOP/Ice+Support+for+SLL">View Online</a>
|
<a href="https://wiki.asterisk.org/wiki/pages/diffpagesbyversion.action?pageId=12550659&revisedVersion=8&originalVersion=7">View Changes</a>
|
<a href="https://wiki.asterisk.org/wiki/display/TOP/Ice+Support+for+SLL?showComments=true&showCommentArea=true#addcomment">Add Comment</a>
</div>
</div>
</div>
</div>
</div>
</body>
</html>