<html>
<head>
<base href="https://wiki.asterisk.org/wiki">
<link rel="stylesheet" href="/wiki/s/2041/1/7/_/styles/combined.css?spaceKey=TOP&forWysiwyg=true" type="text/css">
</head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
<h2><a href="https://wiki.asterisk.org/wiki/display/TOP/Ice+Support+for+SLL">Ice Support for SLL</a></h2>
<h4>Page <b>edited</b> by <a href="https://wiki.asterisk.org/wiki/display/~khunt">Ken Hunt</a>
</h4>
<br/>
<h4>Changes (12)</h4>
<div id="page-diffs">
<table class="diff" cellpadding="0" cellspacing="0">
<tr><td class="diff-snipped" >...<br></td></tr>
<tr><td class="diff-unchanged" >h4. IceSSL Plugin and Configuration <br> <br></td></tr>
<tr><td class="diff-changed-lines" ><span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">*</span> <span class="diff-added-words"style="background-color: #dfd;">#</span> Ice provides support for SSL via the IceSSL plugin. The IceSSL plugin is built on OpenSSL. <br></td></tr>
<tr><td class="diff-changed-lines" ><span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">*</span> <span class="diff-added-words"style="background-color: #dfd;">#</span> Integrating SSL will typically require no changes to source code, but rather to a component's configuration. <br></td></tr>
<tr><td class="diff-unchanged" >{code:title=Defining multiple endpoints on an adapter} <br>MyAdapter.Endpoints=tcp ‑p 4063:ssl ‑p 4064:udp ‑p 4063 <br>{code} <br></td></tr>
<tr><td class="diff-changed-lines" ><span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">**</span> <span class="diff-added-words"style="background-color: #dfd;">#*</span> Note that UDP can use the same port number as TCP or SSL since it's a different protocol with its own set of ports. SSL is a layer over TCP, so SSL and TCP endpoints can't have the same port number. <br></td></tr>
<tr><td class="diff-changed-lines" ><span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">**</span> <span class="diff-added-words"style="background-color: #dfd;">#*</span> To provide only secure endpoints for an object adapter: {code}MyAdapter.Endpoints=ssl ‑p 4064{code} <br></td></tr>
<tr><td class="diff-changed-lines" ><span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">*</span> <span class="diff-added-words"style="background-color: #dfd;">#</span> The IceSSL plugin also requires configuration data, which can be placed in the component's configuration file. <br></td></tr>
<tr><td class="diff-unchanged" > {code:title=IceSSL plugin configuration parameters} <br>Ice.Plugin.IceSSL=IceSSL:createIceSSL # Enable IceSSL plugin. This loads the plugin's DLL. <br></td></tr>
<tr><td class="diff-snipped" >...<br></td></tr>
<tr><td class="diff-unchanged" ># Same goes for using Anonymous Diffie-Hellman (ADH) cipher, where no keys are involved. <br>{code} <br></td></tr>
<tr><td class="diff-changed-lines" ><span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">**</span> <span class="diff-added-words"style="background-color: #dfd;">#*</span> Storing passwords in a plain-text file (as shown above) is viable only if your server is in a highly secure environment. <br></td></tr>
<tr><td class="diff-changed-lines" ><span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">**</span> <span class="diff-added-words"style="background-color: #dfd;">#*</span> Alternatives: <br></td></tr>
<tr><td class="diff-changed-lines" ><span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">**#</span> <span class="diff-added-words"style="background-color: #dfd;">#*#</span> Use unsecured key file (again, only in a secure, controlled environment) <br></td></tr>
<tr><td class="diff-changed-lines" ><span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">**#</span> <span class="diff-added-words"style="background-color: #dfd;">#*#</span> Application takes additional responsibility for managing authentication. Examples such as password callbacks and custom certificate verifier plugins [described here|http://www.zeroc.com/doc/Ice-3.4.1/manual/IceSSL.42.6.html]. <br></td></tr>
<tr><td class="diff-changed-lines" ><span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">*</span> <span class="diff-added-words"style="background-color: #dfd;">#</span> Cyphersuites (particular combinations of encryption, authentication and hashing algorithm) that can be used during handshake negotiation with a peer can be configured for C++ and Java clients. This is useful, for example, if you wanted to eliminate relatively insecure ciphersuites, such as ADH. <br></td></tr>
<tr><td class="diff-unchanged" >{code} <br>IceSSL.Ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH <br>{code} <br></td></tr>
<tr><td class="diff-changed-lines" ><span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">**</span> <span class="diff-added-words"style="background-color: #dfd;">#*</span> For more information on configuring cyphersuites, read the [Ice documentation|http://www.zeroc.com/doc/Ice-3.4.1/manual/IceSSL.42.4.html]. <br></td></tr>
<tr><td class="diff-changed-lines" ><span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">*</span> <span class="diff-added-words"style="background-color: #dfd;">#</span> Ice can take additional steps to determine whether a peer should be trusted. The Ice.TrustOnly properties define a collection of acceptance and rejection filters. <br></td></tr>
<tr><td class="diff-unchanged" > <br>h4. Security and Proxies <br></td></tr>
<tr><td class="diff-snipped" >...<br></td></tr>
</table>
</div> <h4>Full Content</h4>
<div class="notificationGreySide">
<h4><a name="IceSupportforSLL-Introduction"></a>Introduction</h4>
<p>This page provides information on support for <a href="http://en.wikipedia.org/wiki/Secure_Sockets_Layer" class="external-link" rel="nofollow">Secure Sockets Layer (SSL)</a> in Ice. It is not intended as a replacement for ZeroC's own <a href="http://www.zeroc.com/doc/Ice-3.4.1/manual/IceSSL.html" class="external-link" rel="nofollow">Ice documentation related to SLL</a>, but rather a discussion / overview of relevant points as this functionality pertains to Asterisk SCF.</p>
<h4><a name="IceSupportforSLL-IceSSLPluginandConfiguration"></a>IceSSL Plugin and Configuration</h4>
<ol>
        <li>Ice provides support for SSL via the IceSSL plugin. The IceSSL plugin is built on OpenSSL.</li>
        <li>Integrating SSL will typically require no changes to source code, but rather to a component's configuration.
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>Defining multiple endpoints on an adapter</b></div><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="toolbar: false; theme: Confluence; brush: java; gutter: false"><![CDATA[
MyAdapter.Endpoints=tcp ‑p 4063:ssl ‑p 4064:udp ‑p 4063
]]></script>
</div></div>
        <ul>
                <li>Note that UDP can use the same port number as TCP or SSL since it's a different protocol with its own set of ports. SSL is a layer over TCP, so SSL and TCP endpoints can't have the same port number.</li>
                <li>To provide only secure endpoints for an object adapter: <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="toolbar: false; theme: Confluence; brush: java; gutter: false"><![CDATA[MyAdapter.Endpoints=ssl ‑p 4064]]></script>
</div></div></li>
        </ul>
        </li>
        <li>The IceSSL plugin also requires configuration data, which can be placed in the component's configuration file.
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>IceSSL plugin configuration parameters</b></div><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="toolbar: false; theme: Confluence; brush: java; gutter: false"><![CDATA[
Ice.Plugin.IceSSL=IceSSL:createIceSSL # Enable IceSSL plugin. This loads the plugin's DLL.
IceSSL.DefaultDir=/opt/certs # Identifies location of certificates
IceSSL.CertFile=pubkey.pem # Identifies filename within the DefaultDir specified above.
IceSSL.KeyFile=privkey.pem # " " "
IceSSL.CertAuthFile=ca.pem # " " "
IceSSL.Password=password # The password of the private key (if key files are encrypted).
# For DSA-generated keys, or using both RSA and DSA, refer to additional configuration parameters in the Ice docs.
# Same goes for using Anonymous Diffie-Hellman (ADH) cipher, where no keys are involved.
]]></script>
</div></div>
        <ul>
                <li>Storing passwords in a plain-text file (as shown above) is viable only if your server is in a highly secure environment.</li>
                <li>Alternatives:
                <ol>
                        <li>Use unsecured key file (again, only in a secure, controlled environment)</li>
                        <li>Application takes additional responsibility for managing authentication. Examples such as password callbacks and custom certificate verifier plugins <a href="http://www.zeroc.com/doc/Ice-3.4.1/manual/IceSSL.42.6.html" class="external-link" rel="nofollow">described here</a>.</li>
                </ol>
                </li>
        </ul>
        </li>
        <li>Cyphersuites (particular combinations of encryption, authentication and hashing algorithm) that can be used during handshake negotiation with a peer can be configured for C++ and Java clients. This is useful, for example, if you wanted to eliminate relatively insecure ciphersuites, such as ADH.
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="toolbar: false; theme: Confluence; brush: java; gutter: false"><![CDATA[
IceSSL.Ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
]]></script>
</div></div>
        <ul>
                <li>For more information on configuring cyphersuites, read the <a href="http://www.zeroc.com/doc/Ice-3.4.1/manual/IceSSL.42.4.html" class="external-link" rel="nofollow">Ice documentation</a>.</li>
        </ul>
        </li>
        <li>Ice can take additional steps to determine whether a peer should be trusted. The Ice.TrustOnly properties define a collection of acceptance and rejection filters.</li>
</ol>
<h4><a name="IceSupportforSLL-SecurityandProxies"></a>Security and Proxies</h4>
<ul>
        <li>Based on the adapter configuration (such as the one shown in the sample code above labeled "Defining multiple endpoints on an adapter"), a proxy may contain a combination of secure and insecure endpoints.</li>
        <li>Asterisk SCF heavily uses proxy-passing between components
        <ul>
                <li>A component that cares about secure communications can only insure that locally-created proxies are secure.</li>
                <li>It can't assume that proxies passed over the wire are configured to use secure endpoints.</li>
                <li>The component can call <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="toolbar: false; theme: Confluence; brush: java; gutter: false"><![CDATA[ SomePrx->ice_secure(true); ]]></script>
</div></div> to insure only secure endpoints are used between the component and the remote servant located by SomePrx.</li>
        </ul>
        </li>
</ul>
<h4><a name="IceSupportforSLL-Lowerleveldetails."></a>Lower-level details.</h4>
<ul>
        <li>The IceSSL::ConnectionInfo record, used to provide the X509 certificate chains, is a slice-defined type. For convenience there is also a IceSSL::NativeConnectionInfo subclass that converts the sequence of strings used in ConnectionInfo into certificate objects. This is relevant to applications that need access to the certificates.</li>
</ul>
</div>
<div id="commentsSection" class="wiki-content pageSection">
<div style="float: right;">
<a href="https://wiki.asterisk.org/wiki/users/viewnotifications.action" class="grey">Change Notification Preferences</a>
</div>
<a href="https://wiki.asterisk.org/wiki/display/TOP/Ice+Support+for+SLL">View Online</a>
|
<a href="https://wiki.asterisk.org/wiki/pages/diffpagesbyversion.action?pageId=12550659&revisedVersion=6&originalVersion=5">View Changes</a>
|
<a href="https://wiki.asterisk.org/wiki/display/TOP/Ice+Support+for+SLL?showComments=true&showCommentArea=true#addcomment">Add Comment</a>
</div>
</div>
</div>
</div>
</div>
</body>
</html>