<html>
<head>
<base href="https://wiki.asterisk.org/wiki">
<link rel="stylesheet" href="/wiki/s/2041/1/7/_/styles/combined.css?spaceKey=TOP&forWysiwyg=true" type="text/css">
</head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
<h2><a href="https://wiki.asterisk.org/wiki/display/TOP/Ice+Support+for+SLL">Ice Support for SLL</a></h2>
<h4>Page <b>edited</b> by <a href="https://wiki.asterisk.org/wiki/display/~khunt">Ken Hunt</a>
</h4>
<br/>
<h4>Changes (1)</h4>
<div id="page-diffs">
<table class="diff" cellpadding="0" cellspacing="0">
<tr><td class="diff-snipped" >...<br></td></tr>
<tr><td class="diff-unchanged" >{code} <br>** Note that UDP can use the same port number as TCP or SSL since it's a different protocol with its own set of ports. SSL is a layer over TCP, so SSL and TCP endpoints can't have the same port number. <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;">** To provide only secure endpoints for an object adapter: {code}MyAdapter.Endpoints=ssl ‑p 4064{code} <br></td></tr>
<tr><td class="diff-unchanged" >* The IceSSL plugin also requires configuration data, which can be placed in the component's configuration file. <br> {code:title=IceSSL plugin configuration parameters} <br></td></tr>
<tr><td class="diff-snipped" >...<br></td></tr>
</table>
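<p>Review bot: the option switch in the added line <code>MyAdapter.Endpoints=ssl ‑p 4064</code> is written with a non-ASCII hyphen (U+2011) rather than the ASCII <code>-p</code> that Ice's endpoint parser expects, so anyone copying the line into a configuration file gets an endpoint string that fails to parse; the same character appears in the multi-endpoint example in the full content below. Suggest replacing it with a plain <code>-p</code> in both places.</p>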
</div> <h4>Full Content</h4>
<div class="notificationGreySide">
<h4><a name="IceSupportforSLL-Introduction"></a>Introduction</h4>
<p>This page provides information on support for <a href="http://en.wikipedia.org/wiki/Secure_Sockets_Layer" class="external-link" rel="nofollow">Secure Sockets Layer (SSL)</a> in Ice. It is not intended as a replacement for ZeroC's own <a href="http://www.zeroc.com/doc/Ice-3.4.1/manual/IceSSL.html" class="external-link" rel="nofollow">Ice documentation related to SSL</a>, but rather as a discussion / overview of the relevant points as this functionality pertains to Asterisk SCF.</p>
<h4><a name="IceSupportforSLL-IceSSLPluginandConfiguration"></a>IceSSL Plugin and Configuration</h4>
<ul>
        <li>Ice provides support for SSL via the IceSSL plugin. The IceSSL plugin is built on OpenSSL.</li>
        <li>Integrating SSL will typically require no changes to source code, but rather to a component's configuration.
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>Defining multiple endpoints on an adapter</b></div><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="toolbar: false; theme: Confluence; brush: java; gutter: false"><![CDATA[
MyAdapter.Endpoints=tcp -p 4063:ssl -p 4064:udp -p 4063
]]></script>
</div></div>
        <ul>
                <li>Note that UDP can use the same port number as TCP or SSL since it's a different protocol with its own set of ports. SSL is a layer over TCP, so SSL and TCP endpoints can't have the same port number.</li>
                <li>To provide only secure endpoints for an object adapter: <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="toolbar: false; theme: Confluence; brush: java; gutter: false"><![CDATA[MyAdapter.Endpoints=ssl -p 4064]]></script>
</div></div></li>
        </ul>
        </li>
        <li>The IceSSL plugin also requires configuration data, which can be placed in the component's configuration file.
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>IceSSL plugin configuration parameters</b></div><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="toolbar: false; theme: Confluence; brush: java; gutter: false"><![CDATA[
Ice.Plugin.IceSSL=IceSSL:createIceSSL # Enable the IceSSL plugin. This loads the plugin's DLL (shared library).
IceSSL.DefaultDir=/opt/certs # Directory in which the certificate and key files below are looked up
IceSSL.CertFile=pubkey.pem # The component's own certificate; a filename within the DefaultDir specified above
IceSSL.KeyFile=privkey.pem # The private key matching CertFile; a filename within DefaultDir
IceSSL.CertAuthFile=ca.pem # CA certificate(s) used to verify peers; a filename within DefaultDir
IceSSL.Password=password # The password of the private key (only needed if the key file is encrypted).
# For DSA-generated keys, or for using both RSA and DSA, find additional details in the Ice docs.
# The same goes for the Anonymous Diffie-Hellman (ADH) cipher, where no keys are involved.
]]></script>
</div></div>
        <ul>
                <li>Storing passwords in a plain-text file (as shown above) is viable only if your server is in a highly secure environment.</li>
                <li>Alternatives:
                <ol>
                        <li>Use an unencrypted key file (again, only in a secure, controlled environment)</li>
                        <li>The application takes additional responsibility for managing authentication, for example through password callbacks and custom certificate verifier plugins, as <a href="http://www.zeroc.com/doc/Ice-3.4.1/manual/IceSSL.42.6.html" class="external-link" rel="nofollow">described here</a>.</li>
                </ol>
                </li>
        </ul>
        </li>
        <li>Cipher suites (particular combinations of encryption, authentication and hashing algorithms) that may be used during handshake negotiation with a peer can be configured for C++ and Java clients. This is useful, for example, if you want to eliminate relatively insecure cipher suites such as ADH.
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="toolbar: false; theme: Confluence; brush: java; gutter: false"><![CDATA[
IceSSL.Ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
]]></script>
</div></div>
        <ul>
                <li>For more information on configuring cipher suites, read the <a href="http://www.zeroc.com/doc/Ice-3.4.1/manual/IceSSL.42.4.html" class="external-link" rel="nofollow">Ice documentation</a>.</li>
        </ul>
        </li>
        <li>Ice can take additional steps to determine whether a peer should be trusted. The IceSSL.TrustOnly properties define a collection of acceptance and rejection filters.</li>
</ul>
<h4><a name="IceSupportforSLL-SecurityandProxies"></a>Security and Proxies</h4>
<ul>
        <li>Based on the adapter configuration, a proxy may contain a combination of secure and insecure endpoints.</li>
        <li>Asterisk SCF heavily uses proxy-passing between components.
        <ul>
                <li>A component that cares about secure communications can ensure that locally-created proxies are secure.</li>
                <li>It can't assume that proxies passed over the wire are secure.</li>
                <li>The component can call <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="toolbar: false; theme: Confluence; brush: java; gutter: false"><![CDATA[ // ice_secure() returns a new proxy; the original proxy is left unchanged, so keep the result.
SomePrx = SomePrx->ice_secure(true); ]]></script>
</div></div> to ensure only secure endpoints are used to communicate with SomePrx.</li>
        </ul>
        </li>
</ul>
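<p>The following is an added example, not part of the original page or of the Ice / Asterisk SCF code. It is a small Python audit of the configuration points discussed above (adapter endpoint lists, the rule that ssl and tcp endpoints cannot share a port, a plaintext <code>IceSSL.Password</code>, and whether <code>IceSSL.Ciphers</code> excludes ADH), plus a model of what <code>ice_secure(true)</code> does to a proxy's endpoint list, as described in the proxies section. The sample configuration text, the adapter names, the function names and the simplified endpoint/property grammar are assumptions of this example; the secure-only filter only mirrors the selection of ssl endpoints and raises <code>ValueError</code> where Ice would raise <code>NoEndpointException</code> at invocation time.</p>

```python
"""Added example: audit Ice adapter endpoints and IceSSL settings, and model ice_secure(true)."""
import re
from typing import Dict, List, Tuple

# Ice 3.4 has a single secure transport, "ssl" (assumption: no custom transports are in use).
SECURE_PROTOCOLS = {"ssl"}

# Constructed sample configuration; IceSSL values mirror the page, adapter names are made up.
SAMPLE_CONFIG = """\
Ice.Plugin.IceSSL=IceSSL:createIceSSL
IceSSL.DefaultDir=/opt/certs
IceSSL.CertFile=pubkey.pem
IceSSL.KeyFile=privkey.pem
IceSSL.CertAuthFile=ca.pem
IceSSL.Password=password            # plaintext key password
IceSSL.Ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
MyAdapter.Endpoints=tcp -p 4063:ssl -p 4064:udp -p 4063
SecureAdapter.Endpoints=ssl -p 4064
BadAdapter.Endpoints=tcp -p 5000:ssl -p 5000
PastedAdapter.Endpoints=ssl \u2011p 4064
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines; '#' starts a comment unless escaped as '\\#'."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = re.sub(r"(?<!\\)#.*$", "", raw).replace("\\#", "#").strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_endpoints(spec: str) -> List[Tuple[str, Dict[str, str]]]:
    """Split 'tcp -p 4063:ssl -p 4064' into (protocol, {option: argument}) pairs.

    Simplified grammar (assumption): endpoints are ':'-separated, options are '-x arg' or bare '-x'.
    """
    endpoints = []
    for chunk in spec.split(":"):
        tokens = chunk.split()
        if not tokens:
            continue
        proto, opts = tokens[0].lower(), {}
        i = 1
        while i < len(tokens):
            has_arg = (tokens[i].startswith("-") and i + 1 < len(tokens)
                       and not tokens[i + 1].startswith("-"))
            opts[tokens[i]] = tokens[i + 1] if has_arg else ""
            i += 2 if has_arg else 1
        endpoints.append((proto, opts))
    return endpoints


def audit(props: Dict[str, str]) -> List[str]:
    """Return human-readable findings for the configuration points discussed on the page."""
    findings: List[str] = []
    for key, value in props.items():
        if not key.endswith(".Endpoints"):
            continue
        adapter = key[: -len(".Endpoints")]
        if any(ord(ch) > 127 for ch in value):
            findings.append(f"{adapter}: endpoint string contains non-ASCII characters "
                            "(a typographic hyphen pasted in place of '-p' will not parse)")
        endpoints = parse_endpoints(value)
        insecure = sorted({proto for proto, _ in endpoints if proto not in SECURE_PROTOCOLS})
        if insecure:
            findings.append(f"{adapter}: exposes insecure endpoint(s) {insecure}")
        # SSL is layered over TCP, so ssl and tcp endpoints cannot share a port; udp may reuse it.
        stream_ports: Dict[str, str] = {}
        for proto, opts in endpoints:
            if proto in ("tcp", "ssl") and "-p" in opts:
                port = opts["-p"]
                if stream_ports.get(port, proto) != proto:
                    findings.append(f"{adapter}: tcp and ssl both bound to port {port}")
                stream_ports.setdefault(port, proto)
    if "IceSSL.Password" in props:
        findings.append("IceSSL.Password: private-key password stored in plaintext; "
                        "acceptable only in a tightly controlled environment")
    ciphers = props.get("IceSSL.Ciphers", "")
    if not re.search(r"(^|:)!ADH(:|$)", ciphers):
        findings.append("IceSSL.Ciphers: anonymous Diffie-Hellman (ADH) is not excluded")
    return findings


def secure_only(proxy: str) -> str:
    """Model of SomePrx->ice_secure(true) on a stringified proxy 'identity:ep1:ep2'.

    Keeps only secure endpoints. Ice raises NoEndpointException at invocation time when
    none remain; that is modelled here as ValueError. Assumes no ':' inside the identity.
    """
    identity, sep, spec = proxy.partition(":")
    if not sep:
        raise ValueError(f"{proxy!r}: no endpoints in proxy string")
    kept = [chunk.strip() for chunk in spec.split(":")
            if chunk.split() and chunk.split()[0].lower() in SECURE_PROTOCOLS]
    if not kept:
        raise ValueError(f"{identity}: proxy has no secure endpoints")
    return identity + ":" + ":".join(kept)


if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE_CONFIG)):
        print(finding)
    print(secure_only("SomeObject:tcp -p 4063:ssl -p 4064"))
```

<p>Running the script over the constructed sample flags <code>MyAdapter</code> and <code>BadAdapter</code> for their tcp/udp endpoints, <code>BadAdapter</code> for binding tcp and ssl to the same port, <code>PastedAdapter</code> for the non-ASCII hyphen, and the plaintext password, while <code>SecureAdapter</code> and the ADH-excluding cipher string pass. The <code>secure_only</code> call shows the effect of <code>ice_secure(true)</code> on a proxy received over the wire: only the ssl endpoint survives, and a proxy with no ssl endpoint cannot be used securely at all.</p>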
<h4><a name="IceSupportforSLL-Lowerleveldetails."></a>Lower-level details</h4>
<ul>
        <li>The IceSSL::ConnectionInfo record, used to provide the X.509 certificate chains, is a Slice-defined type. For convenience there is also an IceSSL::NativeConnectionInfo subclass that converts the sequence of strings used in ConnectionInfo into certificate objects. This is relevant to applications that need access to the certificates.</li>
</ul>
</div>
</div>
</div>
</div>
</div>
</body>
</html>