From Daniel.Kruegler at bruker.com Mon Sep 13 12:18:25 2021
From: Daniel.Kruegler at bruker.com (Kruegler, Daniel)
Date: Mon, 13 Sep 2021 10:18:25 +0000
Subject: [jacorb-developer] Configuring Jacorb to use SSL when possible
Message-ID:

Hello,

We have been using CORBA (without SSL) for nearly two decades and plan to migrate to CORBA SSL. The problem is: we need to do this migration in a defensive way because we cannot *require* both client and server to support SSL.

During our attempts to realize this we succeeded in configuring our server to accept both incoming SSL and non-SSL requests from clients, using the following *server* configuration:

    jacorb.security.support_ssl=on
    OASSLPort=684
    jacorb.ssl.socket_factory=org.jacorb.security.ssl.sun_jsse.SSLSocketFactory
    jacorb.ssl.server_socket_factory=org.jacorb.security.ssl.sun_jsse.SSLServerSocketFactory
    jacorb.security.ssl.client.supported_options=20
    jacorb.security.ssl.client.required_options=0
    jacorb.security.ssl.server.supported_options=20
    jacorb.security.ssl.server.required_options=0
    jacorb.security.ssl.corbaloc_ssliop.supported_options=1
    jacorb.security.ssl.corbaloc_ssliop.required_options=0
    jacorb.security.keystore=some-valid-path
    jacorb.security.keystore_password=some-valid-passwd
    jacorb.security.jsse.trustees_from_ks=on
    jacorb.security.ssl.always_open_unsecured_address=true

But this is the configuration of a new server that potentially can understand SSL. We also need to support the case of a *new* client that potentially can form a CORBA-SSL connection, but where the server is still an old one where SSL is not enabled. Of course, such a connection could not be expected to be an actual SSL connection, but that is OK: it would be fine if we get the previous insecure connection in this case.

The question is: how should I configure my *new* client so that it can realize an SSL connection with new servers but still a successful (non-secure) connection with old servers, without two connection attempts?

Is this somehow possible? I tried the following *client* configuration:

    properties.put("jacorb.security.support_ssl", "on");
    properties.put("OASSLPort", "684");
    properties.put("jacorb.security.ssl.client.supported_options", "20");
    properties.put("jacorb.security.ssl.corbaloc_ssliop.supported_options", "20");
    properties.put("jacorb.security.ssl.corbaloc_ssliop.required_options", "1");
    properties.put("jacorb.ssl.socket_factory", "org.jacorb.security.ssl.sun_jsse.SSLSocketFactory");
    properties.put("jacorb.ssl.server_socket_factory", "org.jacorb.security.ssl.sun_jsse.SSLServerSocketFactory");
    properties.put("jacorb.security.keystore", mykeyStore);
    properties.put("jacorb.security.keystore_password", mykeyStorePasswd);
    properties.put("jacorb.security.jsse.trustees_from_ks", "on");
    properties.put("jacorb.security.ssl.always_open_unsecured_address", "true");

and used "corbaloc:ssliop:1.2@:684/NameService" when connecting to the NameService, where denotes the actual server address. But this approach doesn't seem to work unless I *also* activate SSL on the server as shown above.

I would appreciate it if someone could shed some light on how (or whether) it is possible to configure the client such that it works *also* with a server that has no SSL activated (in this case effectively falling back to a non-SSL connection). If that is not possible, what is the recommended workaround?

Thanks for your help,

Daniel Krügler
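The thread does not settle whether JaCoRb can downgrade within a single connection attempt. The following is an added example, not code from the poster or from JaCoRb, of the explicit two-attempt workaround: the client tries the SSLIOP corbaloc first and falls back to plain IIOP only when the caller allows it, making the downgrade visible. It reuses the client properties quoted above, takes `jacorb.security.ssl.client.required_options=0` from the server configuration so SSL is supported but not required, and assumes the JaCoRb ORB classes are already selected elsewhere (e.g. in jacorb.properties); the host name, plain IIOP port and keystore values are placeholders, since the posting elides the real server address.

```java
import java.util.Properties;
import org.omg.CORBA.ORB;
import org.omg.CORBA.SystemException;
import org.omg.CosNaming.NamingContextExt;
import org.omg.CosNaming.NamingContextExtHelper;
/** Try the SSLIOP corbaloc first; fall back to plain IIOP only when explicitly allowed. */
public final class SslFirstNameServiceClient {
    /** Resolved root context plus a flag telling the caller which transport was used. */
    public static final class Resolved {
        public final NamingContextExt root;
        public final boolean secured;
        Resolved(NamingContextExt root, boolean secured) { this.root = root; this.secured = secured; }
    }
    /** Client properties from the posting; SSL is supported but not required (required_options=0). */
    static Properties clientProperties(String keyStore, String keyStorePasswd) {
        Properties p = new Properties();
        p.put("jacorb.security.support_ssl", "on");
        p.put("jacorb.security.ssl.client.supported_options", "20");
        p.put("jacorb.security.ssl.client.required_options", "0");
        p.put("jacorb.ssl.socket_factory", "org.jacorb.security.ssl.sun_jsse.SSLSocketFactory");
        p.put("jacorb.ssl.server_socket_factory", "org.jacorb.security.ssl.sun_jsse.SSLServerSocketFactory");
        p.put("jacorb.security.keystore", keyStore);
        p.put("jacorb.security.keystore_password", keyStorePasswd);
        p.put("jacorb.security.jsse.trustees_from_ks", "on");
        return p;
    }
    /** narrow() issues a remote _is_a call, so a server that does not speak SSL fails here, not in string_to_object. */
    static NamingContextExt resolve(ORB orb, String corbaloc) {
        return NamingContextExtHelper.narrow(orb.string_to_object(corbaloc));
    }
    public static Resolved connect(ORB orb, String host, int sslPort, int plainPort, boolean allowPlainFallback) {
        try {
            return new Resolved(resolve(orb, "corbaloc:ssliop:1.2@" + host + ":" + sslPort + "/NameService"), true);
        } catch (SystemException sslFailure) {
            if (!allowPlainFallback) throw sslFailure;   // fail closed unless the downgrade is explicitly allowed
            // Make the downgrade visible: an unexpected fallback to plain IIOP is worth alerting on.
            System.err.println("SSLIOP to " + host + ":" + sslPort + " failed (" + sslFailure + "); using plain IIOP");
            return new Resolved(resolve(orb, "corbaloc:iiop:1.2@" + host + ":" + plainPort + "/NameService"), false);
        }
    }
    public static void main(String[] args) {
        // Placeholder host, ports and keystore: the posting elides the real server address (assumed values).
        ORB orb = ORB.init(args, clientProperties("/path/to/keystore.jks", "changeit"));
        Resolved r = connect(orb, "server.example", 684, 12345, true);
        System.out.println("NameService reachable, secured=" + r.secured);
    }
}
```

Once the old servers are retired, pass `allowPlainFallback=false` (or switch `required_options` to a non-zero value) so the client no longer accepts the insecure transport.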