[jacorb-developer] SSL with TCP fallback possible?

Kruegler, Daniel Daniel.Kruegler at bruker.com
Fri Sep 18 13:41:55 CEST 2020


Hi,



I'm new to this mailing list, so please be patient with me if I'm making some beginner's errors 😉



I would like to ask for some guidance regarding CORBA connections that are intended to use SSL but should fall back to the normal TCP protocol if the other side does not have SSL activated. I'm a bit familiar with other ORB vendors such as OmniORB, where it is possible to have a configuration file that instructs the ORB to try protocols in a prioritized list when building up a connection (see for example http://omniorb.sourceforge.net/omni42/omniORB/omniORB006.html, section "6.7.1  Client transport rules", at the end). This makes it quite easy, for example, to use ssl first but fall back to tcp when the other side doesn't support ssl.



Could someone help me understand how to realize something similar with JacORB properties? So far I have found a bunch of properties related to activating SSL, but didn't find a way to realize a configuration that has the effect of such a prioritized protocol list. A colleague of mine has tried some initial steps to set up a CORBA SSL connection by adding the following sort of properties to the existing ones:



    properties.put("jacorb.security.support_ssl", "on");
    properties.put("jacorb.security.ssl.client.supported_options", "60");
    properties.put("jacorb.security.ssl.client.required_options", "60");
    properties.put("jacorb.ssl.socket_factory", "org.jacorb.security.ssl.sun_jsse.SSLSocketFactory");
    properties.put("jacorb.ssl.server_socket_factory", "org.jacorb.security.ssl.sun_jsse.SSLServerSocketFactory");
    properties.put("jacorb.security.keystore", "some-path-on-the keystore");
    properties.put("jacorb.security.keystore_password", "some-password");
    properties.put("jacorb.security.jsse.trustees_from_ks", "on");
    properties.put("jacorb.security.jsse.log.verbosity", "4");



and he replaced "corbaloc:iiop" with "corbaloc:ssliop" when creating the connection URL. But this seems to have the effect that if the other side does not have SSL activated, then no connection is possible at all. But we cannot assume that both connection sides have SSL activated. We would like to achieve the effect that *if* both parties support SSL, they connect via SSL; otherwise they should communicate via standard TCP, preferably just via an appropriate JacORB configuration and hopefully without a need to try the two connection attempts programmatically.



Is this somehow possible? If so, could you please give us some advice on how to achieve that effect?



Feedback would be very much appreciated!



Thanks,



- Daniel





