diff --git a/cpp/include/Ice/ClientAuthenticationOptions.h b/cpp/include/Ice/ClientAuthenticationOptions.h new file mode 100644 index 00000000000..e350828fec5 --- /dev/null +++ b/cpp/include/Ice/ClientAuthenticationOptions.h @@ -0,0 +1,72 @@ +// +// Copyright (c) ZeroC, Inc. All rights reserved. +// + +#ifndef ICE_CLIENT_AUTHENTICATION_OPTIONS_H +#define ICE_CLIENT_AUTHENTICATION_OPTIONS_H + +#include "SSLConnectionInfo.h" + +#include + +#ifdef _WIN32 +// We need to include windows.h before wincrypt.h. +// clang-format off +# ifndef NOMINMAX +# define NOMINMAX +# endif +# include +# include +// clang-format on +// SECURITY_WIN32 or SECURITY_KERNEL, must be defined before including security.h indicating who is compiling the code. +# ifdef SECURITY_WIN32 +# undef SECURITY_WIN32 +# endif +# ifdef SECURITY_KERNEL +# undef SECURITY_KERNEL +# endif +# define SECURITY_WIN32 1 +# include +# include +# include +# undef SECURITY_WIN32 +#endif + +namespace Ice::SSL +{ + /** + * The SSL configuration properties for client connections. + */ + struct ClientAuthenticationOptions + { +#if defined(_WIN32) + /** + * The credentials handler to configure SSL client connections on Windows. When set the SSL transport would + * ignore all the IceSSL configuration properties and use the provided credentials handle. + * + * [See Schannel + * Credentials](https://learn.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-sch_credentials). + */ + CredHandle credentialsHandler; + + /** + * A callback that allows to manually validate the server certificate during SSL handshake on Windows. When the + * callback is not provided the server certificate will be validated using the platform default validation + * mechanism. + * + * @param context A security context is an opaque data structure that contains security data relevant to the + * current connection. + * @return true if the certificate is valid, false otherwise. + * + * [See Manually Validating Schannel + * Credentials](https://learn.microsoft.com/en-us/windows/win32/secauthn/manually-validating-schannel-credentials). + */ + std::function + serverCertificateValidationCallback; +#elif defined(__APPLE__) +#else +#endif + }; +} + +#endif diff --git a/cpp/include/Ice/Communicator.h b/cpp/include/Ice/Communicator.h index 2d3af9cee13..e99603e9816 100644 --- a/cpp/include/Ice/Communicator.h +++ b/cpp/include/Ice/Communicator.h @@ -15,7 +15,7 @@ #include "Plugin.h" #include "Properties.h" #include "Proxy.h" -#include "SSL.h" +#include "ServerAuthenticationOptions.h" #ifdef ICE_SWIFT # include diff --git a/cpp/include/Ice/Ice.h b/cpp/include/Ice/Ice.h index 96fbdef3547..f677c6afa4b 100644 --- a/cpp/include/Ice/Ice.h +++ b/cpp/include/Ice/Ice.h @@ -20,6 +20,7 @@ // We don't need to see the following headers when building the generated code. # include "Certificate.h" +# include "ClientAuthenticationOptions.h" # include "Communicator.h" # include "Connection.h" # include "IconvStringConverter.h" @@ -38,6 +39,7 @@ # include "SSLConnectionInfo.h" # include "SSLEndpointInfo.h" # include "ServantLocator.h" +# include "ServerAuthenticationOptions.h" # include "SlicedData.h" # include "StringConverter.h" # include "UUID.h" diff --git a/cpp/include/Ice/Initialize.h b/cpp/include/Ice/Initialize.h index e39476a9b07..a093725680d 100644 --- a/cpp/include/Ice/Initialize.h +++ b/cpp/include/Ice/Initialize.h @@ -6,6 +6,7 @@ #define ICE_INITIALIZE_H #include "BatchRequest.h" +#include "ClientAuthenticationOptions.h" #include "CommunicatorF.h" #include "Connection.h" #include "Ice/BuiltinSequences.h" @@ -15,7 +16,6 @@ #include "Logger.h" #include "Plugin.h" #include "PropertiesF.h" -#include "SSL.h" #include "ValueFactory.h" namespace Ice diff --git a/cpp/include/Ice/SSL.h b/cpp/include/Ice/ServerAuthenticationOptions.h similarity index 60% rename from cpp/include/Ice/SSL.h rename to cpp/include/Ice/ServerAuthenticationOptions.h index 484ad10272c..499e290dd26 100644 --- a/cpp/include/Ice/SSL.h +++ b/cpp/include/Ice/ServerAuthenticationOptions.h @@ -2,8 +2,8 @@ // Copyright (c) ZeroC, Inc. All rights reserved. // -#ifndef ICE_SSL_H -#define ICE_SSL_H +#ifndef ICE_SERVER_AUTHENTICATION_OPTIONS_H +#define ICE_SERVER_AUTHENTICATION_OPTIONS_H #include "SSLConnectionInfo.h" @@ -34,40 +34,6 @@ namespace Ice::SSL { - /** - * The SSL configuration properties for client connections. - */ - struct ClientAuthenticationOptions - { -#if defined(_WIN32) - /** - * The credentials handler to configure SSL client connections on Windows. When set the SSL transport would - * ignore all the IceSSL configuration properties and use the provided credentials handle. - * - * [See Schannel - * Credentials](https://learn.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-sch_credentials). - */ - CredHandle credentialsHandler; - - /** - * A callback that allows to manually validate the server certificate during SSL handshake on Windows. When the - * callback is not provided the server certificate will be validated using the platform default validation - * mechanism. - * - * @param context A security context is an opaque data structure that contains security data relevant to the - * current connection. - * @return true if the certificate is valid, false otherwise. - * - * [See Manually Validating Schannel - * Credentials](https://learn.microsoft.com/en-us/windows/win32/secauthn/manually-validating-schannel-credentials). - */ - std::function - serverCertificateValidationCallback; -#elif defined(__APPLE__) -#else -#endif - }; - /** * The SSL configuration properties for client connections. */ @@ -103,7 +69,6 @@ namespace Ice::SSL #else #endif }; - } #endif diff --git a/cpp/src/Ice/EndpointI.h b/cpp/src/Ice/EndpointI.h index 759643dfa19..95bd778f81c 100644 --- a/cpp/src/Ice/EndpointI.h +++ b/cpp/src/Ice/EndpointI.h @@ -10,7 +10,7 @@ #include "EndpointIF.h" #include "Ice/Endpoint.h" #include "Ice/EndpointSelectionType.h" -#include "Ice/SSL.h" +#include "Ice/ServerAuthenticationOptions.h" #include "TransceiverF.h" #include diff --git a/cpp/src/Ice/ObjectAdapterI.h b/cpp/src/Ice/ObjectAdapterI.h index 70035ecfa49..07453c8b6aa 100644 --- a/cpp/src/Ice/ObjectAdapterI.h +++ b/cpp/src/Ice/ObjectAdapterI.h @@ -15,7 +15,7 @@ #include "Ice/ObjectAdapter.h" #include "Ice/ObjectF.h" #include "Ice/Proxy.h" -#include "Ice/SSL.h" +#include "Ice/ServerAuthenticationOptions.h" #include "LocatorInfoF.h" #include "ObjectAdapterFactoryF.h" #include "RouterInfoF.h" diff --git a/cpp/src/Ice/OpaqueEndpointI.h b/cpp/src/Ice/OpaqueEndpointI.h index 35df896282a..ccf13d44fdc 100644 --- a/cpp/src/Ice/OpaqueEndpointI.h +++ b/cpp/src/Ice/OpaqueEndpointI.h @@ -7,7 +7,7 @@ #include "EndpointFactory.h" #include "EndpointI.h" -#include "Ice/SSL.h" +#include "Ice/ServerAuthenticationOptions.h" #include diff --git a/cpp/src/Ice/TcpEndpointI.h b/cpp/src/Ice/TcpEndpointI.h index 0a90f286bb1..68a395956a7 100644 --- a/cpp/src/Ice/TcpEndpointI.h +++ b/cpp/src/Ice/TcpEndpointI.h @@ -8,6 +8,7 @@ #include "EndpointFactory.h" #include "IPEndpointI.h" #include "IceUtil/Config.h" +#include "Ice/ServerAuthenticationOptions.h" #include "Network.h" // for IceIternal::Address namespace IceInternal diff --git a/cpp/src/Ice/UdpEndpointI.h b/cpp/src/Ice/UdpEndpointI.h index 1b69ffab40d..333ffa5af7a 100644 --- a/cpp/src/Ice/UdpEndpointI.h +++ b/cpp/src/Ice/UdpEndpointI.h @@ -7,7 +7,7 @@ #include "EndpointFactory.h" #include "IPEndpointI.h" -#include "Ice/SSL.h" +#include "Ice/ServerAuthenticationOptions.h" #include "IceUtil/Config.h" #include "Network.h" diff --git a/cpp/src/Ice/WSEndpoint.h b/cpp/src/Ice/WSEndpoint.h index 7b3092d0af2..a250214f56c 100644 --- a/cpp/src/Ice/WSEndpoint.h +++ b/cpp/src/Ice/WSEndpoint.h @@ -10,7 +10,7 @@ #include "IPEndpointIF.h" #include "Ice/Endpoint.h" #include "Ice/InstanceF.h" -#include "Ice/SSL.h" +#include "Ice/ServerAuthenticationOptions.h" #include "ProtocolInstance.h" #include diff --git a/cpp/src/IceSSL/SChannelEngine.cpp b/cpp/src/IceSSL/SChannelEngine.cpp index b11fd5a5834..5162114e7b7 100644 --- a/cpp/src/IceSSL/SChannelEngine.cpp +++ b/cpp/src/IceSSL/SChannelEngine.cpp @@ -27,6 +27,10 @@ # define SP_PROT_TLS1_3 (SP_PROT_TLS1_3_SERVER | SP_PROT_TLS1_3_CLIENT) #endif +#ifndef SECURITY_FLAG_IGNORE_CERT_CN_INVALID +# define SECURITY_FLAG_IGNORE_CERT_CN_INVALID 0x00001000 +#endif + // // CALG_ECDH_EPHEM algorithm constant is not defined in older version of the SDK headers // @@ -1022,7 +1026,7 @@ SChannel::SSLEngine::destroy() } Ice::SSL::ClientAuthenticationOptions -SChannel::SSLEngine::createClientAuthenticationOptions() const +SChannel::SSLEngine::createClientAuthenticationOptions(const string& host) const { lock_guard lock(_mutex); if (_clientCredentials.dwLower == 0 && _clientCredentials.dwUpper == 0) @@ -1031,9 +1035,9 @@ SChannel::SSLEngine::createClientAuthenticationOptions() const } return Ice::SSL::ClientAuthenticationOptions{ .credentialsHandler = _clientCredentials, - .serverCertificateValidationCallback = - [self = shared_from_this()](CtxtHandle ssl, const ConnectionInfoPtr& info) -> bool - { return self->validationCallback(ssl, info, false); }}; + .serverCertificateValidationCallback = [self = shared_from_this(), + host](CtxtHandle ssl, const ConnectionInfoPtr& info) -> bool + { return self->validationCallback(ssl, info, false, host); }}; } Ice::SSL::ServerAuthenticationOptions @@ -1049,11 +1053,32 @@ SChannel::SSLEngine::createServerAuthenticationOptions() const .clientCertificateRequired = getVerifyPeer() > 0, .clientCertificateValidationCallback = [self = shared_from_this()](CtxtHandle ssl, const ConnectionInfoPtr& info) -> bool - { return self->validationCallback(ssl, info, true); }}; + { return self->validationCallback(ssl, info, true, ""); }}; +} + +namespace +{ + struct ScopedCertChainContext + { + ScopedCertChainContext(PCCERT_CHAIN_CONTEXT chain) : _chain(chain) {} + ~ScopedCertChainContext() { CertFreeCertificateChain(_chain); } + PCCERT_CHAIN_CONTEXT _chain; + }; + + struct ScopedCertContext + { + ScopedCertContext(PCCERT_CONTEXT cert) : _cert(cert) {} + ~ScopedCertContext() { CertFreeCertificateContext(_cert); } + PCCERT_CONTEXT _cert; + }; } bool -SChannel::SSLEngine::validationCallback(CtxtHandle ssl, const ConnectionInfoPtr& info, bool incoming) const +SChannel::SSLEngine::validationCallback( + CtxtHandle ssl, + const ConnectionInfoPtr& info, + bool incoming, + const string& host) const { // Build the peer certificate chain and verify it. PCCERT_CONTEXT cert = 0; @@ -1068,6 +1093,7 @@ SChannel::SSLEngine::validationCallback(CtxtHandle ssl, const ConnectionInfoPtr& if (cert) // Verify the remote certificate { + ScopedCertContext scopedCertContext(cert); CERT_CHAIN_PARA chainP; memset(&chainP, 0, sizeof(chainP)); chainP.cbSize = sizeof(chainP); @@ -1093,24 +1119,172 @@ SChannel::SSLEngine::validationCallback(CtxtHandle ssl, const ConnectionInfoPtr& { ostringstream os; os << "IceSSL: certificate verification failure:\n" << lastErrorToString(); - CertFreeCertificateContext(cert); throw SecurityException(__FILE__, __LINE__, os.str()); } + ScopedCertChainContext scopedChainContext(certChain); DWORD errorStatus = certChain->TrustStatus.dwErrorStatus; if (errorStatus != CERT_TRUST_NO_ERROR) { throw SecurityException(__FILE__, __LINE__, errorStatusToString(errorStatus)); } - CertFreeCertificateChain(certChain); - CertFreeCertificateContext(cert); - } - verifyPeerCertName(info); - verifyPeer(info); + SSL_EXTRA_CERT_CHAIN_POLICY_PARA extraPolicyPara; + memset(&extraPolicyPara, 0, sizeof(extraPolicyPara)); + extraPolicyPara.cbSize = sizeof(extraPolicyPara); + extraPolicyPara.dwAuthType = incoming ? AUTHTYPE_CLIENT : AUTHTYPE_SERVER; + // Disable because the policy only matches the CN of the certificate, not the SAN. + extraPolicyPara.fdwChecks = SECURITY_FLAG_IGNORE_CERT_CN_INVALID; + extraPolicyPara.pwszServerName = const_cast(IceUtil::stringToWstring(host).c_str()); + + CERT_CHAIN_POLICY_PARA policyPara; + memset(&policyPara, 0, sizeof(policyPara)); + policyPara.cbSize = sizeof(policyPara); + policyPara.pvExtraPolicyPara = &extraPolicyPara; + + CERT_CHAIN_POLICY_STATUS policyStatus; + memset(&policyStatus, 0, sizeof(policyStatus)); + policyStatus.cbSize = sizeof(policyStatus); + + if (!CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL, certChain, &policyPara, &policyStatus)) + { + ostringstream os; + os << "IceSSL: certificate verification failure:\n" << lastErrorToString(); + throw SecurityException(__FILE__, __LINE__, os.str()); + } + + if (policyStatus.dwError) + { + ostringstream os; + os << "IceSSL: certificate verification failure:\n" << policyStatusToString(policyStatus.dwError); + throw SecurityException(__FILE__, __LINE__, os.str()); + } + + if (!incoming) + { + verifyPeerCertName(info, host); + } + verifyPeer(info); + } return true; } +string +SChannel::SSLEngine::policyStatusToString(DWORD policyStatus) const +{ + assert(policyStatus); + ostringstream os; + switch (policyStatus) + { + case TRUST_E_CERT_SIGNATURE: + { + os << "The signature of the certificate cannot be verified."; + break; + } + case CRYPT_E_REVOKED: + { + os << "The certificate or signature has been revoked."; + break; + } + case CERT_E_UNTRUSTEDROOT: + { + os << "A certification chain processed correctly but terminated in a root certificate that is not " + "trusted by " + "the trust provider."; + break; + } + case CERT_E_UNTRUSTEDTESTROOT: + { + os << "The root certificate is a testing certificate, and policy settings disallow test certificates."; + break; + } + case CERT_E_CHAINING: + { + os << "A chain of certificates was not correctly created."; + break; + } + case CERT_E_WRONG_USAGE: + { + os << "The certificate is not valid for the requested usage."; + break; + } + case CERT_E_EXPIRED: + { + os << "A required certificate is not within its validity period."; + break; + } + case CERT_E_INVALID_NAME: + { + os << "The certificate has an invalid name. Either the name is not included in the permitted list, or " + "it is " + "explicitly excluded."; + break; + } + case CERT_E_INVALID_POLICY: + { + os << "The certificate has invalid policy."; + break; + } + case TRUST_E_BASIC_CONSTRAINTS: + { + os << "The basic constraints of the certificate are not valid, or they are missing."; + break; + } + case CERT_E_CRITICAL: + { + os << "The certificate is being used for a purpose other than the purpose specified by its CA."; + break; + } + case CERT_E_VALIDITYPERIODNESTING: + { + os << "The validity periods of the certification chain do not nest correctly."; + break; + } + case CRYPT_E_NO_REVOCATION_CHECK: + { + os << "The revocation function was unable to check revocation for the certificate."; + break; + } + case CRYPT_E_REVOCATION_OFFLINE: + { + os << "The revocation function was unable to check revocation because the revocation server was " + "offline."; + break; + } + case CERT_E_CN_NO_MATCH: + { + os << "The certificate's CN name does not match the passed value."; + break; + } + case CERT_E_PURPOSE: + { + os << "The certificate is being used for a purpose other than the purpose specified by its CA."; + break; + } + case CERT_E_REVOKED: + { + os << "The certificate has been explicitly revoked by the issuer."; + break; + } + case CERT_E_REVOCATION_FAILURE: + { + os << "The revocation process could not continue, and the certificate could not be checked."; + break; + } + case CERT_E_ROLE: + { + os << "The certificate does not have a valid role."; + break; + } + default: + { + os << "Unknown policy status: " << policyStatus; + break; + } + } + return os.str(); +} + string SChannel::SSLEngine::errorStatusToString(DWORD errorStatus) const { diff --git a/cpp/src/IceSSL/SChannelEngine.h b/cpp/src/IceSSL/SChannelEngine.h index baffe319455..16bf6af1c0a 100644 --- a/cpp/src/IceSSL/SChannelEngine.h +++ b/cpp/src/IceSSL/SChannelEngine.h @@ -7,9 +7,10 @@ #ifdef _WIN32 +# include "Ice/ClientAuthenticationOptions.h" # include "Ice/InstanceF.h" -# include "Ice/SSL.h" # include "Ice/SSLConnectionInfo.h" +# include "Ice/ServerAuthenticationOptions.h" # include "SChannelEngineF.h" # include "SSLEngine.h" @@ -36,12 +37,13 @@ namespace IceSSL::SChannel std::string getCipherName(ALG_ID) const; - Ice::SSL::ClientAuthenticationOptions createClientAuthenticationOptions() const; + Ice::SSL::ClientAuthenticationOptions createClientAuthenticationOptions(const std::string&) const; Ice::SSL::ServerAuthenticationOptions createServerAuthenticationOptions() const; private: - bool validationCallback(CtxtHandle ssl, const IceSSL::ConnectionInfoPtr&, bool incoming) const; + bool validationCallback(CtxtHandle, const IceSSL::ConnectionInfoPtr&, bool, const std::string&) const; std::string errorStatusToString(DWORD errorStatus) const; + std::string policyStatusToString(DWORD policyStatus) const; CredHandle newCredentialsHandle(bool) const; std::vector _allCerts; diff --git a/cpp/src/IceSSL/SSLAcceptorI.h b/cpp/src/IceSSL/SSLAcceptorI.h index 6da4f73f2ee..c8ffc70aab8 100644 --- a/cpp/src/IceSSL/SSLAcceptorI.h +++ b/cpp/src/IceSSL/SSLAcceptorI.h @@ -8,7 +8,7 @@ #include "../Ice/Acceptor.h" #include "../Ice/Network.h" #include "../Ice/TransceiverF.h" -#include "Ice/SSL.h" +#include "Ice/ServerAuthenticationOptions.h" #include "SSLInstanceF.h" #include diff --git a/cpp/src/IceSSL/SSLConnectorI.cpp b/cpp/src/IceSSL/SSLConnectorI.cpp index 418ea5c1d7f..81464d73cdb 100644 --- a/cpp/src/IceSSL/SSLConnectorI.cpp +++ b/cpp/src/IceSSL/SSLConnectorI.cpp @@ -7,10 +7,10 @@ #include "../Ice/NetworkProxy.h" #include "../Ice/StreamSocket.h" +#include "Ice/ClientAuthenticationOptions.h" #include "Ice/Communicator.h" #include "Ice/LocalException.h" #include "Ice/LoggerUtil.h" -#include "Ice/SSL.h" #include "SChannelEngine.h" #include "SChannelTransceiverI.h" #include "SSLEndpointI.h" @@ -30,7 +30,7 @@ IceSSL::ConnectorI::connect() if (!clientAuthenticationOptions) { clientAuthenticationOptions = - dynamic_pointer_cast(_instance->engine())->createClientAuthenticationOptions(); + dynamic_pointer_cast(_instance->engine())->createClientAuthenticationOptions(_host); } assert(clientAuthenticationOptions); return make_shared(_instance, _delegate->connect(), _host, *clientAuthenticationOptions); diff --git a/cpp/src/IceSSL/SSLEngine.cpp b/cpp/src/IceSSL/SSLEngine.cpp index e6ca280c10a..97d8d0d65a1 100644 --- a/cpp/src/IceSSL/SSLEngine.cpp +++ b/cpp/src/IceSSL/SSLEngine.cpp @@ -76,9 +76,8 @@ IceSSL::SSLEngine::initialize() } void -IceSSL::SSLEngine::verifyPeerCertName(const ConnectionInfoPtr& info) const +IceSSL::SSLEngine::verifyPeerCertName(const ConnectionInfoPtr& info, const string& address) const { - string address = info->host; // For an outgoing connection, we compare the proxy address (if any) against fields in the server's certificate // (if any). if (_checkCertName && !info->certs.empty() && !address.empty()) diff --git a/cpp/src/IceSSL/SSLEngine.h b/cpp/src/IceSSL/SSLEngine.h index 62cb571d318..1ea17c92897 100644 --- a/cpp/src/IceSSL/SSLEngine.h +++ b/cpp/src/IceSSL/SSLEngine.h @@ -39,7 +39,7 @@ namespace IceSSL // Verify peer certificate. virtual void verifyPeer(const ConnectionInfoPtr&) const; - void verifyPeerCertName(const ConnectionInfoPtr&) const; + void verifyPeerCertName(const ConnectionInfoPtr&, const std::string&) const; bool getCheckCertName() const; bool getServerNameIndication() const; diff --git a/cpp/test/Ice/background/EndpointI.h b/cpp/test/Ice/background/EndpointI.h index 473ffb9d034..573d3f21172 100644 --- a/cpp/test/Ice/background/EndpointI.h +++ b/cpp/test/Ice/background/EndpointI.h @@ -7,7 +7,7 @@ #include "Configuration.h" #include "Ice/EndpointI.h" -#include "Ice/SSL.h" +#include "Ice/ServerAuthenticationOptions.h" #include "Test.h" class EndpointI; diff --git a/cpp/test/IceSSL/configuration/AllTests.cpp b/cpp/test/IceSSL/configuration/AllTests.cpp index ff433e8707a..091bfb8a807 100644 --- a/cpp/test/IceSSL/configuration/AllTests.cpp +++ b/cpp/test/IceSSL/configuration/AllTests.cpp @@ -760,6 +760,7 @@ allTests(Test::TestHelper* helper, const string& /*testDir*/, bool p12) // Verify that IceSSL.CheckCertName has no effect in a server. // initData.properties = createClientProps(defaultProps, p12, "c_rsa_ca1", "cacert1"); + initData.properties->setProperty("IceSSL.CheckCertName", "0"); comm = initialize(initData); fact = Test::ServerFactoryPrx(comm, factoryRef); test(fact); @@ -853,7 +854,6 @@ allTests(Test::TestHelper* helper, const string& /*testDir*/, bool p12) // initData.properties = createClientProps(defaultProps, p12, "c_rsa_ca1", "cacert1"); initData.properties->setProperty("IceSSL.CheckCertName", "1"); - initData.properties->setProperty("IceSSL.VerifyPeer", "0"); comm = initialize(initData); fact = Test::ServerFactoryPrx(comm, factoryRef); @@ -861,8 +861,14 @@ allTests(Test::TestHelper* helper, const string& /*testDir*/, bool p12) d = createServerProps(props, p12, "s_rsa_ca1_cn4", "cacert1"); server = fact->createServer(d); - info = dynamic_pointer_cast(server->ice_getConnection()->getInfo()); - test(info->host == "localhost"); + try + { + server->ice_ping(); + test(false); + } + catch (const Ice::SecurityException&) + { + } fact->destroyServer(server); comm->destroy(); @@ -873,7 +879,6 @@ allTests(Test::TestHelper* helper, const string& /*testDir*/, bool p12) // initData.properties = createClientProps(defaultProps, p12, "c_rsa_ca1", "cacert1"); initData.properties->setProperty("IceSSL.CheckCertName", "1"); - initData.properties->setProperty("IceSSL.VerifyPeer", "0"); comm = initialize(initData); fact = Test::ServerFactoryPrx(comm, factoryRef); @@ -881,8 +886,14 @@ allTests(Test::TestHelper* helper, const string& /*testDir*/, bool p12) d = createServerProps(props, p12, "s_rsa_ca1_cn5", "cacert1"); server = fact->createServer(d); - info = dynamic_pointer_cast(server->ice_getConnection()->getInfo()); - test(info->host == "localhost"); + try + { + server->ice_ping(); + test(false); + } + catch (const Ice::SecurityException&) + { + } fact->destroyServer(server); comm->destroy(); @@ -915,7 +926,6 @@ allTests(Test::TestHelper* helper, const string& /*testDir*/, bool p12) // initData.properties = createClientProps(defaultProps, p12, "c_rsa_ca1", "cacert1"); initData.properties->setProperty("IceSSL.CheckCertName", "1"); - initData.properties->setProperty("IceSSL.VerifyPeer", "0"); comm = initialize(initData); fact = Test::ServerFactoryPrx(comm, factoryRef); @@ -923,8 +933,14 @@ allTests(Test::TestHelper* helper, const string& /*testDir*/, bool p12) d = createServerProps(defaultProps, p12, "s_rsa_ca1_cn7", "cacert1"); server = fact->createServer(d); - info = dynamic_pointer_cast(server->ice_getConnection()->getInfo()); - test(info->host == "127.0.0.1"); + try + { + server->ice_ping(); + test(false); + } + catch (const Ice::SecurityException&) + { + } fact->destroyServer(server); comm->destroy(); @@ -939,7 +955,6 @@ allTests(Test::TestHelper* helper, const string& /*testDir*/, bool p12) // initData.properties = createClientProps(defaultProps, p12, "c_rsa_ca1", "cacert1"); initData.properties->setProperty("IceSSL.CheckCertName", "1"); - initData.properties->setProperty("IceSSL.VerifyPeer", "0"); comm = initialize(initData); fact = Test::ServerFactoryPrx(comm, factoryRef); @@ -947,8 +962,20 @@ allTests(Test::TestHelper* helper, const string& /*testDir*/, bool p12) d = createServerProps(defaultProps, p12, "s_rsa_ca1_cn8", "cacert1"); server = fact->createServer(d); +#if defined(ICE_USE_SECURE_TRANSPORT) info = dynamic_pointer_cast(server->ice_getConnection()->getInfo()); test(info->host == "127.0.0.1"); +#else + try + { + server->ice_ping(); + test(false); + } + catch (const Ice::SecurityException&) + { + } +#endif + fact->destroyServer(server); comm->destroy(); }