Ice 2.1 client Ice 3.1 server

[Powell Trusler]

Hello all,
I have the situation where I have a client that uses Ice 2.1, and a server that has to use 3.1.

My server is written in C#. and since I need SSL, I have to use Ice 3.1.

I do not have control of the client, so it has to use Ice 2.1.

Can someone confirm that a 2.1 client will work with 3.1 server.

Will this work with SSL?

It seems Ice SSL is a little different between 2.1 and 3.1.
write the IceSSL properties for a 3.1 server to work with the
2.1 client.

Any help greatly appreciated!

Thanks,
Powell

[mes]

Hi Powell,

You're right, there have been a lot of changes to the SSL plug-in since version 2.1, but SSL communication should work fine between an Ice 2.1 client and a 3.1 server. I've verified (using the hello demo) that a C++ client using Ice 2.1 can communicate successfully over SSL with a C# server using Ice 3.1.

Let us know if you have any problems.

Take care,
- Mark

[gsalazar]

I work at HP on Remote Graphics Software. I am also trying to get the above configuration working.

I have taken the 'hello' demo provided with Ice and added some ADH configs. Attached you will find two zip files with the certs that I used and the modified config files, as well as the source code. One is called hello_211.zip and the other hello_310.zip. The server using Ice 3.1.0 crashes as soon as the client using Ice 2.1.1 attempts to make an invocation in secure mode.

Am I missing something about the config? Here is the config for the Ice 3.1.0 server concerning SSL:
Ice.Plugin.IceSSL=IceSSL:createIceSSL
IceSSL.Ciphers=ADH
IceSSL.VerifyPeer=0

I tried adding IceSSL.DefaultDir=certs and IceSSL.DH.1024=s_dh1024.pem to ensure a match to the clients config, but that causes the server to crash at startup time. I also tried adding IceSSL.MaxVerifyDepth=10 to more closely match the clients config, but no luck.

Any help greatly appreciated. --Gabe

[mes]

Hi Gabe,

I tried to reproduce the problem you described using your attached examples, but everything worked correctly for me. I also tried setting the following properties in the server:

IceSSL.DefaultDir=certs
IceSSL.DH.1024=s_dh1024.pem

Adding these properties did not cause the server to misbehave.

If you're still having trouble, please describe the exact nature of the crash. Please also provide your compiler and platform information.

Take care,
- Mark

[gsalazar]

Hi Mark, thanks for the reply. Here is my platform info:

Both systems are Windows XP SP2. I used Visual Studio .Net 2003 to compile the hello_211 example, and Visual Studio 2005 to compile the hello_310 example. I will try a clean and rebuild to eliminate these issues. What platforms did you use to build and run?

New question:
In C#, I am trying to configure ADH for the hello example in 3.1.0 using the following ssl config in config.server:
-----------
Ice.ThreadPerConnection=1
Ice.Plugin.IceSSL=../../../bin/icesslcs.dll:IceSSL.PluginFactory
IceSSL.DefaultDir=certs
IceSSL.Ciphers=ADH
IceSSL.VerifyPeer=0
IceSSL.DH.1024=s_dh1024.pem
------------

I get the following output - is ADH not supported within C#?
------------
server.exe: Ice.SecurityException: SecurityException
reason = "IceSSL: certificate required for server endpoint"
at IceSSL.AcceptorI..ctor(Instance instance, String adapterName, String host, Int32 port) in c:\src\vc80\stage\IceCS-3.1.0\src\IceSSL\AcceptorI.cs:line 260
at IceSSL.EndpointI.acceptor(EndpointI& endpoint, String adapterName) in c:\src\vc80\stage\IceCS-3.1.0\src\IceSSL\EndpointI.cs:line 362
at IceInternal.IncomingConnectionFactory..ctor(Instan ce instance, EndpointI e
ndpoint, ObjectAdapter adapter, String adapterName) in c:\src\vc80\stage\IceCS-3.1.0\src\Ice\ConnectionFactory.cs:line 971
at Ice.ObjectAdapterI..ctor(Instance instance, Communicator communicator, ObjectAdapterFactory objectAdapterFactory, String name, String endpointInfo, RouterPrx router) in c:\src\vc80\stage\IceCS-3.1.0\src\Ice\ObjectAdapterI.cs:line 848
at IceInternal.ObjectAdapterFactory.createObjectAdapt er(String name, String endpoints, RouterPrx router) in :\src\vc80\stage\IceCS-3.1.0\src\Ice\ObjectAdapterFactory.cs:line 122
at Ice.CommunicatorI.createObjectAdapterWithEndpoints (String name, String endpoints) in c:\src\vc80\stage\IceCS-3.1.0\src\Ice\CommunicatorI.cs:line 57
at Ice.CommunicatorI.createObjectAdapter(String name) in c:\src\vc80\stage\IceCS-3.1.0\src\Ice\CommunicatorI.cs:line 52
at Server.run(String[] args) in C:\Ice-3.1.0\democs\Ice\hello\Server.cs:line 14
at Ice.Application.main(String[] args, InitializationData initData) in c:\src\vc80\stage\IceCS-3.1.0\src\Ice\Application.cs:line 116
Press any key to continue . . .

------------

[mes]

Hi,

The SSL implementation in .NET does not support ADH as far as I know, which is why IceSSL requires a certificate.

When trying your examples, I initially used Windows XP SP2 with VC6 for the Ice 2.1.1 client and Linux for the Ice 3.1.0 server, just to make sure there were no general issues using SSL+DH between the Ice versions.

After seeing that you were using VS2005 for your server, I tried that as well on Windows XP SP2. Communication worked fine with the Ice 2.1.1 client. However, the server failed when I added the IceSSL.DefaultDir and IceSSL.DH.1024 properties and restarted it. I'll continue to investigate this.

Take care,
- Mark

[mes]

Gabe,

It looks like the problem I was experiencing was caused by the fact that I built the hello server in the Debug configuration. If I build a Release executable, I no longer get the failure. We may need to modify IceSSL so that it can use the OpenSSL DLLs regardless of whether the application is built in Debug or Release. Meanwhile, try building in Release mode if you're currently using Debug and see if that improves the situation.

Take care,
- Mark

[mes]

We'll include a fix in the next Ice release that corrects the failure you described.

- Mark