[omniORB-dev] Hardcoded TAG_SSL_SEC_TRANS supports/requires components

Duncan Grisby duncan at grisby.org
Wed Mar 8 16:15:01 GMT 2006


On Friday 3 March, "Ben Cullen" wrote:

> The supports and requires components of all omniORB SSL IORs are
> hardcoded to 96, due to the following code:

[...]
> From what I gather the supports/requires value of 96 means client and
> server authentication, i.e. no SSL:
> 64 client authentication
> 32 server authentication
> 2 integrity
> 4 confidentiality

The figure of 96 was chosen for interoperability with a version of
Visibroker that was around at the time omniORB's SSL transport was
written. There's no particular other reason for it.

omniORB itself completely ignores the values set in the
supports/requires, so you always get integrity and confidentiality, plus
client / server authentication depending on the sslVerifyMode
configuration parameter.

It's probably fine for interoperability to change the hard-coded values
to 0x66. The proper solution would be to take the verify mode into
account too. I'm not sure it's a good idea to support encryptionless
SSL.

I'd appreciate a patch to sslTransport.cc that picks the values to use
based on the verify mode.

Cheers,

Duncan.

-- 
 -- Duncan Grisby         --
  -- duncan at grisby.org     --
   -- http://www.grisby.org --
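
The bit arithmetic discussed in this message, as an added example that is not omniORB code and not part of the original post: it decodes the four association option bits quoted above, checks whether a supports/requires pair advertises the integrity and confidentiality the transport always provides, and shows one possible way to derive the values from the verify mode. The struct, the function names and the verify-mode mapping (two booleans standing in for sslVerifyMode) are assumptions.

```cpp
#include <cstdint>
#include <string>

// Association option bits as listed in the thread.
enum : std::uint16_t {
  kIntegrity       = 2,
  kConfidentiality = 4,
  kServerAuth      = 32,  // server authentication
  kClientAuth      = 64   // client authentication
};

// Hypothetical holder for the two fields of the SSL component.
struct SslSecTrans {
  std::uint16_t supports;
  std::uint16_t requires_;  // trailing underscore: "requires" is a C++20 keyword
};

// Render a mask as the flag names used in the thread.
std::string describe(std::uint16_t opts) {
  static const struct { std::uint16_t bit; const char* name; } kNames[] = {
    {kIntegrity, "integrity"}, {kConfidentiality, "confidentiality"},
    {kServerAuth, "server-auth"}, {kClientAuth, "client-auth"}};
  std::string out;
  for (const auto& n : kNames)
    if (opts & n.bit) { if (!out.empty()) out += '|'; out += n.name; }
  return out.empty() ? "none" : out;
}

// True when integrity and confidentiality are both supported and required,
// and nothing is required that is not also supported.
bool advertises_protection(const SslSecTrans& c) {
  const std::uint16_t prot = kIntegrity | kConfidentiality;
  return (c.supports & prot) == prot && (c.requires_ & prot) == prot &&
         (c.requires_ & ~c.supports) == 0;
}

// Assumed mapping, not omniORB's: integrity, confidentiality and server
// authentication are always advertised; client authentication is supported
// when the peer is verified and required when a missing peer certificate
// is a failure.
SslSecTrans from_verify_mode(bool verify_peer, bool fail_if_no_peer_cert) {
  SslSecTrans c{kIntegrity | kConfidentiality | kServerAuth,
                kIntegrity | kConfidentiality | kServerAuth};
  if (verify_peer) c.supports |= kClientAuth;
  if (verify_peer && fail_if_no_peer_cert) c.requires_ |= kClientAuth;
  return c;
}
```

With both booleans set, this mapping yields 0x66 for supports and requires, the value suggested in the message; the hardcoded 96 decodes to the two authentication bits only.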


