[omniORB] Fallback from SSL to TCP on CA failure?
Peter Klotz
peter.klotz at aon.at
Wed Oct 7 18:58:17 BST 2009
Hello Duncan
> On Sunday 4 October, Peter Klotz wrote:
>
> [...]
>> Is it the desired behavior that omniORB (4.1.4) performs a fallback
>> from SSL to TCP if the CA check fails?
>
> Yes, if that's what the clientTransportRule specifies. If an object
> reference contains both SSL and TCP endpoints, a client will try both
> unless its clientTransportRule tells it not to. See this bit of the
> manual:
>
> http://omniorb.sourceforge.net/omni41/omniORB/omniORB008.html#toc43
Thank you for clarifying this issue. So the case where I am not seeing
fallbacks is the wrong one.
> Why one of your methods falls back and the other doesn't, I'm not
> sure. Is it from the same client? Can you get a trace from traceLevel
> 25 traceInvocations 1 on the client?
For my tests I use one client and one server that implements several
servants.
You can find the requested output attached (Client-TL25-NoFallback.txt).
TCP port is 11260, SSL port is 11261.
These lines look strange:

Switching to TCP:

omniORB: (0) 2009-10-07 14:56:55.889763: Switch rope to use address giop:tcp:10.18.2.48:11260

Immediately afterwards failing using SSL:

omniORB: (0) 2009-10-07 14:56:55.889861: Unable to open new connection: giop:ssl:10.18.2.48:11261
I have reduced my client to the absolute minimum and now only one usage
pattern results in a TCP fallback:
* Obtain an object reference for servant A
* Obtain an object reference for servant B
* Call a method on object reference B. This call fails without TCP fallback.
* Now calling methods on object reference A works and uses the TCP fallback
I also attached the output of this scenario (Client-TL25-Fallback.txt).
Thanks for your help so far.
Regards, Peter.
-------------- next part --------------
omniORB: (0) 2009-10-07 17:26:47.665448: Creating ref to remote: key<NameService>
target id : IDL:omg.org/CORBA/Object:1.0
most derived id:
omniORB: (0) 2009-10-07 17:26:47.665615: Initial reference `NameService' resolved from -ORBInitRef argument / ORB registration.
omniORB: (0) 2009-10-07 17:26:47.665715: Invoke '_is_a' on remote: key<NameService>
omniORB: (0) 2009-10-07 17:26:47.665899: Client attempt to connect to giop:tcp:host:7883
omniORB: (1) 2009-10-07 17:26:47.665913: AsyncInvoker: thread id = 1 has started. Total threads = 1
omniORB: (0) 2009-10-07 17:26:47.666198: Name 'host' resolved: 10.18.2.48
omniORB: (1) 2009-10-07 17:26:47.666309: Scavenger task execute.
omniORB: (0) 2009-10-07 17:26:47.667825: Client opened connection to giop:tcp:10.18.2.48:7883
omniORB: (0) 2009-10-07 17:26:47.667931: sendChunk: to giop:tcp:10.18.2.48:7883 100 bytes
omniORB: (0) 2009-10-07 17:26:47.669098: inputMessage: from giop:tcp:10.18.2.48:7883 25 bytes
omniORB: (0) 2009-10-07 17:26:47.669202: Return '_is_a' on remote: key<NameService>
omniORB: (0) 2009-10-07 17:26:47.669300: Creating ref to remote: key<NameService>
target id : IDL:omg.org/CosNaming/NamingContext:1.0
most derived id:
2009-10-07 17:26:47.669455 V NamingService pid: 13249 tid: 47877037859360
omniORB: (0) 2009-10-07 17:26:47.669595: Invoke 'resolve' on remote: key<NameService>
omniORB: (0) 2009-10-07 17:26:47.669729: sendChunk: to giop:tcp:10.18.2.48:7883 217 bytes
omniORB: (0) 2009-10-07 17:26:47.670048: inputMessage: from giop:tcp:10.18.2.48:7883 200 bytes
omniORB: (0) 2009-10-07 17:26:47.670180: Creating ref to remote: root<8>
target id : IDL:omg.org/CORBA/Object:1.0
most derived id: IDL:ico/corba/testmc/idl/Administration:1.0
omniORB: (0) 2009-10-07 17:26:47.670293: Return 'resolve' on remote: key<NameService>
omniORB: (0) 2009-10-07 17:26:47.670404: ObjRef() -- deleted.
omniORB: (0) 2009-10-07 17:26:47.670503: Initial reference `NameService' resolved from -ORBInitRef argument / ORB registration.
omniORB: (0) 2009-10-07 17:26:47.670598: Invoke '_is_a' on remote: key<NameService>
omniORB: (0) 2009-10-07 17:26:47.670691: sendChunk: to giop:tcp:10.18.2.48:7883 100 bytes
omniORB: (0) 2009-10-07 17:26:47.670948: inputMessage: from giop:tcp:10.18.2.48:7883 25 bytes
omniORB: (0) 2009-10-07 17:26:47.671038: Return '_is_a' on remote: key<NameService>
omniORB: (0) 2009-10-07 17:26:47.671130: Creating ref to remote: key<NameService>
target id : IDL:omg.org/CosNaming/NamingContext:1.0
most derived id:
2009-10-07 17:26:47.671279 V NamingService pid: 13249 tid: 47877037859360
omniORB: (0) 2009-10-07 17:26:47.671356: Invoke 'resolve' on remote: key<NameService>
omniORB: (0) 2009-10-07 17:26:47.671451: sendChunk: to giop:tcp:10.18.2.48:7883 217 bytes
omniORB: (0) 2009-10-07 17:26:47.671728: inputMessage: from giop:tcp:10.18.2.48:7883 204 bytes
omniORB: (0) 2009-10-07 17:26:47.671837: Creating ref to remote: root<2>
target id : IDL:omg.org/CORBA/Object:1.0
most derived id: IDL:ico/corba/testmc/idl/TestNativeTypes:1.0
omniORB: (0) 2009-10-07 17:26:47.671964: Return 'resolve' on remote: key<NameService>
omniORB: (0) 2009-10-07 17:26:47.672065: ObjRef() -- deleted.
omniORB: (0) 2009-10-07 17:26:47.672161: LocateRequest to remote: root<2>
omniORB: (0) 2009-10-07 17:26:47.672273: Client attempt to connect to giop:ssl:10.18.2.48:11261
omniORB: (0) 2009-10-07 17:26:47.677145: openSSL error detected in sslAddress::connect. Reason: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
omniORB: (0) 2009-10-07 17:26:47.677324: Switch rope to use address giop:tcp:10.18.2.48:11260
omniORB: (0) 2009-10-07 17:26:47.677426: Unable to open new connection: giop:ssl:10.18.2.48:11261
omniORB: (0) 2009-10-07 17:26:47.677519: throw giopStream::CommFailure from giopStream.cc:1152(1,NO,TRANSIENT_ConnectFailed)
omniORB: (0) 2009-10-07 17:26:47.677770: throw TRANSIENT from omniObjRef.cc:1137 (NO,TRANSIENT_ConnectFailed)
omniORB: (0) 2009-10-07 17:26:47.678034: omniRemoteIdentity deleted.
omniORB: (0) 2009-10-07 17:26:47.678127: ObjRef(IDL:ico/corba/testmc/idl/TestNativeTypes:1.0) -- deleted.
omniORB: (0) 2009-10-07 17:26:47.678495: LocateRequest to remote: root<8>
omniORB: (0) 2009-10-07 17:26:47.678619: Client attempt to connect to giop:tcp:10.18.2.48:11260
omniORB: (0) 2009-10-07 17:26:47.678909: Client opened connection to giop:tcp:10.18.2.48:11260
omniORB: (0) 2009-10-07 17:26:47.679004: sendChunk: to giop:tcp:10.18.2.48:11260 38 bytes
omniORB: (0) 2009-10-07 17:26:47.680052: inputMessage: from giop:tcp:10.18.2.48:11260 20 bytes
omniORB: (0) 2009-10-07 17:26:47.680175: Invoke 'ping' on remote: root<8>
omniORB: (0) 2009-10-07 17:26:47.680277: Send codeset service context: (ISO-8859-1,UTF-16)
omniORB: (0) 2009-10-07 17:26:47.680374: sendChunk: to giop:tcp:10.18.2.48:11260 80 bytes
omniORB: (0) 2009-10-07 17:26:47.681229: inputMessage: from giop:tcp:10.18.2.48:11260 24 bytes
omniORB: (0) 2009-10-07 17:26:47.681321: Return 'ping' on remote: root<8>
omniORB: (0) 2009-10-07 17:26:47.681412: omniRemoteIdentity deleted.
omniORB: (0) 2009-10-07 17:26:47.681503: ObjRef(IDL:ico/corba/testmc/idl/Administration:1.0) -- deleted.
omniORB: (0) 2009-10-07 17:26:47.681603: Preparing to shutdown ORB.
-------------- next part --------------
omniORB: (0) 2009-10-07 14:56:55.880847: Creating ref to remote: key<NameService>
target id : IDL:omg.org/CORBA/Object:1.0
most derived id:
omniORB: (0) 2009-10-07 14:56:55.881033: Initial reference `NameService' resolved from -ORBInitRef argument / ORB registration.
omniORB: (0) 2009-10-07 14:56:55.881135: Invoke '_is_a' on remote: key<NameService>
omniORB: (0) 2009-10-07 14:56:55.881334: Client attempt to connect to giop:tcp:host:7883
omniORB: (1) 2009-10-07 14:56:55.881346: AsyncInvoker: thread id = 1 has started. Total threads = 1
omniORB: (0) 2009-10-07 14:56:55.881672: Name 'host' resolved: 10.18.2.48
omniORB: (1) 2009-10-07 14:56:55.881745: Scavenger task execute.
omniORB: (0) 2009-10-07 14:56:55.882196: Client opened connection to giop:tcp:10.18.2.48:7883
omniORB: (0) 2009-10-07 14:56:55.882302: sendChunk: to giop:tcp:10.18.2.48:7883 100 bytes
omniORB: (0) 2009-10-07 14:56:55.882783: inputMessage: from giop:tcp:10.18.2.48:7883 25 bytes
omniORB: (0) 2009-10-07 14:56:55.882905: Return '_is_a' on remote: key<NameService>
omniORB: (0) 2009-10-07 14:56:55.883016: Creating ref to remote: key<NameService>
target id : IDL:omg.org/CosNaming/NamingContext:1.0
most derived id:
omniORB: (0) 2009-10-07 14:56:55.883330: Invoke 'resolve' on remote: key<NameService>
omniORB: (0) 2009-10-07 14:56:55.883445: sendChunk: to giop:tcp:10.18.2.48:7883 217 bytes
omniORB: (0) 2009-10-07 14:56:55.883783: inputMessage: from giop:tcp:10.18.2.48:7883 200 bytes
omniORB: (0) 2009-10-07 14:56:55.884113: Creating ref to remote: root<8>
target id : IDL:omg.org/CORBA/Object:1.0
most derived id: IDL:ico/corba/testmc/idl/Administration:1.0
omniORB: (0) 2009-10-07 14:56:55.884235: Return 'resolve' on remote: key<NameService>
omniORB: (0) 2009-10-07 14:56:55.884358: ObjRef() -- deleted.
omniORB: (0) 2009-10-07 14:56:55.884461: LocateRequest to remote: root<8>
omniORB: (0) 2009-10-07 14:56:55.884582: Client attempt to connect to giop:ssl:10.18.2.48:11261
omniORB: (0) 2009-10-07 14:56:55.889571: openSSL error detected in sslAddress::connect. Reason: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
omniORB: (0) 2009-10-07 14:56:55.889763: Switch rope to use address giop:tcp:10.18.2.48:11260
omniORB: (0) 2009-10-07 14:56:55.889861: Unable to open new connection: giop:ssl:10.18.2.48:11261
omniORB: (0) 2009-10-07 14:56:55.889953: throw giopStream::CommFailure from giopStream.cc:1152(1,NO,TRANSIENT_ConnectFailed)
omniORB: (0) 2009-10-07 14:56:55.890227: throw TRANSIENT from omniObjRef.cc:1137 (NO,TRANSIENT_ConnectFailed)
omniORB: (0) 2009-10-07 14:56:55.890545: omniRemoteIdentity deleted.
omniORB: (0) 2009-10-07 14:56:55.890656: ObjRef(IDL:ico/corba/testmc/idl/Administration:1.0) -- deleted.
omniORB: (0) 2009-10-07 14:56:55.890768: Preparing to shutdown ORB.
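
An added example, not part of the original message or of omniORB: a small Python scanner for client traces like the two attached above. It flags a failed giop:ssl connect that is followed by a rope switch to giop:tcp, and records whether a cleartext connection to that address was then opened; the function name and record fields are assumptions, and the sample lines are excerpted from the traces above.

```python
import re

# omniORB trace line layout: "omniORB: (thread) date time: message"
LINE = re.compile(r"^omniORB: \(\d+\) (\S+ \S+): (.*)$")
ATTEMPT = re.compile(r"Client attempt to connect to (giop:ssl:\S+)")
SWITCH = re.compile(r"Switch rope to use address (giop:tcp:\S+)")
OPENED = re.compile(r"Client opened connection to (giop:tcp:\S+)")
SSL_FAIL = "openSSL error detected in sslAddress::connect"

def find_downgrades(trace):
    """Return one record per failed SSL connect that switched the rope to TCP."""
    findings, last_ssl, pending = [], None, None
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines ("target id : ...") carry no event
        when, msg = m.group(1), m.group(2)
        if a := ATTEMPT.search(msg):
            last_ssl, pending = a.group(1), None
        elif SSL_FAIL in msg:
            pending = {"ssl": last_ssl, "failed_at": when, "reason": msg.split("Reason: ")[-1]}
        elif (s := SWITCH.search(msg)) and pending:
            pending.update(tcp=s.group(1), cleartext_used=False)
            findings.append(pending)
            pending = None
        elif o := OPENED.search(msg):
            for f in findings:  # a later TCP connect to the switched-to address
                if f["tcp"] == o.group(1):
                    f["cleartext_used"] = True
    return findings

# Lines excerpted from the two traces attached to the message above.
FALLBACK = """\
omniORB: (0) 2009-10-07 17:26:47.667825: Client opened connection to giop:tcp:10.18.2.48:7883
omniORB: (0) 2009-10-07 17:26:47.672273: Client attempt to connect to giop:ssl:10.18.2.48:11261
omniORB: (0) 2009-10-07 17:26:47.677145: openSSL error detected in sslAddress::connect. Reason: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
omniORB: (0) 2009-10-07 17:26:47.677324: Switch rope to use address giop:tcp:10.18.2.48:11260
omniORB: (0) 2009-10-07 17:26:47.677426: Unable to open new connection: giop:ssl:10.18.2.48:11261
omniORB: (0) 2009-10-07 17:26:47.678909: Client opened connection to giop:tcp:10.18.2.48:11260
"""

NO_FALLBACK = """\
omniORB: (0) 2009-10-07 14:56:55.884582: Client attempt to connect to giop:ssl:10.18.2.48:11261
omniORB: (0) 2009-10-07 14:56:55.889571: openSSL error detected in sslAddress::connect. Reason: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
omniORB: (0) 2009-10-07 14:56:55.889763: Switch rope to use address giop:tcp:10.18.2.48:11260
omniORB: (0) 2009-10-07 14:56:55.889861: Unable to open new connection: giop:ssl:10.18.2.48:11261
"""
```

A record with `cleartext_used` set to False means the rope was switched but no TCP connection to that address was opened before the trace ended, which is the second trace's situation.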