[omniORB] Callbacks in an CORBA-SSL-only environment

Daniel Krügler daniel.kruegler at gmail.com
Wed Jun 24 06:37:33 UTC 2026


Am Mo., 11. Mai 2026 um 11:09 Uhr schrieb Daniel Krügler <
daniel.kruegler at gmail.com>:

> Hi,
>
> We are currently moving our CORBA server (Based on JacORB) towards an
> SSL-only configuration, i.e. we deactivate the regular CORBA port
> completely and allow only CORBA SSL (via ssliop). Our clients are based on
> OmniORB and we currently try to find an OmniORB configuration that works
> both for a CORBA server which supports (a) both plain CORBA and CORBA SSL
> and (b) only CORBA-SSL [To clarify: The expectation is, that the client is
> connecting via CORBA SSL, but should not know whether the server accepts
> either both CORBA SSL and plain CORBA or only CORBA SSL].
>
> During my experiments I stumbled across the following issue when CORBA
> callbacks are involved (That is: The OmniORB client registers a callback on
> the  JacORB  server).
>
> Originally I had the following set in the OmniORB configuration:
>
> clientTransportRule =     *   ssl,unix,tcp,bidir
>
> serverTransportRule =    *     ssl,unix,tcp,bidir
>
> endPoint = giop:ssl::
>                = giop:tcp::
>
> (A) My expectation was that under these client settings of  endPoint
> giop:ssl::would be still preferred regardless of the server constraints,
> but that doesn't seem to hold. If the server is configured SSL-only, the
> client callback waits endlessly and is not called (without producing a
> CORBA connection error visible in the omniORB log file even under
> traceLevel=40. I found that it is required to set
>
> endPoint = giop:ssl::
>
> to ensure that a client callback is called regardless whether the server
> is configured SSL-only or not. Is this behaviour expected and my chosen
> configuration the right one? What is the reason for this?
>
> (B) Then I tested the same scenario using unidirectional connection
> instead of bidirectional configuration (The POA construction was
> correspondingly adjusted programmatically), i.e.
>
> clientTransportRule =     *   ssl,unix,tcp
>
> serverTransportRule =    *     ssl,unix,tcp
>
> endPoint = giop:ssl::
>
> Under these conditions the client callback never becomes called when being
> connected to a server configured as SSL-only. I'm wondering now, what kind
> of OmniORB setting is required to make callbacks work under such
> unidirectional conditions?
>
> Thanks for any hint,
>
> - Daniel
>

We have now understood the problems that I reported above: They have been
causes by a misconfigured JacORB server. For those experiencing similar
problems: In this server the default configuration of the following
properties was:

jacorb.security.ssl.client.supported_options=0
jacorb.security.ssl.client.required_options=0
jacorb.security.ssl.server.supported_options=0
jacorb.security.ssl.server.required_options=0

This alone is not the actual problem, because we overwrote these values
programmatically to the value 20 for each, but only partially! By making
these changes complete no changes in the omniORB setting where needed at
all, we could stay with

endPoint = giop:ssl::
               = giop:tcp::

Regards,

- Daniel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.omniorb-support.com/pipermail/omniorb-list/attachments/20260624/68102ca2/attachment.htm>


More information about the omniORB-list mailing list