aboutsummaryrefslogtreecommitdiffstats
path: root/lib/orber/src
diff options
context:
space:
mode:
authorLars Thorsen <lars@erlang.org>2011-12-02 15:27:35 +0100
committerLars Thorsen <lars@erlang.org>2011-12-05 13:45:59 +0100
commit8ad9f2bee9ca779988aa5634906751b30b07156e (patch)
tree6a897acc0b98900195b15e6a974f625adbb0186b /lib/orber/src
parent35afc84d71ae5152a78cc03c3740c37fdf54e734 (diff)
downloadotp-8ad9f2bee9ca779988aa5634906751b30b07156e.tar.gz
otp-8ad9f2bee9ca779988aa5634906751b30b07156e.tar.bz2
otp-8ad9f2bee9ca779988aa5634906751b30b07156e.zip
[orber] Change the option handling for ssl
Diffstat (limited to 'lib/orber/src')
-rw-r--r--lib/orber/src/orber.erl10
-rw-r--r--lib/orber/src/orber_env.erl289
-rw-r--r--lib/orber/src/orber_iiop_net.erl137
-rw-r--r--lib/orber/src/orber_iiop_pm.erl132
-rw-r--r--lib/orber/src/orber_socket.erl14
-rw-r--r--lib/orber/src/orber_tb.erl35
6 files changed, 417 insertions, 200 deletions
diff --git a/lib/orber/src/orber.erl b/lib/orber/src/orber.erl
index 386c07d227..4e43d42638 100644
--- a/lib/orber/src/orber.erl
+++ b/lib/orber/src/orber.erl
@@ -36,6 +36,7 @@
-export([start/0, start/1, stop/0, install/1, install/2, orber_nodes/0, iiop_port/0,
domain/0, iiop_ssl_port/0, iiop_out_ports/0, iiop_out_ports_random/0,
iiop_out_ports_attempts/0,
+ ssl_server_opts/0, ssl_client_opts/0, set_ssl_client_opts/1,
ssl_server_certfile/0, ssl_client_certfile/0, set_ssl_client_certfile/1,
ssl_server_verify/0, ssl_client_verify/0, set_ssl_client_verify/1,
ssl_server_depth/0, ssl_client_depth/0, set_ssl_client_depth/1,
@@ -524,6 +525,15 @@ iiop_ssl_port() ->
nat_iiop_ssl_port() ->
orber_env:nat_iiop_ssl_port().
+ssl_server_opts() ->
+ orber_env:ssl_server_opts().
+
+ssl_client_opts() ->
+ orber_env:ssl_client_opts().
+
+set_ssl_client_opts(Value) ->
+ orber_env:set_ssl_client_opts(Value).
+
ssl_server_certfile() ->
orber_env:ssl_server_certfile().
diff --git a/lib/orber/src/orber_env.erl b/lib/orber/src/orber_env.erl
index d80edb4ee0..8fb3908710 100644
--- a/lib/orber/src/orber_env.erl
+++ b/lib/orber/src/orber_env.erl
@@ -20,7 +20,7 @@
%%
%%-----------------------------------------------------------------
%% File: orber_env.erl
-%%
+%%
%% Description:
%% Handling environment parameters for Orber.
%%
@@ -49,20 +49,22 @@
iiop_max_in_connections/0, iiop_backlog/0, objectkeys_gc_time/0,
get_ORBInitRef/0, get_ORBDefaultInitRef/0, get_interceptors/0,
get_local_interceptors/0, get_cached_interceptors/0,
- set_interceptors/1, is_lightweight/0, get_lightweight_nodes/0, secure/0,
+ set_interceptors/1, is_lightweight/0, get_lightweight_nodes/0, secure/0,
iiop_ssl_backlog/0, iiop_ssl_port/0, nat_iiop_ssl_port/0, nat_iiop_ssl_port/1,
+ ssl_server_opts/0, ssl_client_opts/0, set_ssl_client_opts/1,
ssl_server_certfile/0, ssl_client_certfile/0, set_ssl_client_certfile/1,
ssl_server_verify/0, ssl_client_verify/0, set_ssl_client_verify/1,
ssl_server_depth/0, ssl_client_depth/0, set_ssl_client_depth/1,
- ssl_server_cacertfile/0, ssl_client_cacertfile/0,
+ ssl_server_cacertfile/0, ssl_client_cacertfile/0,
set_ssl_client_cacertfile/1, ssl_client_password/0,
ssl_server_password/0, ssl_client_keyfile/0, ssl_server_keyfile/0,
ssl_client_ciphers/0, ssl_server_ciphers/0, ssl_client_cachetimeout/0,
- ssl_server_cachetimeout/0, get_flags/0, typechecking/0,
+ ssl_server_cachetimeout/0,
+ get_flags/0, typechecking/0,
exclude_codeset_ctx/0, exclude_codeset_component/0, partial_security/0,
use_CSIv2/0, use_FT/0, ip_version/0, light_ifr/0, bidir_context/0,
get_debug_level/0, getaddrstr/2, addr2str/1, iiop_packet_size/0,
- iiop_ssl_ip_address_local/0, ip_address_local/0, iiop_in_keepalive/0,
+ iiop_ssl_ip_address_local/0, ip_address_local/0, iiop_in_keepalive/0,
iiop_out_keepalive/0, iiop_ssl_in_keepalive/0, iiop_ssl_out_keepalive/0,
iiop_ssl_accept_timeout/0, ssl_generation/0]).
@@ -87,38 +89,39 @@
[flags, iiop_port, nat_iiop_port, iiop_out_ports, domain, ip_address,
nat_ip_address, giop_version, iiop_timeout, iiop_connection_timeout,
iiop_setup_connection_timeout, iiop_in_connection_timeout, iiop_acl,
- iiop_max_fragments, iiop_max_in_requests, iiop_max_in_connections,
+ iiop_max_fragments, iiop_max_in_requests, iiop_max_in_connections,
iiop_backlog, objectkeys_gc_time, orbInitRef, orbDefaultInitRef,
interceptors, local_interceptors, lightweight, ip_address_local,
- secure, iiop_ssl_ip_address_local, iiop_ssl_backlog,
- iiop_ssl_port, nat_iiop_ssl_port, ssl_server_certfile,
- ssl_client_certfile, ssl_server_verify, ssl_client_verify, ssl_server_depth,
- ssl_client_depth, ssl_server_cacertfile, ssl_client_cacertfile,
- ssl_client_password, ssl_server_password, ssl_client_keyfile,
- ssl_server_keyfile, ssl_client_ciphers, ssl_server_ciphers,
+ secure, iiop_ssl_ip_address_local, iiop_ssl_backlog,
+ iiop_ssl_port, nat_iiop_ssl_port, ssl_server_certfile,
+ ssl_client_certfile, ssl_server_verify, ssl_client_verify, ssl_server_depth,
+ ssl_client_depth, ssl_server_cacertfile, ssl_client_cacertfile,
+ ssl_client_password, ssl_server_password, ssl_client_keyfile,
+ ssl_server_keyfile, ssl_client_ciphers, ssl_server_ciphers,
ssl_client_cachetimeout, ssl_server_cachetimeout, orber_debug_level,
iiop_packet_size, iiop_in_keepalive, iiop_out_keepalive,
- iiop_ssl_in_keepalive, iiop_ssl_out_keepalive, iiop_ssl_accept_timeout]).
+ iiop_ssl_in_keepalive, iiop_ssl_out_keepalive, iiop_ssl_accept_timeout,
+ ssl_server_opts, ssl_client_opts]).
%% The 'flags' parameter must be first in the list.
%-define(ENV_KEYS,
-% [{flags, ?ORB_ENV_INIT_FLAGS}, {iiop_port, 4001}, nat_iiop_port,
-% {iiop_out_ports, 0}, {domain, "ORBER"}, ip_address, nat_ip_address,
-% {giop_version, {1, 1}}, {iiop_timeout, infinity},
-% {iiop_connection_timeout, infinity}, {iiop_setup_connection_timeout, infinity},
+% [{flags, ?ORB_ENV_INIT_FLAGS}, {iiop_port, 4001}, nat_iiop_port,
+% {iiop_out_ports, 0}, {domain, "ORBER"}, ip_address, nat_ip_address,
+% {giop_version, {1, 1}}, {iiop_timeout, infinity},
+% {iiop_connection_timeout, infinity}, {iiop_setup_connection_timeout, infinity},
% {iiop_in_connection_timeout, infinity}, {iiop_acl, []},
-% {iiop_max_fragments, infinity}, {iiop_max_in_requests, infinity},
-% {iiop_max_in_connections, infinity}, {iiop_backlog, 5},
-% {objectkeys_gc_time, infinity},
+% {iiop_max_fragments, infinity}, {iiop_max_in_requests, infinity},
+% {iiop_max_in_connections, infinity}, {iiop_backlog, 5},
+% {objectkeys_gc_time, infinity},
% {orbInitRef, undefined}, {orbDefaultInitRef, undefined},
% {interceptors, false}, {local_interceptors, false}, {lightweight, false},
-% {secure, no}, {iiop_ssl_backlog, 5}, {iiop_ssl_port, 4002},
+% {secure, no}, {iiop_ssl_backlog, 5}, {iiop_ssl_port, 4002},
% nat_iiop_ssl_port, {ssl_server_certfile, []}, {ssl_client_certfile, []},
-% {ssl_server_verify, 0}, {ssl_client_verify, 0}, {ssl_server_depth, 1},
-% {ssl_client_depth, 1}, {ssl_server_cacertfile, []},
+% {ssl_server_verify, 0}, {ssl_client_verify, 0}, {ssl_server_depth, 1},
+% {ssl_client_depth, 1}, {ssl_server_cacertfile, []},
% {ssl_client_cacertfile, []}, {ssl_client_password, []},
-% {ssl_server_password, []}, {ssl_client_keyfile, []},
-% {ssl_server_keyfile, []}, {ssl_client_ciphers, []},
+% {ssl_server_password, []}, {ssl_client_keyfile, []},
+% {ssl_server_keyfile, []}, {ssl_client_ciphers, []},
% {ssl_server_ciphers, []}, {ssl_client_cachetimeout, infinity},
% {ssl_server_cachetimeout, infinity}, {orber_debug_level, 0}]).
@@ -129,33 +132,33 @@
%%-----------------------------------------------------------------
%% External functions
-%%-----------------------------------------------------------------
%%-----------------------------------------------------------------
-%% function :
-%% Arguments:
-%% Returns :
-%% Exception:
-%% Effect :
+%%-----------------------------------------------------------------
+%% function :
+%% Arguments:
+%% Returns :
+%% Exception:
+%% Effect :
%%-----------------------------------------------------------------
start(Opts) ->
gen_server:start_link({local, orber_env}, ?MODULE, Opts, []).
%%-----------------------------------------------------------------
%% function : get_keys
-%% Arguments:
-%% Returns :
-%% Exception:
-%% Effect :
+%% Arguments:
+%% Returns :
+%% Exception:
+%% Effect :
%%-----------------------------------------------------------------
get_keys() ->
?ENV_KEYS.
%%-----------------------------------------------------------------
%% function : get_env
-%% Arguments:
-%% Returns :
-%% Exception:
-%% Effect :
+%% Arguments:
+%% Returns :
+%% Exception:
+%% Effect :
%%-----------------------------------------------------------------
get_env(Key) when is_atom(Key) ->
case catch ets:lookup(?ENV_DB, Key) of
@@ -164,13 +167,13 @@ get_env(Key) when is_atom(Key) ->
_ ->
undefined
end.
-
+
%%-----------------------------------------------------------------
%% function : get_env
-%% Arguments:
-%% Returns :
-%% Exception:
-%% Effect :
+%% Arguments:
+%% Returns :
+%% Exception:
+%% Effect :
%%-----------------------------------------------------------------
set_env(Key, Value) when is_atom(Key) ->
case catch ets:insert(?ENV_DB, #parameters{key = Key, value = Value}) of
@@ -179,20 +182,20 @@ set_env(Key, Value) when is_atom(Key) ->
_ ->
undefined
end.
-
+
%%-----------------------------------------------------------------
%% function : info
%% Arguments: IoDervice - info_msg | string | io | {io, Dev}
-%% Returns :
-%% Exception:
-%% Effect :
+%% Returns :
+%% Exception:
+%% Effect :
%%-----------------------------------------------------------------
info() ->
info(info_msg).
info(IoDevice) ->
- Info =
+ Info =
case orber_tb:is_running() of
true ->
Info1 = create_main_info(),
@@ -211,7 +214,7 @@ info(IoDevice) ->
string ->
Info;
io ->
- io:format("~s", [Info]);
+ io:format("~s", [Info]);
{io, Dev} ->
io:format(Dev, "~s", [Info]);
_ ->
@@ -220,14 +223,14 @@ info(IoDevice) ->
create_main_info() ->
{Major, Minor} = giop_version(),
- [io_lib:format("======= Orber Execution Environment ======~n"
+ [io_lib:format("======= Orber Execution Environment ======~n"
"Orber version.................: ~s~n"
"Orber domain..................: ~s~n"
"IIOP port number..............: ~p~n"
"IIOP NAT port number..........: ~p~n"
"Interface(s)..................: ~p~n"
"Interface(s) NAT..............: ~p~n"
- "Local Interface (default).....: ~p~n"
+ "Local Interface (default).....: ~p~n"
"Nodes in domain...............: ~p~n"
"GIOP version (default)........: ~p.~p~n"
"IIOP out timeout..............: ~p msec~n"
@@ -254,18 +257,18 @@ create_main_info() ->
"Debug Level...................: ~p~n"
"orbInitRef....................: ~p~n"
"orbDefaultInitRef.............: ~p~n",
- [?ORBVSN, domain(), iiop_port(), nat_iiop_port(), host(),
+ [?ORBVSN, domain(), iiop_port(), nat_iiop_port(), host(),
nat_host(), ip_address_local(),
orber:orber_nodes(), Major, Minor,
- iiop_timeout(), iiop_connection_timeout(),
+ iiop_timeout(), iiop_connection_timeout(),
iiop_setup_connection_timeout(), iiop_out_ports(),
iiop_out_ports_attempts(), iiop_out_ports_random(),
- orber:iiop_connections(out), orber:iiop_connections_pending(),
- iiop_out_keepalive(), orber:iiop_connections(in),
- iiop_in_connection_timeout(), iiop_in_keepalive(),
- iiop_max_fragments(), iiop_max_in_requests(),
+ orber:iiop_connections(out), orber:iiop_connections_pending(),
+ iiop_out_keepalive(), orber:iiop_connections(in),
+ iiop_in_connection_timeout(), iiop_in_keepalive(),
+ iiop_max_fragments(), iiop_max_in_requests(),
iiop_max_in_connections(), iiop_backlog(), iiop_acl(),
- iiop_packet_size(), objectkeys_gc_time(), get_interceptors(),
+ iiop_packet_size(), objectkeys_gc_time(), get_interceptors(),
get_local_interceptors(), get_debug_level(), get_ORBInitRef(),
get_ORBDefaultInitRef()])].
@@ -277,7 +280,7 @@ create_flag_info(Info) ->
FlagData = check_flags(?ORB_ENV_FLAGS, Flags, []),
[Info, "System Flags Set..............: \n", FlagData, "\n"]
end.
-
+
check_flags([], _, Acc) ->
Acc;
check_flags([{Flag, Txt}|T], Flags, Acc) when ?ORB_FLAG_TEST(Flags, Flag) ->
@@ -289,7 +292,7 @@ check_flags([_|T], Flags, Acc) ->
create_security_info(no, Info) ->
lists:flatten([Info, "=========================================\n"]);
create_security_info(ssl, Info) ->
- lists:flatten([Info,
+ lists:flatten([Info,
io_lib:format("ORB security..................: ssl~n"
"SSL generation................: ~p~n"
"SSL IIOP in keepalive.........: ~p~n"
@@ -316,26 +319,26 @@ create_security_info(ssl, Info) ->
"SSL client ciphers............: ~p~n"
"SSL client cachetimeout.......: ~p~n"
"=========================================~n",
- [ssl_generation(), iiop_ssl_port(),
+ [ssl_generation(), iiop_ssl_port(),
iiop_ssl_in_keepalive(), iiop_ssl_out_keepalive(),
- nat_iiop_ssl_port(), iiop_ssl_accept_timeout(),
+ nat_iiop_ssl_port(), iiop_ssl_accept_timeout(),
iiop_ssl_backlog(), iiop_ssl_ip_address_local(),
ssl_server_certfile(), ssl_server_verify(),
- ssl_server_depth(), ssl_server_cacertfile(),
- ssl_server_keyfile(), ssl_server_password(),
+ ssl_server_depth(), ssl_server_cacertfile(),
+ ssl_server_keyfile(), ssl_server_password(),
ssl_server_ciphers(), ssl_server_cachetimeout(),
- ssl_client_certfile(), ssl_client_verify(),
- ssl_client_depth(), ssl_client_cacertfile(),
+ ssl_client_certfile(), ssl_client_verify(),
+ ssl_client_depth(), ssl_client_cacertfile(),
ssl_client_keyfile(), ssl_client_password(),
ssl_client_ciphers(), ssl_client_cachetimeout()])]).
%%-----------------------------------------------------------------
%% function : iiop_acl
-%% Arguments:
-%% Returns :
-%% Exception:
-%% Effect :
+%% Arguments:
+%% Returns :
+%% Exception:
+%% Effect :
%%-----------------------------------------------------------------
iiop_acl() ->
case application:get_env(orber, iiop_acl) of
@@ -352,7 +355,7 @@ iiop_packet_size() ->
_ ->
infinity
end.
-
+
iiop_port() ->
case application:get_env(orber, iiop_port) of
@@ -368,7 +371,7 @@ nat_iiop_port() ->
Port;
{ok, {local, Default, _NATList}} ->
Default;
- _ ->
+ _ ->
iiop_port()
end.
@@ -378,7 +381,7 @@ nat_iiop_port(LocalPort) ->
Port;
{ok, {local, Default, NATList}} ->
orber_tb:keysearch(LocalPort, NATList, Default);
- _ ->
+ _ ->
iiop_port()
end.
@@ -407,9 +410,9 @@ iiop_out_ports_attempts() ->
_ ->
1
end.
-
-domain() ->
+
+domain() ->
case application:get_env(orber, domain) of
{ok, Domain} when is_list(Domain) ->
Domain;
@@ -449,7 +452,7 @@ nat_host([Host]) ->
{ok,{multiple, [I|_] = IList}} when is_list(I) ->
IList;
{ok,{local, Default, NATList}} ->
- [orber_tb:keysearch(Host, NATList, Default)];
+ [orber_tb:keysearch(Host, NATList, Default)];
_ ->
host()
end.
@@ -462,7 +465,7 @@ host() ->
{ok,{multiple, [I|_] = IList}} when is_list(I) ->
IList;
%% IPv4. For IPv6 we only accept a string, but we must support this format
- %% for IPv4
+ %% for IPv4
{ok, {A1, A2, A3, A4}} when is_integer(A1+A2+A3+A4) ->
[integer_to_list(A1) ++ "." ++ integer_to_list(A2) ++ "." ++ integer_to_list(A3)
++ "." ++ integer_to_list(A4)];
@@ -489,7 +492,7 @@ ip_address_local() ->
_ ->
[]
end.
-
+
ip_address() ->
ip_address(ip_version()).
@@ -526,7 +529,7 @@ addr2str({A1, A2, A3, A4, A5, A6, A7, A8}) ->
int16_to_hex(A3) ++ ":" ++ int16_to_hex(A4) ++ ":" ++
int16_to_hex(A5) ++ ":" ++ int16_to_hex(A6) ++ ":" ++
int16_to_hex(A7) ++ ":" ++ int16_to_hex(A8).
-
+
int16_to_hex(0) ->
[$0];
@@ -613,7 +616,7 @@ iiop_max_fragments() ->
_ ->
infinity
end.
-
+
iiop_max_in_requests() ->
case application:get_env(orber, iiop_max_in_requests) of
{ok, Max} when is_integer(Max) andalso Max > 0 ->
@@ -653,7 +656,7 @@ iiop_out_keepalive() ->
_ ->
false
end.
-
+
get_flags() ->
@@ -706,9 +709,9 @@ bidir_context() ->
?ORB_FLAG_TEST(Flags, ?ORB_ENV_USE_BI_DIR_IIOP) ->
[#'IOP_ServiceContext'
{context_id=?IOP_BI_DIR_IIOP,
- context_data =
- #'IIOP_BiDirIIOPServiceContext'{listen_points =
- [#'IIOP_ListenPoint'{host=host(),
+ context_data =
+ #'IIOP_BiDirIIOPServiceContext'{listen_points =
+ [#'IIOP_ListenPoint'{host=host(),
port=iiop_port()}]}}];
true ->
[]
@@ -819,7 +822,7 @@ get_lightweight_nodes() ->
_ ->
false
end.
-
+
%%-----------------------------------------------------------------
%% Security access operations (SSL)
@@ -838,8 +841,8 @@ ssl_generation() ->
V;
_ ->
2
- end.
-
+ end.
+
iiop_ssl_ip_address_local() ->
case application:get_env(orber, iiop_ssl_ip_address_local) of
{ok,I} when is_list(I) ->
@@ -876,10 +879,10 @@ iiop_ssl_accept_timeout() ->
case application:get_env(orber, iiop_ssl_accept_timeout) of
{ok, N} when is_integer(N) ->
N * 1000;
- _ ->
+ _ ->
infinity
end.
-
+
iiop_ssl_port() ->
case application:get_env(orber, secure) of
{ok, ssl} ->
@@ -923,6 +926,52 @@ nat_iiop_ssl_port(LocalPort) ->
-1
end.
+ssl_server_opts() ->
+ case application:get_env(orber, ssl_server_opts) of
+ {ok, V1} when is_list(V1) ->
+ V1;
+ _ ->
+ []
+ end.
+
+ssl_client_opts() ->
+ case application:get_env(orber, ssl_client_opts) of
+ {ok, V1} when is_list(V1) ->
+ V1;
+ _ ->
+ []
+ end.
+
+check_ssl_opts(Value) ->
+ check_ssl_opts(Value, []).
+check_ssl_opts([], []) ->
+ ok;
+check_ssl_opts([], Acc) ->
+ {error, Acc};
+check_ssl_opts([{active, _} |T], Acc) ->
+ check_ssl_opts(T, [active |Acc]);
+check_ssl_opts([{packet, _} |T], Acc) ->
+ check_ssl_opts(T, [packet |Acc]);
+check_ssl_opts([{mode, _} |T], Acc) ->
+ check_ssl_opts(T, [mode |Acc]);
+check_ssl_opts([list |T], Acc) ->
+ check_ssl_opts(T, [list |Acc]);
+check_ssl_opts([binary |T], Acc) ->
+ check_ssl_opts(T, [binary |Acc]);
+check_ssl_opts([_ |T], Acc) ->
+ check_ssl_opts(T, Acc).
+
+set_ssl_client_opts(Value) when is_list(Value) ->
+ case check_ssl_opts(Value) of
+ ok ->
+ ok;
+ {error, List} ->
+ exit(lists:flatten(
+ io_lib:format("TCP options ~p is not allowed in set_ssl_client_opts()",
+ [List])))
+ end,
+ put(ssl_client_opts, Value), ok.
+
ssl_server_certfile() ->
case application:get_env(orber, ssl_server_certfile) of
{ok, V1} when is_list(V1) ->
@@ -932,7 +981,7 @@ ssl_server_certfile() ->
_ ->
[]
end.
-
+
ssl_client_certfile() ->
case get(ssl_client_certfile) of
undefined ->
@@ -950,7 +999,7 @@ ssl_client_certfile() ->
set_ssl_client_certfile(Value) when is_list(Value) ->
put(ssl_client_certfile, Value).
-
+
ssl_server_verify() ->
Verify = case application:get_env(orber, ssl_server_verify) of
{ok, V} when is_integer(V) ->
@@ -964,7 +1013,7 @@ ssl_server_verify() ->
true ->
0
end.
-
+
ssl_client_verify() ->
Verify = case get(ssl_client_verify) of
undefined ->
@@ -986,7 +1035,7 @@ ssl_client_verify() ->
set_ssl_client_verify(Value) when is_integer(Value) andalso Value =< 2 andalso Value >= 0 ->
put(ssl_client_verify, Value), ok.
-
+
ssl_server_depth() ->
case application:get_env(orber, ssl_server_depth) of
{ok, V1} when is_integer(V1) ->
@@ -994,7 +1043,7 @@ ssl_server_depth() ->
_ ->
1
end.
-
+
ssl_client_depth() ->
case get(ssl_client_depth) of
undefined ->
@@ -1010,7 +1059,7 @@ ssl_client_depth() ->
set_ssl_client_depth(Value) when is_integer(Value) ->
put(ssl_client_depth, Value), ok.
-
+
ssl_server_cacertfile() ->
@@ -1022,7 +1071,7 @@ ssl_server_cacertfile() ->
_ ->
[]
end.
-
+
ssl_client_cacertfile() ->
case get(ssl_client_cacertfile) of
undefined ->
@@ -1040,7 +1089,7 @@ ssl_client_cacertfile() ->
set_ssl_client_cacertfile(Value) when is_list(Value) ->
put(ssl_client_cacertfile, Value), ok.
-
+
ssl_client_password() ->
case application:get_env(orber, ssl_client_password) of
@@ -1108,10 +1157,10 @@ ssl_server_cachetimeout() ->
%%-----------------------------------------------------------------
%% function : configure
-%% Arguments:
-%% Returns :
-%% Exception:
-%% Effect :
+%% Arguments:
+%% Returns :
+%% Exception:
+%% Effect :
%%-----------------------------------------------------------------
configure(Key, Value) when is_atom(Key) ->
configure(Key, Value, check);
@@ -1125,10 +1174,10 @@ configure_override(Key, _) ->
%%-----------------------------------------------------------------
%% function : multi_configure
-%% Arguments:
-%% Returns :
-%% Exception:
-%% Effect :
+%% Arguments:
+%% Returns :
+%% Exception:
+%% Effect :
%%-----------------------------------------------------------------
multi_configure(KeyValueList) when is_list(KeyValueList) ->
case orber_tb:is_loaded() of
@@ -1144,7 +1193,7 @@ multi_configure(KeyValueList) when is_list(KeyValueList) ->
end
end;
multi_configure(KeyValueList) ->
- ?EFORMAT("Given configuration parameters not a Key-Value-pair list: ~p",
+ ?EFORMAT("Given configuration parameters not a Key-Value-pair list: ~p",
[KeyValueList]).
multi_configure_helper([], _) ->
@@ -1237,7 +1286,7 @@ configure(iiop_port, Value, Status) when is_integer(Value) ->
%% Set the NAT listen port
configure(nat_iiop_port, Value, Status) when is_integer(Value) andalso Value > 0 ->
do_safe_configure(nat_iiop_port, Value, Status);
-configure(nat_iiop_port, {local, Value1, Value2}, Status) when is_integer(Value1) andalso
+configure(nat_iiop_port, {local, Value1, Value2}, Status) when is_integer(Value1) andalso
Value1 > 0 andalso
is_list(Value2) ->
do_safe_configure(nat_iiop_port, {local, Value1, Value2}, Status);
@@ -1312,12 +1361,20 @@ configure(iiop_ssl_backlog, Value, Status) when is_integer(Value) andalso Value
do_safe_configure(iiop_ssl_backlog, Value, Status);
configure(nat_iiop_ssl_port, Value, Status) when is_integer(Value) andalso Value > 0 ->
do_safe_configure(nat_iiop_ssl_port, Value, Status);
-configure(nat_iiop_ssl_port, {local, Value1, Value2}, Status) when is_integer(Value1) andalso
+configure(nat_iiop_ssl_port, {local, Value1, Value2}, Status) when is_integer(Value1) andalso
Value1 > 0 andalso
is_list(Value2) ->
do_safe_configure(nat_iiop_ssl_port, {local, Value1, Value2}, Status);
configure(iiop_ssl_port, Value, Status) when is_integer(Value) ->
do_safe_configure(iiop_ssl_port, Value, Status);
+
+%% New SSL options
+configure(ssl_server_opts, Value, Status) when is_list(Value) ->
+ do_safe_configure(ssl_server_opts, Value, Status);
+configure(ssl_client_opts, Value, Status) when is_list(Value) ->
+ do_safe_configure(ssl_client_opts, Value, Status);
+
+%% Old SSL options
configure(ssl_server_certfile, Value, Status) when is_list(Value) ->
do_safe_configure(ssl_server_certfile, Value, Status);
configure(ssl_server_certfile, Value, Status) when is_atom(Value) ->
@@ -1434,9 +1491,9 @@ code_change(_OldVsn, State, _Extra) ->
%%-----------------------------------------------------------------
%% function : env
-%% Arguments:
-%% Returns :
-%% Exception:
+%% Arguments:
+%% Returns :
+%% Exception:
%% Effect : Used when Key always exists (Default Value)
%%-----------------------------------------------------------------
env(Key) ->
@@ -1445,10 +1502,10 @@ env(Key) ->
%%-----------------------------------------------------------------
%% function : init_env
-%% Arguments:
-%% Returns :
-%% Exception:
-%% Effect :
+%% Arguments:
+%% Returns :
+%% Exception:
+%% Effect :
%%-----------------------------------------------------------------
init_env() ->
application:load(orber),
diff --git a/lib/orber/src/orber_iiop_net.erl b/lib/orber/src/orber_iiop_net.erl
index 58eba9f039..5620b5d94f 100644
--- a/lib/orber/src/orber_iiop_net.erl
+++ b/lib/orber/src/orber_iiop_net.erl
@@ -161,31 +161,51 @@ terminate(_Reason, _State) ->
%%-----------------------------------------------------------------
get_options(normal, _Options) ->
[];
-get_options(ssl, Options) ->
- Verify = orber_tb:keysearch(ssl_server_verify, Options,
- orber_env:ssl_server_verify()),
- Depth = orber_tb:keysearch(ssl_server_depth, Options,
- orber_env:ssl_server_depth()),
- Cert = orber_tb:keysearch(ssl_server_certfile, Options,
- orber_env:ssl_server_certfile()),
- CaCert = orber_tb:keysearch(ssl_server_cacertfile, Options,
- orber_env:ssl_server_cacertfile()),
- Pwd = orber_tb:keysearch(ssl_server_password, Options,
- orber_env:ssl_server_password()),
- Key = orber_tb:keysearch(ssl_server_keyfile, Options,
- orber_env:ssl_server_keyfile()),
- Ciphers = orber_tb:keysearch(ssl_server_ciphers, Options,
- orber_env:ssl_server_ciphers()),
- Timeout = orber_tb:keysearch(ssl_server_cachetimeout, Options,
- orber_env:ssl_server_cachetimeout()),
- [{verify, Verify},
- {depth, Depth} |
- ssl_server_extra_options([{certfile, Cert},
- {cacertfile, CaCert},
- {password, Pwd},
- {keyfile, Key},
- {ciphers, Ciphers},
- {cachetimeout, Timeout}], [])].
+get_options(ssl, Options) ->
+ SSLOpts =
+ case orber_tb:keysearch(ssl_server_opts, Options,
+ orber_env:ssl_server_opts()) of
+ [] ->
+ Verify = orber_tb:keysearch(ssl_server_verify, Options,
+ orber_env:ssl_server_verify()),
+ Depth = orber_tb:keysearch(ssl_server_depth, Options,
+ orber_env:ssl_server_depth()),
+ Cert = orber_tb:keysearch(ssl_server_certfile, Options,
+ orber_env:ssl_server_certfile()),
+ CaCert = orber_tb:keysearch(ssl_server_cacertfile, Options,
+ orber_env:ssl_server_cacertfile()),
+ Pwd = orber_tb:keysearch(ssl_server_password, Options,
+ orber_env:ssl_server_password()),
+ Key = orber_tb:keysearch(ssl_server_keyfile, Options,
+ orber_env:ssl_server_keyfile()),
+ Ciphers = orber_tb:keysearch(ssl_server_ciphers, Options,
+ orber_env:ssl_server_ciphers()),
+ Timeout = orber_tb:keysearch(ssl_server_cachetimeout, Options,
+ orber_env:ssl_server_cachetimeout()),
+ KeepAlive = orber_tb:keysearch(ssl_server_cachetimeout, Options,
+ orber_env:iiop_ssl_in_keepalive()),
+ [{verify, Verify},
+ {depth, Depth},
+ {certfile, Cert},
+ {cacertfile, CaCert},
+ {password, Pwd},
+ {keyfile, Key},
+ {ciphers, Ciphers},
+ {cachetimeout, Timeout},
+ {keepalive, KeepAlive}];
+ Opts ->
+ case orber_tb:check_illegal_tcp_options(Opts) of
+ ok ->
+ check_old_ssl_server_options(Options),
+ Opts;
+ {error, IllegalOpts} ->
+ error_logger:error_report([{application, orber},
+ "TCP options not allowed to set on a connection",
+ IllegalOpts]),
+ error("Illegal TCP option")
+ end
+ end,
+ ssl_server_extra_options(SSLOpts, []).
%%-----------------------------------------------------------------
%% Func: parse_options/2
@@ -266,23 +286,28 @@ handle_call({add, IP, Type, Port, AllOptions}, _From, State) ->
Family = orber_env:ip_version(),
case inet:getaddr(IP, Family) of
{ok, IPTuple} ->
- Options = [{ip, IPTuple}|get_options(Type, AllOptions)],
- Ref = make_ref(),
- ProxyOptions = filter_options(AllOptions, []),
- case orber_socket:listen(Type, Port, Options, false) of
- {ok, Listen, NewPort} ->
- {ok, Pid} = orber_iiop_socketsup:start_accept(Type, Listen, Ref,
- ProxyOptions),
- link(Pid),
- ets:insert(?CONNECTION_DB, #listen{pid = Pid,
- socket = Listen,
- port = NewPort,
- type = Type, ref = Ref,
- options = Options,
- proxy_options = ProxyOptions}),
- {reply, {ok, Ref}, State};
- Error ->
- {reply, Error, State}
+ try [{ip, IPTuple} |get_options(Type, AllOptions)] of
+ Options ->
+ Ref = make_ref(),
+ ProxyOptions = filter_options(AllOptions, []),
+ case orber_socket:listen(Type, Port, Options, false) of
+ {ok, Listen, NewPort} ->
+ {ok, Pid} = orber_iiop_socketsup:start_accept(Type, Listen, Ref,
+ ProxyOptions),
+ link(Pid),
+ ets:insert(?CONNECTION_DB, #listen{pid = Pid,
+ socket = Listen,
+ port = NewPort,
+ type = Type, ref = Ref,
+ options = Options,
+ proxy_options = ProxyOptions}),
+ {reply, {ok, Ref}, State};
+ Error ->
+ {reply, Error, State}
+ end
+ catch
+ error:Reason ->
+ {reply, {error, Reason}, State}
end;
Other ->
{reply, Other, State}
@@ -461,3 +486,31 @@ update_counter(#state{max_connections = infinity} = State, _) ->
update_counter(State, Value) ->
State#state{counter = State#state.counter + Value}.
+
+check_old_ssl_server_options(Options) ->
+ try
+ 0 = orber_tb:keysearch(ssl_server_verify, Options,
+ orber_env:ssl_server_verify()),
+ 1 = orber_tb:keysearch(ssl_server_depth, Options,
+ orber_env:ssl_server_depth()),
+ [] = orber_tb:keysearch(ssl_server_certfile, Options,
+ orber_env:ssl_server_certfile()),
+ [] = orber_tb:keysearch(ssl_server_cacertfile, Options,
+ orber_env:ssl_server_cacertfile()),
+ [] = orber_tb:keysearch(ssl_server_password, Options,
+ orber_env:ssl_server_password()),
+ [] = orber_tb:keysearch(ssl_server_keyfile, Options,
+ orber_env:ssl_server_keyfile()),
+ [] = orber_tb:keysearch(ssl_server_ciphers, Options,
+ orber_env:ssl_server_ciphers()),
+ infinity = orber_tb:keysearch(ssl_server_cachetimeout, Options,
+ orber_env:ssl_server_cachetimeout()),
+ false = orber_tb:keysearch(iiop_ssl_in_keepalive, Options,
+ orber_env:iiop_ssl_in_keepalive())
+ catch
+ _:_ ->
+ io:format("hej\n",[]),
+ error_logger:warning_report([{application, orber},
+ "Ignoring deprecated ssl server options used together with the ssl_server_opts"])
+ end.
+
diff --git a/lib/orber/src/orber_iiop_pm.erl b/lib/orber/src/orber_iiop_pm.erl
index bf36b353bc..d86de36939 100644
--- a/lib/orber/src/orber_iiop_pm.erl
+++ b/lib/orber/src/orber_iiop_pm.erl
@@ -108,44 +108,82 @@ connect(Host, Port, SocketType, Timeout, Chars, Wchars, Ctx)
end.
get_ssl_socket_options([]) ->
- [{verify, orber:ssl_client_verify()},
- {depth, orber:ssl_client_depth()} |
- ssl_client_extra_options([{certfile, orber:ssl_client_certfile()},
- {cacertfile, orber:ssl_client_cacertfile()},
- {password, orber:ssl_client_password()},
- {keyfile, orber:ssl_client_keyfile()},
- {ciphers, orber:ssl_client_ciphers()},
- {cachetimeout, orber:ssl_client_cachetimeout()}], [])];
+ SSLOpts =
+ case orber_env:ssl_client_opts() of
+ [] ->
+ [{verify, orber_env:ssl_client_verify()},
+ {depth, orber_env:ssl_client_depth()},
+ {certfile, orber_env:ssl_client_certfile()},
+ {cacertfile, orber_env:ssl_client_cacertfile()},
+ {password, orber_env:ssl_client_password()},
+ {keyfile, orber_env:ssl_client_keyfile()},
+ {ciphers, orber_env:ssl_client_ciphers()},
+ {cachetimeout, orber_env:ssl_client_cachetimeout()},
+ {keepalive, orber_env:iiop_ssl_out_keepalive()}];
+ Opts ->
+ case orber_tb:check_illegal_tcp_options(Opts) of
+ ok ->
+ check_old_ssl_client_options([]),
+ Opts;
+ {error, IllegalOpts} ->
+ error_logger:error_report([{application, orber},
+ "TCP options not allowed to set on a connection",
+ IllegalOpts]),
+ error("Illegal TCP option")
+ end
+ end,
+ ssl_client_extra_options(SSLOpts, []);
get_ssl_socket_options([#'IOP_ServiceContext'
{context_id=?ORBER_GENERIC_CTX_ID,
context_data = {configuration, Options}}|_]) ->
- Verify = orber_tb:keysearch(ssl_client_verify, Options,
- orber_env:ssl_client_verify()),
- Depth = orber_tb:keysearch(ssl_client_depth, Options,
- orber_env:ssl_client_depth()),
- Cert = orber_tb:keysearch(ssl_client_certfile, Options,
- orber_env:ssl_client_certfile()),
- CaCert = orber_tb:keysearch(ssl_client_cacertfile, Options,
- orber_env:ssl_client_cacertfile()),
- Pwd = orber_tb:keysearch(ssl_client_password, Options,
- orber_env:ssl_client_password()),
- Key = orber_tb:keysearch(ssl_client_keyfile, Options,
- orber_env:ssl_client_keyfile()),
- Ciphers = orber_tb:keysearch(ssl_client_ciphers, Options,
- orber_env:ssl_client_ciphers()),
- Timeout = orber_tb:keysearch(ssl_client_cachetimeout, Options,
- orber_env:ssl_client_cachetimeout()),
- [{verify, Verify},
- {depth, Depth} |
- ssl_client_extra_options([{certfile, Cert},
- {cacertfile, CaCert},
- {password, Pwd},
- {keyfile, Key},
- {ciphers, Ciphers},
- {cachetimeout, Timeout}], [])];
+ SSLOpts =
+ case orber_tb:keysearch(ssl_client_opts, Options,
+ orber_env:ssl_client_opts()) of
+ [] ->
+ Verify = orber_tb:keysearch(ssl_client_verify, Options,
+ orber_env:ssl_client_verify()),
+ Depth = orber_tb:keysearch(ssl_client_depth, Options,
+ orber_env:ssl_client_depth()),
+ Cert = orber_tb:keysearch(ssl_client_certfile, Options,
+ orber_env:ssl_client_certfile()),
+ CaCert = orber_tb:keysearch(ssl_client_cacertfile, Options,
+ orber_env:ssl_client_cacertfile()),
+ Pwd = orber_tb:keysearch(ssl_client_password, Options,
+ orber_env:ssl_client_password()),
+ Key = orber_tb:keysearch(ssl_client_keyfile, Options,
+ orber_env:ssl_client_keyfile()),
+ Ciphers = orber_tb:keysearch(ssl_client_ciphers, Options,
+ orber_env:ssl_client_ciphers()),
+ Timeout = orber_tb:keysearch(ssl_client_cachetimeout, Options,
+ orber_env:ssl_client_cachetimeout()),
+ KeepAlive = orber_tb:keysearch(ssl_server_cachetimeout, Options,
+ orber_env:iiop_ssl_out_keepalive()),
+ [{verify, Verify},
+ {depth, Depth},
+ {certfile, Cert},
+ {cacertfile, CaCert},
+ {password, Pwd},
+ {keyfile, Key},
+ {ciphers, Ciphers},
+ {cachetimeout, Timeout},
+ {keepalive, KeepAlive}];
+ Opts ->
+ case orber_tb:check_illegal_tcp_options(Opts) of
+ ok ->
+ check_old_ssl_client_options(Options),
+ Opts;
+ {error, IllegalOpts} ->
+ error_logger:error_report([{application, orber},
+ "TCP options not allowed to set on a connection",
+ IllegalOpts]),
+ error("Illegal TCP option")
+ end
+ end,
+ ssl_client_extra_options(SSLOpts, []);
get_ssl_socket_options([_|T]) ->
get_ssl_socket_options(T).
+
ssl_client_extra_options([], Acc) ->
Acc;
ssl_client_extra_options([{_Type, []}|T], Acc) ->
@@ -814,6 +852,36 @@ init_interceptors(Host, Port, {SHost, SPort}) ->
%% Either 'false' or {Type, PIs}.
Other
end.
+
+
+check_old_ssl_client_options(Options) ->
+ try
+ 0 = orber_tb:keysearch(ssl_client_verify, Options,
+ orber_env:ssl_client_verify()),
+ 1 = orber_tb:keysearch(ssl_client_depth, Options,
+ orber_env:ssl_client_depth()),
+ [] = orber_tb:keysearch(ssl_client_certfile, Options,
+ orber_env:ssl_client_certfile()),
+ [] = orber_tb:keysearch(ssl_client_cacertfile, Options,
+ orber_env:ssl_client_cacertfile()),
+ [] = orber_tb:keysearch(ssl_client_password, Options,
+ orber_env:ssl_client_password()),
+ [] = orber_tb:keysearch(ssl_client_keyfile, Options,
+ orber_env:ssl_client_keyfile()),
+ [] = orber_tb:keysearch(ssl_client_ciphers, Options,
+ orber_env:ssl_client_ciphers()),
+ infinity = orber_tb:keysearch(ssl_client_cachetimeout, Options,
+ orber_env:ssl_client_cachetimeout()),
+ false = orber_tb:keysearch(iiop_ssl_out_keepalive, Options,
+ orber_env:iiop_ssl_out_keepalive())
+
+ catch
+ _:_ ->
+ error_logger:warning_report([{application, orber},
+ "Ignoring deprecated ssl client options used together with the ssl_client_opts"])
+ end.
+
+
%%-----------------------------------------------------------------
diff --git a/lib/orber/src/orber_socket.erl b/lib/orber/src/orber_socket.erl
index ec2cf8f42a..07a0e09ccc 100644
--- a/lib/orber/src/orber_socket.erl
+++ b/lib/orber/src/orber_socket.erl
@@ -14,8 +14,7 @@
%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
%% the License for the specific language governing rights and limitations
%% under the License.
-%%
-%% %CopyrightEnd%
+%%%% %CopyrightEnd%
%%
%%
%%-----------------------------------------------------------------
@@ -37,7 +36,7 @@
%%-----------------------------------------------------------------
-export([start/0, connect/4, listen/3, listen/4, accept/2, accept/3, write/3,
controlling_process/3, close/2, peername/2, sockname/2,
- peerdata/2, peercert/2, sockdata/2, setopts/3,
+ peerdata/2, peercert/2, sockdata/2, setopts/3,
clear/2, shutdown/3, post_accept/2, post_accept/3]).
%%-----------------------------------------------------------------
@@ -75,8 +74,6 @@ connect(Type, Host, Port, Options) ->
case Type of
normal ->
[{keepalive, orber_env:iiop_out_keepalive()}|Options1];
- _ when Generation > 2 ->
- [{keepalive, orber_env:iiop_ssl_out_keepalive()}|Options1];
_ ->
Options1
end,
@@ -251,8 +248,7 @@ listen(ssl, Port, Options, Exception) ->
end,
Options4 = if
Generation > 2 ->
- [{reuseaddr, true},
- {keepalive, orber_env:iiop_ssl_in_keepalive()}|Options3];
+ [{reuseaddr, true} |Options3];
true ->
Options3
end,
@@ -362,8 +358,8 @@ peercert(ssl, Socket) ->
ssl:peercert(Socket);
peercert(Type, _Socket) ->
orber:dbg("[~p] orber_socket:peercert(~p);~n"
- "Only available for SSL sockets.",
- [?LINE, Type], ?DEBUG_LEVEL),
+ "Only available for SSL sockets.",
+ [?LINE, Type], ?DEBUG_LEVEL),
{error, ebadsocket}.
%%-----------------------------------------------------------------
diff --git a/lib/orber/src/orber_tb.erl b/lib/orber/src/orber_tb.erl
index e6d5ee4400..cce95f7237 100644
--- a/lib/orber/src/orber_tb.erl
+++ b/lib/orber/src/orber_tb.erl
@@ -39,7 +39,8 @@
-compile({no_auto_import,[error/2]}).
-export([wait_for_tables/1, wait_for_tables/2, wait_for_tables/3,
is_loaded/0, is_loaded/1, is_running/0, is_running/1,
- info/2, error/2, unique/1, keysearch/2, keysearch/3]).
+ info/2, error/2, unique/1, keysearch/2, keysearch/3,
+ check_illegal_tcp_options/1]).
%%----------------------------------------------------------------------
%% Internal exports
@@ -179,6 +180,38 @@ error(Format, Args) ->
Args).
+
+
+
+%%----------------------------------------------------------------------
+%% function : check_illegal_tcp_options/1
+%% Arguments:
+%% Returns :
+%% Exception:
+%% Effect :
+%%----------------------------------------------------------------------
+check_illegal_tcp_options(Options) ->
+ check_illegal_tcp_options(Options, []).
+
+check_illegal_tcp_options([],[]) ->
+ ok;
+check_illegal_tcp_options([],IllegalOpts) ->
+ {error, IllegalOpts};
+check_illegal_tcp_options([{active, V} |T], IllegalOpts) ->
+ check_illegal_tcp_options(T,[{active, V} |IllegalOpts]);
+check_illegal_tcp_options([{packet, V} |T], IllegalOpts) ->
+ check_illegal_tcp_options(T,[{packet, V} |IllegalOpts]);
+check_illegal_tcp_options([{mode, V} |T], IllegalOpts) ->
+ check_illegal_tcp_options(T,[{mode, V} |IllegalOpts]);
+check_illegal_tcp_options([list |T], IllegalOpts) ->
+ check_illegal_tcp_options(T,[list |IllegalOpts]);
+check_illegal_tcp_options([binary |T], IllegalOpts) ->
+ check_illegal_tcp_options(T,[binary |IllegalOpts]);
+check_illegal_tcp_options([{reuseaddr, V} |T], IllegalOpts) ->
+ check_illegal_tcp_options(T,[{reuseaddr, V} |IllegalOpts]);
+check_illegal_tcp_options([H|T], IllegalOpts) ->
+ check_illegal_tcp_options(T, IllegalOpts).
+
%%----------------------------------------------------------------------
%% Internal functions
%%----------------------------------------------------------------------