
Install a custom SSL context

Reiner Hauser requested to merge rhauser/ipc:ssl-context into master

In a global constructor install a custom SSL context. By default it falls back to the standard omni behaviour. If TDAQ_IPC_SSL_SERVER=1 it generates and self-signs its own certificate and puts it into the SSL_CTX context.

In addition it sets ORBendPoint=giop:ssl:: in the environment if the variable is not already set.

Setting this variable is the only thing that needs to be done on the server side.

Nothing needs to be done on the client side, since the verifyMode is set to 'none', i.e. it will accept self-signed certificates.

This means the SSL connection cannot be used for authentication, but this would be basically impossible anyway in our system (more on the Jira ticket).

The connection is still encrypted. Due to the non-authentication it is susceptible to man-in-the-middle attacks, but we actually need that possibility because that's exactly what the IPCGatewayProxy does...

Also adding @avolio

Edited by Reiner Hauser
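
The trade-off described above, as an added example that is not part of the merge request or the project's code: Python's ssl module stands in for the OpenSSL context, and it shows a client with verification off completing a handshake with any self-signed certificate, while a verifying client rejects the same certificate. The host name, labels and helper names are constructed, and the openssl command-line tool is assumed to be on PATH.

```python
import os, ssl, subprocess, tempfile

HOST = "ipc-server.example"  # constructed name, not from the merge request

def self_signed_server_ctx(workdir, label):
    """Server context with a fresh self-signed certificate (openssl CLI assumed on PATH)."""
    key, crt = (os.path.join(workdir, label + ext) for ext in (".key", ".crt"))
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", "/CN=" + HOST,
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    return ctx

def client_ctx(verify):
    """verify=False mirrors a verify mode of 'none'; verify=True is Python's default."""
    if verify:
        return ssl.create_default_context()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # has to be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def handshake(cctx, sctx):
    """Run a TLS handshake in memory; return (True, version) or (False, reason)."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = cctx.wrap_bio(c_in, c_out, server_hostname=HOST)
    pending = {"client": client,
               "server": sctx.wrap_bio(s_in, s_out, server_side=True)}
    for _ in range(10):
        for name in list(pending):
            try:
                pending[name].do_handshake()
                del pending[name]
            except ssl.SSLWantReadError:
                pass  # waiting for bytes from the peer
            except ssl.SSLError as exc:
                return False, exc.reason or str(exc)
        for src, dst in ((c_out, s_in), (s_out, c_in)):
            if src.pending:
                dst.write(src.read())
        if not pending:
            return True, client.version()
    return False, "handshake did not complete"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        server, other = (self_signed_server_ctx(d, n) for n in ("server", "intermediary"))
        for verify, sctx in ((False, server), (False, other), (True, server)):
            print("verify" if verify else "no verify", handshake(client_ctx(verify), sctx))
```

The second case is the one that matters for monitoring: with verification off, the client cannot distinguish the intended server's certificate from any other self-signed one.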
