From ec84c0b4d707a5b5cb3dd09b32adf73f01060a93 Mon Sep 17 00:00:00 2001 From: jparisu <69341543+jparisu@users.noreply.github.com> Date: Fri, 17 Sep 2021 11:52:12 +0200 Subject: [PATCH] Fixing TLS Exceptions and Example (#2173) * Fixing HelloWorldExampleTCP certificates Signed-off-by: jparisu * regenerate certificates Signed-off-by: jparisu * Add try catch to probable fails in asio calls 
Signed-off-by: jparisu --- .../DDS/HelloWorldExampleTCP/CMakeLists.txt | 6 +- .../HelloWorldPublisher.cpp | 4 +- .../HelloWorldSubscriber.cpp | 3 +- .../{README.txt => README.md} | 37 +++++++--- examples/C++/DDS/HelloWorldExampleTCP/ca.cnf | 14 ++++ examples/C++/DDS/HelloWorldExampleTCP/ca.pem | 49 ------------- .../C++/DDS/HelloWorldExampleTCP/cacert.pem | 14 ++++ .../C++/DDS/HelloWorldExampleTCP/cacert.srl | 1 + .../C++/DDS/HelloWorldExampleTCP/cakey.pem | 8 +++ .../C++/DDS/HelloWorldExampleTCP/dh2048.pem | 12 ++-- .../C++/DDS/HelloWorldExampleTCP/server.cnf | 14 ++++ .../C++/DDS/HelloWorldExampleTCP/server.csr | 10 +++ .../C++/DDS/HelloWorldExampleTCP/server.pem | 71 ------------------- .../DDS/HelloWorldExampleTCP/servercert.pem | 14 ++++ .../DDS/HelloWorldExampleTCP/serverkey.pem | 8 +++ .../rtps/transport/TCPTransportInterface.cpp | 54 ++++++++++++-- .../rtps/transport/TCPTransportInterface.h | 4 +- 17 files changed, 175 insertions(+), 148 deletions(-) rename examples/C++/DDS/HelloWorldExampleTCP/{README.txt => README.md} (52%) create mode 100644 examples/C++/DDS/HelloWorldExampleTCP/ca.cnf delete mode 100644 examples/C++/DDS/HelloWorldExampleTCP/ca.pem create mode 100644 examples/C++/DDS/HelloWorldExampleTCP/cacert.pem create mode 100644 examples/C++/DDS/HelloWorldExampleTCP/cacert.srl create mode 100644 examples/C++/DDS/HelloWorldExampleTCP/cakey.pem create mode 100644 examples/C++/DDS/HelloWorldExampleTCP/server.cnf create mode 100644 examples/C++/DDS/HelloWorldExampleTCP/server.csr delete mode 100644 examples/C++/DDS/HelloWorldExampleTCP/server.pem create mode 100644 examples/C++/DDS/HelloWorldExampleTCP/servercert.pem create mode 100644 examples/C++/DDS/HelloWorldExampleTCP/serverkey.pem diff --git a/examples/C++/DDS/HelloWorldExampleTCP/CMakeLists.txt b/examples/C++/DDS/HelloWorldExampleTCP/CMakeLists.txt index 4aff8b516fb..18b4e77af2e 100644 --- a/examples/C++/DDS/HelloWorldExampleTCP/CMakeLists.txt 
+++ b/examples/C++/DDS/HelloWorldExampleTCP/CMakeLists.txt @@ -51,9 +51,9 @@ file(GLOB DDS_TCP_HELLOWORLD_EXAMPLE_SOURCES_CPP "*.cpp") configure_file("HelloWorldSubscriber.xml" "HelloWorldSubscriber.xml" COPYONLY) configure_file("HelloWorldPublisher.xml" "HelloWorldPublisher.xml" COPYONLY) configure_file("dh2048.pem" "dh2048.pem" COPYONLY) -configure_file("server.pem" "server.pem" COPYONLY) -configure_file("ca.pem" "ca.pem" COPYONLY) - +configure_file("serverkey.pem" "serverkey.pem" COPYONLY) +configure_file("servercert.pem" "servercert.pem" COPYONLY) +configure_file("cacert.pem" "cacert.pem" COPYONLY) add_executable(DDSHelloWorldExampleTCP ${DDS_TCP_HELLOWORLD_EXAMPLE_SOURCES_CXX} ${DDS_TCP_HELLOWORLD_EXAMPLE_SOURCES_CPP}) target_compile_definitions(DDSHelloWorldExampleTCP PRIVATE diff --git a/examples/C++/DDS/HelloWorldExampleTCP/HelloWorldPublisher.cpp b/examples/C++/DDS/HelloWorldExampleTCP/HelloWorldPublisher.cpp index 48f17b4174c..cefef7f5f3f 100644 --- a/examples/C++/DDS/HelloWorldExampleTCP/HelloWorldPublisher.cpp +++ b/examples/C++/DDS/HelloWorldExampleTCP/HelloWorldPublisher.cpp @@ -68,8 +68,8 @@ bool HelloWorldPublisher::init( using TLSOptions = TCPTransportDescriptor::TLSConfig::TLSOptions; descriptor->apply_security = true; descriptor->tls_config.password = "test"; - descriptor->tls_config.cert_chain_file = "server.pem"; - descriptor->tls_config.private_key_file = "server.pem"; + descriptor->tls_config.cert_chain_file = "servercert.pem"; + descriptor->tls_config.private_key_file = "serverkey.pem"; descriptor->tls_config.tmp_dh_file = "dh2048.pem"; descriptor->tls_config.add_option(TLSOptions::DEFAULT_WORKAROUNDS); descriptor->tls_config.add_option(TLSOptions::SINGLE_DH_USE); diff --git a/examples/C++/DDS/HelloWorldExampleTCP/HelloWorldSubscriber.cpp b/examples/C++/DDS/HelloWorldExampleTCP/HelloWorldSubscriber.cpp index aa853b6b600..8776ef85a11 100644 --- a/examples/C++/DDS/HelloWorldExampleTCP/HelloWorldSubscriber.cpp 
+++ b/examples/C++/DDS/HelloWorldExampleTCP/HelloWorldSubscriber.cpp @@ -82,8 +82,7 @@ bool HelloWorldSubscriber::init( using TLSVerifyMode = TCPTransportDescriptor::TLSConfig::TLSVerifyMode; using TLSOptions = TCPTransportDescriptor::TLSConfig::TLSOptions; descriptor->apply_security = true; - descriptor->tls_config.password = "test"; - descriptor->tls_config.verify_file = "ca.pem"; + descriptor->tls_config.verify_file = "cacert.pem"; descriptor->tls_config.verify_mode = TLSVerifyMode::VERIFY_PEER; descriptor->tls_config.add_option(TLSOptions::DEFAULT_WORKAROUNDS); } diff --git a/examples/C++/DDS/HelloWorldExampleTCP/README.txt b/examples/C++/DDS/HelloWorldExampleTCP/README.md similarity index 52% rename from examples/C++/DDS/HelloWorldExampleTCP/README.txt rename to examples/C++/DDS/HelloWorldExampleTCP/README.md index bb6b9dea569..881ae39c3d0 100644 --- a/examples/C++/DDS/HelloWorldExampleTCP/README.txt +++ b/examples/C++/DDS/HelloWorldExampleTCP/README.md @@ -1,13 +1,21 @@ +# TCP HELLO WORLD + +## How to run it + To launch this test open two different consoles: In the first one launch: ./DDSHelloWorldExampleTCP publisher (or DDSHelloWorldExampleTCP.exe publisher on windows). In the second one: ./DDSHelloWorldExampleTCP subscriber (or DDSHelloWorldExampleTCP.exe subscriber on windows). - This example includes additional options to show the capabilities of the TCP Transport on Fast DDS, such as WAN and TLS. In this example the publisher will work as a TCP server and the subscriber as a TCP client. +## Arguments + +First argument is `publisher` or `subscriber` and then the rest of arguments are read unordered + +```sh Usage: DDSHelloWorldExampleTCP General options: @@ -26,19 +34,32 @@ Subscriber options: -a
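Review bot: With `verify_mode = TLSVerifyMode::VERIFY_PEER` and `verify_file = "cacert.pem"` the subscriber now rejects any server certificate that does not chain to the bundled CA, which is the right default, but the bundled servercert.pem was issued with `-days 1000` (README hunk in this commit), so the example will start failing the handshake once it expires with nothing in the code pointing at the cause. A comment next to the verify_file line would save that debugging session: `// cacert.pem/servercert.pem are throw-away test credentials; regenerate them with the openssl commands in README.md when they expire`. Dropping the password line here is correct as far as the hunk shows, since the subscriber loads no private key.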
, --address=
IP Address of the publisher (Default: 127.0.0.1). -p , --port= Physical Port where the publisher is listening for connections (Default: 5100). +``` +## WAN Example -WAN Example: +```sh +# Public WAN address and port of this host (port must be open in router) +DDSHelloWorldExampleTCP publisher -a 80.88.150.120 -p 5500 -DDSHelloWorldExampleTCP publisher -a -p -DDSHelloWorldExampleTCP subscriber -a -p +# Public WAN address and port of the publisher +DDSHelloWorldExampleTCP subscriber -a 80.88.150.120 -p 5500 +``` - For example: - DDSHelloWorldExampleTCP publisher -a 80.88.150.120 -p 5500 - DDSHelloWorldExampleTCP subscriber -a 80.88.150.120 -p 5500 +## TLS Example +```sh +# Generate CA certificate +openssl ecparam -name prime256v1 -genkey | openssl ec -aes256 -out cakey.pem -passout pass:cakey # Generate CA private key +openssl req -new -x509 -sha256 -key cakey.pem -out cacert.pem -days 3650 -config ca.cnf -passin pass:cakey # Generate CA certificate -TLS Example: +# Generate server certificate +openssl ecparam -name prime256v1 -genkey | openssl ec -aes256 -out serverkey.pem -passout pass:test # Generate server private key +openssl req -new -sha256 -key serverkey.pem -out server.csr -config server.cnf -passin pass:test # Generate server certificate request +openssl x509 -req -in server.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out servercert.pem -days 1000 -sha256 -passin pass:cakey # Generate signed server certiticate +openssl dhparam -out dh2048.pem 2048 # Generate Diffie-Hellman parameters +# Launch in localhost DDSHelloWorldExampleTCP publisher -t DDSHelloWorldExampleTCP subscriber -t +``` diff --git a/examples/C++/DDS/HelloWorldExampleTCP/ca.cnf b/examples/C++/DDS/HelloWorldExampleTCP/ca.cnf new file mode 100644 index 00000000000..9126e71cefc --- /dev/null +++ b/examples/C++/DDS/HelloWorldExampleTCP/ca.cnf 
@@ -0,0 +1,14 @@
+# Configuration file for CA request
+
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+countryName = ES
+stateOrProvinceName = MA
+localityName = Madrid
+organizationName = eProsima
+organizationalUnitName = eProsima
+commonName = HelloWorldExampleTCP
+emailAddress = ca@eprosima.com
diff --git a/examples/C++/DDS/HelloWorldExampleTCP/ca.pem b/examples/C++/DDS/HelloWorldExampleTCP/ca.pem
deleted file mode 100644
index 1ee5f2ca43b..00000000000
--- a/examples/C++/DDS/HelloWorldExampleTCP/ca.pem
+++ /dev/null
@@ -1,49 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDlzCCAn+gAwIBAgIJAMJYU3U6A0IRMA0GCSqGSIb3DQEBBQUAMDsxCzAJBgNV -BAYTAkFVMQwwCgYDVQQIEwNOU1cxDzANBgNVBAcTBlN5ZG5leTENMAsGA1UEChME -YXNpbzAeFw0xNTExMTgyMjMzNDhaFw0yMDExMTYyMjMzNDhaMDsxCzAJBgNVBAYT -AkFVMQwwCgYDVQQIEwNOU1cxDzANBgNVBAcTBlN5ZG5leTENMAsGA1UEChMEYXNp -bzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcRJocHdVMdLUJ/pypY -QVSTC0t3IIgjwjazrK3kAaoIMvzPmDFxEXWcDx+nyz8kQ/E38Ir/ef2BCNGci5hu -wkfMSuMoW9l2N4hx3QCcF46tTDEZztFxWAH7QbE2wYMlMgKZSxWimNfq0YjxEEXb -QM0lGPLFh7Xoko29H0F3LKaaQV9u/vop3Hs0h12HeWlY4PiLp7QQTNGqbWcXycA0 -NZ/fyismireyEvPAgo6L8iXuAi7g0TVKVNlrticGGjMcMq6IMvxzEpSMkuMQ5rWj -pZjWOoBjSYBuXdblcBRvXhOr2Ws8jJLMZfehKq9q1reQfoGV6xMnbwmumSXbWRWT -0vkCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUK/Zv/AVtfIeucJw8VEtux1dhI1YwawYD -VR0jBGQwYoAUK/Zv/AVtfIeucJw8VEtux1dhI1ahP6Q9MDsxCzAJBgNVBAYTAkFV -MQwwCgYDVQQIEwNOU1cxDzANBgNVBAcTBlN5ZG5leTENMAsGA1UEChMEYXNpb4IJ -AMJYU3U6A0IRMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBABLYXimq -v/HLyIJi7Xn8AJUsICj8LKF/J24nwwiF+ibf7UkoChJURs4nN78bod/lpDVPTEVl -gTBdV/vBJs416sCEFfsGjqB9OBYj4gb0VaJDsQd0+NMvXp0faKv2y9wgScxG9/cg -aM7eRmyfMn1qjb6tpNxVOPpe/nFi8Vx/1orejBRaZr4zF5TkoPepfwLWQeXDUIdE -+QHZ60jZAkR5RXTVU4u3kOKcJs839pmJYyxM4H2VxpR18vy4/YdIVWkREIUM2OgT -5iznIQIIgR56QRGP85uef+I6n0BHzrBk6du69bkQFxrFjLVGlal4bIQqSg4KGWgx -dEdymMWzmMxpO9s= ------END CERTIFICATE----- ------BEGIN RSA PRIVATE KEY----- -MIIEpgIBAAKCAQEAxxEmhwd1Ux0tQn+nKlhBVJMLS3cgiCPCNrOsreQBqggy/M+Y -MXERdZwPH6fLPyRD8Tfwiv95/YEI0ZyLmG7CR8xK4yhb2XY3iHHdAJwXjq1MMRnO -0XFYAftBsTbBgyUyAplLFaKY1+rRiPEQRdtAzSUY8sWHteiSjb0fQXcspppBX27+ -+incezSHXYd5aVjg+IuntBBM0aptZxfJwDQ1n9/KKyaKt7IS88CCjovyJe4CLuDR -NUpU2Wu2JwYaMxwyrogy/HMSlIyS4xDmtaOlmNY6gGNJgG5d1uVwFG9eE6vZazyM -ksxl96Eqr2rWt5B+gZXrEydvCa6ZJdtZFZPS+QIDAQABAoIBAQCOma+SvPoDzvvU -DiPOxqgOEMPfjHfGbm86xl0luBalGfiEd6WbjVanfGKtF4MWOUFec+chez+FJMEP -fufVC0qrKiJfNVMOpYvEd2SMgkSx1VymM8me6WXVDYsSipn2+1cm228ZEYAR9Emj -oqQ4loaGLlP/3RaJbhBF7ruMJvXaZZQ4fZy74Z4tyRaaE1B659ua7Rjne7eNhQE8 
-cR7cQDkxsNNN3LTbfLRwEc/gcDXWgLe5JlR/K4ZrdKc3lyivm+Uew3ubKs+fgkyY -kHmuI3RJGIjpnsZW0/So+pHm3b/fo6lmlhTXtNNd+tkkKn2K9ttbXT3Sc13Pc+4w -c4MLyUpdAoGBAOxTtGDpeF6U4s+GPuOCzHCwKQyzfOyCL/UTZv1UJX7Kn1FYycJH -eOjtBRtS661cGkGd1MPfjdX2VV84AmBGDUmRqJ2KfTI1NjLAEJ115ANTpmSTm3lF -UYncgbzl6aflLpjE1mgY+JTJykYeN5jhhO0r2bsdY7S+zaMCSI5NLuznAoGBANej -aMtqLg2qKoq+fUkNBHHLXelR5dBXFnKgSrTj++H4yeW9pYbl8bK3gTF3I5+dSjHW -DdC4+X09iPqY7p8vm8Gq/vgO8Bu+EnKNVr80PJSj7AzFGd6mk/CVrAzoY2XJWbAp -YFwpo1WfHjS5wBfQzBlXY7kWVB7fj32kk14PYmUfAoGBAJXfd7NGHPoOfdCSGGv8 -VV7ZuQ6+/WiYH4XS6iuaI7VHFsZmAn3dCcbeGbD8Y04r7NLUH0yhB7g7YmTihk87 -3c1cPIy8eS1QJbEFsQPK8fFSKWH7YkwEM/O0DesX+5hodaaYnkiiHXNujYLuQuAH -lV87wfcyajsEDjFkj1L/i9TdAoGBAKYfRUQv8HqmdU+doHb+iEYCHb75UMpHzQtR -YTwpxoo3V5Kdnz9lNeYwaF7rIY59ZgMunEYHumw5U6V625nW228/hF0lZOR6cUu+ -hu2WGHWKMvdDgMJ+IcpeA8WN4cUwcN+9gHZ/vUzg4CxOTSYLvLBpGnIkOXnvUGPC -vaTgxTSRAoGBAOHcuZ9hcUrPuVI1HVkjQQLu5mLZ3tz6linEbe/RCdJMK8JrRX4w -ubB7gFclMYGbLlDNAJVYkydJaCy/2NAI3rfsOda+VmDqGx6z4BbSGceHhomyU1Oo -1H7YaXsuzDkzl23HRsyp0pKJpTdghZdbVsGF8vAB8ygK3ehM233neSln ------END RSA PRIVATE KEY----- diff --git a/examples/C++/DDS/HelloWorldExampleTCP/cacert.pem b/examples/C++/DDS/HelloWorldExampleTCP/cacert.pem new file mode 100644 index 00000000000..1c4e7ba7b7e --- /dev/null +++ b/examples/C++/DDS/HelloWorldExampleTCP/cacert.pem 
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICHDCCAcMCFFq98e6WB07/LRzoPiRhKKhb/7MEMAoGCCqGSM49BAMCMIGQMQsw
+CQYDVQQGEwJFUzELMAkGA1UECAwCTUExDzANBgNVBAcMBk1hZHJpZDERMA8GA1UE
+CgwIZVByb3NpbWExETAPBgNVBAsMCGVQcm9zaW1hMR0wGwYDVQQDDBRIZWxsb1dv
+cmxkRXhhbXBsZVRDUDEeMBwGCSqGSIb3DQEJARYPY2FAZXByb3NpbWEuY29tMB4X
+DTIxMDkwMjA5MTc0NVoXDTMxMDgzMTA5MTc0NVowgZAxCzAJBgNVBAYTAkVTMQsw
+CQYDVQQIDAJNQTEPMA0GA1UEBwwGTWFkcmlkMREwDwYDVQQKDAhlUHJvc2ltYTER
+MA8GA1UECwwIZVByb3NpbWExHTAbBgNVBAMMFEhlbGxvV29ybGRFeGFtcGxlVENQ
+MR4wHAYJKoZIhvcNAQkBFg9jYUBlcHJvc2ltYS5jb20wWTATBgcqhkjOPQIBBggq
+hkjOPQMBBwNCAARFyDEGg6TqrVzusJNcKuUNjEGExpSJbI6FHdBUZNN341OTKaB0
+RB2+ecUlau/SQl8IWGyMLqY67SXXFuaxXFiaMAoGCCqGSM49BAMCA0cAMEQCIEEm
+nhtnxFYZZGME0n0TXMQ//l7YKAxNqwB+SEVtCFtUAiAutaLfgULUHXNVWGrwdSBv
+U2UfxqP9GlUn8j2d9wKINA==
+-----END CERTIFICATE-----
diff --git a/examples/C++/DDS/HelloWorldExampleTCP/cacert.srl b/examples/C++/DDS/HelloWorldExampleTCP/cacert.srl
new file mode 100644
index 00000000000..05174b1fee2
--- /dev/null
+++ b/examples/C++/DDS/HelloWorldExampleTCP/cacert.srl
@@ -0,0 +1 @@
+68A89E556EDA2C2E2F39D8D3ABA444472A752A82
diff --git a/examples/C++/DDS/HelloWorldExampleTCP/cakey.pem b/examples/C++/DDS/HelloWorldExampleTCP/cakey.pem
new file mode 100644
index 00000000000..790d9a1e722
--- /dev/null
+++ b/examples/C++/DDS/HelloWorldExampleTCP/cakey.pem
@@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,4F7DF4A082727997AA40B6EFF455C2D8
+
+8+TN9DOTv43cAT0a1kItggowBeb5iR2wFnkDlus82Lw2FsQjeROreee/hehYgEKA
+9jY38PBjM9Qnf5TxfnDLfv3V1lUdWvvMDZoaawnFfq5tAR2pAhG0TMMgq/NCLN8n
+QRMg9M6o6nwUsWjXt+rDw8N529ygRCdiCGWefBjzgo0=
+-----END EC PRIVATE KEY-----
diff --git a/examples/C++/DDS/HelloWorldExampleTCP/dh2048.pem b/examples/C++/DDS/HelloWorldExampleTCP/dh2048.pem
index 07250cca62f..36606933cdb 100644
--- a/examples/C++/DDS/HelloWorldExampleTCP/dh2048.pem
+++ b/examples/C++/DDS/HelloWorldExampleTCP/dh2048.pem
@@ -1,8 +1,8 @@
 -----BEGIN DH PARAMETERS-----
-MIIBCAKCAQEAyNnxZSYc6J89mDNnqOH8bnwBiAJxcaUS3PkIEcwW8D9o2BlNq6EO
-XKMIbdfwPFZi80GMpNu3YP2A2B42sAHmb7w7ZA92QDv3JjqzR0QuS/CkMv4CEjha
-QBFwBDDWnnHBSj4w/t54ii0SH34mWcjBItI2eMtnM9J6fnvNiWqJxdt4iA4mZjZD
-qZTjIRyjgKAevzkqAlBqQRoVUUgu+9Cf29wXjVl3bE+0VU5CdFeyT+Y9yunz88mq
-rGyx1uPt+zbIfxuNLH+coY67y1ht7iZEL5WLd3wGCycRT+lYy2AL/rxGBPxStFIT
-2bOkQao6sAfb4UdGEUlwHUXZrAV51oM30wIBAg==
+MIIBCAKCAQEAzKWNcIHi8oJ5656EvNkHVkYFnIO2ZT6ecvEo41Eve83zQVvwsSOC
+QdSS90K7kSVAvpN3S1HNuG1+CaW4CnLNXahPxtRF/vqeUx/mm5E1yvfMnTC2v5EQ
+2kLnji1P0hYtYpEqki+qOyt4NqkRp303/6nonvSudZGe95RkJcLoQZTKR6hcemS4
+sb2wY/HJ3SlZemk0S0N+UQxiHZVR+IqTuaEk2eOH+HjzQtkcei29xrDOQIHGIrM/
+ZdJ/vsa2TFtTilGj6Qa/o/nrQxz9JkV370UDmCZffrY7NNbIc6BUZ3zLtZsLcVDg
+ibDsASO89bSdi1K3C2GoWq/5Jb5+lwsZWwIBAg==
 -----END DH PARAMETERS-----
diff --git a/examples/C++/DDS/HelloWorldExampleTCP/server.cnf b/examples/C++/DDS/HelloWorldExampleTCP/server.cnf
new file mode 100644
index 00000000000..27b8796e995
--- /dev/null
+++ b/examples/C++/DDS/HelloWorldExampleTCP/server.cnf
@@ -0,0 +1,14 @@
+# Configuration file for CA request
+
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+countryName = ES
+stateOrProvinceName = MA
+localityName = Madrid
+organizationName = eProsima
+organizationalUnitName = eProsima
+commonName = HelloWorldExampleTCP
+emailAddress = server@eprosima.com
diff --git a/examples/C++/DDS/HelloWorldExampleTCP/server.csr b/examples/C++/DDS/HelloWorldExampleTCP/server.csr
new file mode 100644
index 00000000000..6511f6d5540
--- /dev/null
+++ b/examples/C++/DDS/HelloWorldExampleTCP/server.csr
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBUTCB9wIBADCBlDELMAkGA1UEBhMCRVMxCzAJBgNVBAgMAk1BMQ8wDQYDVQQH
+DAZNYWRyaWQxETAPBgNVBAoMCGVQcm9zaW1hMREwDwYDVQQLDAhlUHJvc2ltYTEd
+MBsGA1UEAwwUSGVsbG9Xb3JsZEV4YW1wbGVUQ1AxIjAgBgkqhkiG9w0BCQEWE3Nl
+cnZlckBlcHJvc2ltYS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATDsPIt
+BSj/9N+DjujflOxl9AnDWyFEgHnRl2EkcypoFKGnZ19IhUv4c5Cj93VuerI5z7Lp
+/RiyzUmcCFzdT86coAAwCgYIKoZIzj0EAwIDSQAwRgIhAOQ6ceJsMp+xBsvHw08o
+FMTNXmKc9D/rSIqzQkc+FNQ4AiEAsooXFk29SwGbPtuttiN+jUIR1CsD4shhe611
++caIn8I=
+-----END CERTIFICATE REQUEST-----
diff --git a/examples/C++/DDS/HelloWorldExampleTCP/server.pem b/examples/C++/DDS/HelloWorldExampleTCP/server.pem
deleted file mode 100644
index 37ea6e26715..00000000000
--- a/examples/C++/DDS/HelloWorldExampleTCP/server.pem
+++ /dev/null
@@ -1,71 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDAzCCAesCCQD9QcRiWk0y9TANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJB -VTEMMAoGA1UECBMDTlNXMQ8wDQYDVQQHEwZTeWRuZXkxDTALBgNVBAoTBGFzaW8w -HhcNMTUxMTE4MjIzNzMxWhcNMjAxMTE2MjIzNzMxWjBMMQswCQYDVQQGEwJBVTEM -MAoGA1UECBMDTlNXMQ8wDQYDVQQHEwZTeWRuZXkxDTALBgNVBAoTBGFzaW8xDzAN -BgNVBAsTBnNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALr0 -+NXSklsGJR7HYHP/H4V5+KpYrmFKva/K7iiqi+XyWEjGnj+/iImJW26phhg9GouN -JJxdrP7/0LwpMsEC/9v09dMNAEewtYhPgD4kiUH/E/79wVmayMZZZGrpF9Rw+wWv -q58y3L1wKge3qilX6slVDdNhqU3vBiMKEJfsjE4PKcEVjPCjVJG2562eHK9FxyjQ -DykyH61lQKBQOiElilPQKzAO7U36yTvs+chWuUfK47B8EC+PJ5KcLEppli4ljlwE -w01HnGxwvjDLobKm2jL6CWi3aYGWudyTsNAd7YC5C7psktBypQLBcfp7uUrrR5Bb -PEjFHJUWIlyoYvm2OjMCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAtceVW6tixFsB -ZRhjL5aRCcbx2iMwEXd54lcP6BWe1qOcDPHoSYI1zvvGzohbEvBfqUv78S9MtzaT -gMe5rIU9M1ZM09PyaM6ZutGpKHE8L4qcOslTt41GQFsSqPFdcbgSV20MvBzjGayR -AI/WV0avW3oasdetJPZCR7bRbCbMbWTgclUfv5F25ENcR+BhNuilfL15owL0s4sS -Wb4jOOHhXV9iXeS2dH0snFqv4BmQ9ZoA7zbM9lG3EU5DuxHESYkCnzJyEqqY3vWv -PFRViCxLp5LQLmkTQ3dglVQA4x6ZaonaewdPtdhjkLUuIqDvQx5+kIaOELbSws+c -bREYlnGrFw== ------END CERTIFICATE----- ------BEGIN RSA PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: AES-256-CBC,D459676347D389E9135496D8AAFA7953 - -wbrjxr9NHur8kgxDsgXOY9qFGKpONIQLxkuahUrDD/H+s/l7ugsLWOPsOXbjNL/7 -QYUBAx85HKm9D8BQ5g78Y82qfArap3/3IIuysDfQDh4fQodhVtmGTFiCOvudlGEp -lq1niQRLThlxeRoFphH8KKiOTO9a/d8tdL7zRmiFwnVnhK4014mgVmgcSefA1AF5 -RbJAeMclUKddG6ltQK00ptg84CDXiMWQXFBGGmQ1av2lyFzC+xLP+qDqZAYTM9lZ -NFRo2oEZP1ozfOVNSbXTanJgZ0DSSmhGE1PcVrHSeE/v+k1kPh3oVKi9GV51kIDC -Zd9f/XltuDOzy1Ybn6gRy4nzNpzcwjSCIHEdSD5nxU5JfHfQ3OtnsEab7qf989iP -s2LbCSp5uGTMvfesMIkixIZAQp2FeahZTAgU2Vx+wi5Kks68rOqeywEfzACL/Um5 -7XZu8gDs4MgRRWnxK1BbJDPifICLvSJZvgB9FKX/hk4FHFF+MtcrkalehCuLooDV -3rfHNvRSbg7J97XQ3QC+k9ZDaumpy6n+LhaVv7BIJRBnBBtZ5Eg3DmPg6flqaHAU -Y/8d82wb/pCmbvR3B1/Ebgs84DPJ+uZnY9M5Iwx19oqlVSR2ts/Tx619LGAm+BiQ -7YDoC4CFmpAA8Uw0xnUbNgx94NdNmlnLeLtS50b0XlWpHKbVzmVbNYEjY6NHMlLt 
-aqxWHTYTa7g/c1bg2/nxF1Lbfu5VSTROGBUuer1c3yzVuyBrjcX92Jp4BJH78qOp -N6lY6MnH4HYRXHjzlt/S0ZzO0faPPe18Q8SWvnDVuE3fYzzL772B56d2t8eodc+/ -t6M3qJ60eXdsmgYOaPRLRUovN2xT2UUr0+biuguHyqfaVfcEU/adw+b9oUVE+5Nw -nZHI5qhPnhLxChyZqbBl68zMUyKlfff4OyLvRGpfcHwBw6DTGjduB+DDsqqkcIB9 -2VL6nps7ZVCwMPI18siUd6cttEOf6ZXrVqHg9wfDvJOlh2NNKNLxSAFubHc90Jlj -KejrWenXo2w6YkSUeTV4t4cWu7U8rXIkTJXDl1S6NO8DWqNDo5KjgJ2SK5NlSOJ7 -jgECn390ooneJOxxytPVQO2xppXQZZS65RHrvhB+ss5xUknly9q+ICyt6xTR9nqA -PKkeSE6qVY0J4JgFXpkgQxgwMnjSED3LKr3jlz28pr5cC6tsc5SSlekHjT2fcSrX -uccaVahaJRigf+q+4XzmJtdwbZU+YWGZRVMlQLA5yzPHQHDYkPpOeYU4WReND8S4 -TZRkPHaxOZ2lKQwJB93V8Vbt2MvwRy392452a33S4TcQLaWzoOljXjmZjrp2rvRz -prBaNe8LnO4V8Oliv+H+E0UWiWFDuI+HBy4X4O9plsbw/gk64Phl9qLiBwaX/AIR -66FXvC/czABo9oSt2jekcMtJofYr8Gr2bsJlt5ZX+GEOxz4jMv7xvz5/L3W7jVav -pHGIv4xfN9FrXzL47O7UuUF9xZg4Rp/fxwpgEDNZmX/3DnP0ewZQUcgUX0pdqNGQ -YVqJXcRF7KqG2NSQFuwPESZQnxU0WzSgRyUae7xg1WKfSuN8NVAzKhOgeqlD2IAo ------END RSA PRIVATE KEY----- ------BEGIN CERTIFICATE----- -MIIDlzCCAn+gAwIBAgIJAMJYU3U6A0IRMA0GCSqGSIb3DQEBBQUAMDsxCzAJBgNV -BAYTAkFVMQwwCgYDVQQIEwNOU1cxDzANBgNVBAcTBlN5ZG5leTENMAsGA1UEChME -YXNpbzAeFw0xNTExMTgyMjMzNDhaFw0yMDExMTYyMjMzNDhaMDsxCzAJBgNVBAYT -AkFVMQwwCgYDVQQIEwNOU1cxDzANBgNVBAcTBlN5ZG5leTENMAsGA1UEChMEYXNp -bzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcRJocHdVMdLUJ/pypY -QVSTC0t3IIgjwjazrK3kAaoIMvzPmDFxEXWcDx+nyz8kQ/E38Ir/ef2BCNGci5hu -wkfMSuMoW9l2N4hx3QCcF46tTDEZztFxWAH7QbE2wYMlMgKZSxWimNfq0YjxEEXb -QM0lGPLFh7Xoko29H0F3LKaaQV9u/vop3Hs0h12HeWlY4PiLp7QQTNGqbWcXycA0 -NZ/fyismireyEvPAgo6L8iXuAi7g0TVKVNlrticGGjMcMq6IMvxzEpSMkuMQ5rWj -pZjWOoBjSYBuXdblcBRvXhOr2Ws8jJLMZfehKq9q1reQfoGV6xMnbwmumSXbWRWT -0vkCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUK/Zv/AVtfIeucJw8VEtux1dhI1YwawYD -VR0jBGQwYoAUK/Zv/AVtfIeucJw8VEtux1dhI1ahP6Q9MDsxCzAJBgNVBAYTAkFV -MQwwCgYDVQQIEwNOU1cxDzANBgNVBAcTBlN5ZG5leTENMAsGA1UEChMEYXNpb4IJ -AMJYU3U6A0IRMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBABLYXimq -v/HLyIJi7Xn8AJUsICj8LKF/J24nwwiF+ibf7UkoChJURs4nN78bod/lpDVPTEVl 
-gTBdV/vBJs416sCEFfsGjqB9OBYj4gb0VaJDsQd0+NMvXp0faKv2y9wgScxG9/cg
-aM7eRmyfMn1qjb6tpNxVOPpe/nFi8Vx/1orejBRaZr4zF5TkoPepfwLWQeXDUIdE
-+QHZ60jZAkR5RXTVU4u3kOKcJs839pmJYyxM4H2VxpR18vy4/YdIVWkREIUM2OgT
-5iznIQIIgR56QRGP85uef+I6n0BHzrBk6du69bkQFxrFjLVGlal4bIQqSg4KGWgx
-dEdymMWzmMxpO9s=
------END CERTIFICATE-----
diff --git a/examples/C++/DDS/HelloWorldExampleTCP/servercert.pem b/examples/C++/DDS/HelloWorldExampleTCP/servercert.pem
new file mode 100644
index 00000000000..fdca100b6a8
--- /dev/null
+++ b/examples/C++/DDS/HelloWorldExampleTCP/servercert.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICIjCCAccCFGionlVu2iwuLznY06ukREcqdSqCMAoGCCqGSM49BAMCMIGQMQsw
+CQYDVQQGEwJFUzELMAkGA1UECAwCTUExDzANBgNVBAcMBk1hZHJpZDERMA8GA1UE
+CgwIZVByb3NpbWExETAPBgNVBAsMCGVQcm9zaW1hMR0wGwYDVQQDDBRIZWxsb1dv
+cmxkRXhhbXBsZVRDUDEeMBwGCSqGSIb3DQEJARYPY2FAZXByb3NpbWEuY29tMB4X
+DTIxMDkwMjA5MTc1NloXDTI0MDUyOTA5MTc1NlowgZQxCzAJBgNVBAYTAkVTMQsw
+CQYDVQQIDAJNQTEPMA0GA1UEBwwGTWFkcmlkMREwDwYDVQQKDAhlUHJvc2ltYTER
+MA8GA1UECwwIZVByb3NpbWExHTAbBgNVBAMMFEhlbGxvV29ybGRFeGFtcGxlVENQ
+MSIwIAYJKoZIhvcNAQkBFhNzZXJ2ZXJAZXByb3NpbWEuY29tMFkwEwYHKoZIzj0C
+AQYIKoZIzj0DAQcDQgAEw7DyLQUo//Tfg47o35TsZfQJw1shRIB50ZdhJHMqaBSh
+p2dfSIVL+HOQo/d1bnqyOc+y6f0Yss1JnAhc3U/OnDAKBggqhkjOPQQDAgNJADBG
+AiEAwDUUC7juRZ3u+GmfSN4dSFoMmIQOZ6NKsC8jl5cRSzkCIQD9XHHlpcPs9gal
+CfGdVJAAK6nhnos2PvDNx2ukMv6Tyg==
+-----END CERTIFICATE-----
diff --git a/examples/C++/DDS/HelloWorldExampleTCP/serverkey.pem b/examples/C++/DDS/HelloWorldExampleTCP/serverkey.pem
new file mode 100644
index 00000000000..2811cf94c54
--- /dev/null
+++ b/examples/C++/DDS/HelloWorldExampleTCP/serverkey.pem
@@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,2AEC6E52327BCB608545A7F1AD7AE4EC
+
+dk8uVghPw/DYIcckr52+Vid5jR2aEooV3ZCpL/kX7gbFu+g2E+Z8q8hvwNYxQOuC
+DY8jokqqqYT7oaWUQ+q5ZnUKg9aqhNObetVsG4Iel6F0lB3d7YZNynA5brKFm40v
+BFLLaXMo4sz5hWBwftJSZqYeXBZX7H7ZsX+HvgIvHm4=
+-----END EC PRIVATE KEY-----
diff --git a/src/cpp/rtps/transport/TCPTransportInterface.cpp b/src/cpp/rtps/transport/TCPTransportInterface.cpp
index d325905c2b5..31eb7970cf5 100644
--- a/src/cpp/rtps/transport/TCPTransportInterface.cpp
+++ b/src/cpp/rtps/transport/TCPTransportInterface.cpp
@@ -348,7 +348,12 @@ bool TCPTransportInterface::DoInputLocatorsMatch(
 bool TCPTransportInterface::init()
 {
- apply_tls_config();
+ if (!apply_tls_config())
+ {
+ // TODO decide wether the Transport initialization should keep working after this error
+ logWarning(TLS, "Error configuring TLS, using TCP transport without security");
+ }
+
 if (configuration()->sendBufferSize == 0 || configuration()->receiveBufferSize == 0)
 {
 // Check system buffer sizes.
@@ -1492,7 +1497,7 @@ void TCPTransportInterface::shutdown()
 {
 }
-void TCPTransportInterface::apply_tls_config()
+bool TCPTransportInterface::apply_tls_config()
 {
 #if TLS_FOUND
 const TCPTransportDescriptor* descriptor = configuration();
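Review bot: On apply_tls_config() failure the new branch in init() only logs a warning and carries on, so a transport whose descriptor set apply_security keeps initialising with an ssl_context_ that apply_tls_config() left partially configured; for a security setting that is the fail-open direction. Unless the TODO is resolved the other way, return early when security was requested, e.g. `if (configuration()->apply_security) { return false; }` right after the logWarning, and spell `wether` as `whether`. The message "using TCP transport without security" is also doubtful: nothing in the hunk clears apply_security, so later connections presumably still attempt a TLS handshake with the incomplete context rather than falling back to plain TCP — confirm against the connection code. init()'s body continues outside the hunk.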
@@ -1513,22 +1518,54 @@ void TCPTransportInterface::apply_tls_config()
 if (!config->verify_file.empty())
 {
- ssl_context_.load_verify_file(config->verify_file);
+ try
+ {
+ ssl_context_.load_verify_file(config->verify_file);
+ }
+ catch(const std::exception& e)
+ {
+ logError(TLS, "Error configuring TLS trusted CA certificate: " << e.what());
+ return false; // TODO check wether this should skip the rest of the configuration
+ }
 }
 if (!config->cert_chain_file.empty())
 {
- ssl_context_.use_certificate_chain_file(config->cert_chain_file);
+ try
+ {
+ ssl_context_.use_certificate_chain_file(config->cert_chain_file);
+ }
+ catch(const std::exception& e)
+ {
+ logError(TLS, "Error configuring TLS certificate: " << e.what());
+ return false; // TODO check wether this should skip the rest of the configuration
+ }
 }
 if (!config->private_key_file.empty())
 {
- ssl_context_.use_private_key_file(config->private_key_file, ssl::context::pem);
+ try
+ {
+ ssl_context_.use_private_key_file(config->private_key_file, ssl::context::pem);
+ }
+ catch(const std::exception& e)
+ {
+ logError(TLS, "Error configuring TLS private key: " << e.what());
+ return false; // TODO check wether this should skip the rest of the configuration
+ }
 }
 if (!config->tmp_dh_file.empty())
 {
- ssl_context_.use_tmp_dh_file(config->tmp_dh_file);
+ try
+ {
+ ssl_context_.use_tmp_dh_file(config->tmp_dh_file);
+ }
+ catch(const std::exception& e)
+ {
+ logError(TLS, "Error configuring TLS dh params: " << e.what());
+ return false; // TODO check wether this should skip the rest of the configuration
+ }
 }
 if (!config->verify_paths.empty())
@@ -1572,6 +1609,10 @@ void TCPTransportInterface::apply_tls_config()
 {
 options |= ssl::context::no_sslv2;
 }
+ else
+ {
+ logWarning(TLS, "Allowing SSL 2.0. This version has known vulnerabilities.");
+ }
 if (config->get_option(TLSOptions::NO_SSLV3))
 {
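Review bot: Each new catch block returns false immediately, so ssl_context_ is left holding whatever the earlier calls already loaded (for instance a trusted CA but no certificate or key) and the caller cannot tell which step failed or whether the context is usable; the four identical `// TODO check wether ...` comments ask the same question and should be answered once for all of them (abort here and have init() treat false as fatal, or continue and report at the end), and `wether` should read `whether`. Catching `const std::exception&` covers what asio throws from these calls, but the error_code overloads of the same functions (e.g. `ssl_context_.load_verify_file(config->verify_file, ec)`) would make the four blocks shorter and uniform without relying on exceptions. In the second hunk (`@@ -1572`) the new `else` warns that SSL 2.0 is "allowed" whenever NO_SSLV2 is not requested, yet current OpenSSL builds do not offer SSLv2 regardless of this option, and the NO_SSLV3 branch that begins at the end of the hunk gets no matching warning; either rephrase it as `logWarning(TLS, "NO_SSLV2 option not set; SSL 2.0 is not explicitly disabled by this configuration");` or give SSLv3 the same treatment.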
@@ -1609,6 +1650,7 @@ void TCPTransportInterface::apply_tls_config()
 }
 }
 #endif // if TLS_FOUND
+ return true;
 }
 std::string TCPTransportInterface::get_password() const
diff --git a/src/cpp/rtps/transport/TCPTransportInterface.h b/src/cpp/rtps/transport/TCPTransportInterface.h
index 539a385f26d..790e3e20f4c 100644
--- a/src/cpp/rtps/transport/TCPTransportInterface.h
+++ b/src/cpp/rtps/transport/TCPTransportInterface.h
@@ -175,8 +175,10 @@ class TCPTransportInterface : public TransportInterface
 /**
 * Applies TLS configuration to ssl_context
+ *
+ * @return true if everything worked fine, false otherwise.
 */
- void apply_tls_config();
+ bool apply_tls_config();
 /**
 * Aux method to retrieve cert password as a callback
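Review bot: `return true;` sits after `#endif // if TLS_FOUND`, so a build without TLS support reports success from apply_tls_config() even when the descriptor asked for apply_security, and the new check in init() never fires; whether the `#if TLS_FOUND` body already rejects that case is not visible here, since the function starts outside the hunk. An explicit `#else` branch would make the behaviour deliberate: `#else` / `if (configuration()->apply_security) { logError(TLS, "TLS requested but the transport was built without TLS support"); return false; }` / `#endif`. In the header hunk the new @return text could say what false means for the caller, e.g. `@return false if any configured TLS file could not be loaded; ssl_context_ may then be only partially configured.`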