Enable omniORB TLS encryption
At the CyberSecurity meeting in Lund (March 2024) we had a talk about omniORB and its encryption possibilities [1]. Branch [2] implements a PoC that enforces TLS connections for all clients and servers.
To be able to integrate that properly, the following tasks have to be finished:
- The TLS encryption in omniORB requires that omniORB has TLS support enabled. If enabled, the library libomnisslTP.[so|dylib] will be available on the system. MR [3] implements a new target which needs to be added to the cppTango dependencies.
- Certificate locations for the CA, server and client certificates need to be configurable via:
  - the tangorc config file
  - three new environment variables (one for each certificate)
  - two new command line arguments (server only: CA and server certificate)
- When a certificate expires, OpenSSL will automatically close the connection. omniORB will automatically attempt to reestablish the connection. The reconnect will only be successful if the expired certificate has been replaced with a new certificate of the same name. Duncan said that it is unclear if the reconnect would automatically recognise the new certificate or if a call to ssl_reinit would be necessary. This needs to be confirmed.
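The three configuration sources listed above, as an added example that is not cppTango's or omniORB's own code: a small C++ resolver that parses tangorc-style KEY=VALUE lines and applies the precedence command line > environment > tangorc, honouring command-line overrides only for servers and only for the CA and server certificate. The TANGO_TLS_* setting names, the precedence order and the handling of '#' comments are assumptions; the environment is passed in as a map rather than read with getenv so the logic can be tested offline.

```cpp
#include <initializer_list>
#include <map>
#include <sstream>
#include <string>
using KV = std::map<std::string, std::string>;

// Resolved certificate file locations for one Tango process.
struct TlsPaths {
    std::string ca;      // CA certificate used to verify the peer
    std::string server;  // server certificate (servers only)
    std::string client;  // client certificate (clients only)
};
static std::string trim(const std::string& s) {
    auto b = s.find_first_not_of(" \t\r");
    return b == std::string::npos ? "" : s.substr(b, s.find_last_not_of(" \t\r") - b + 1);
}

// Parse tangorc-style "KEY=VALUE" lines; '#' comments and blank lines are skipped.
KV parse_tangorc(const std::string& text) {
    KV out;
    std::istringstream in(text);
    for (std::string line; std::getline(in, line);) {
        line = line.substr(0, line.find('#'));  // drop trailing comment, if any
        auto eq = line.find('=');
        if (eq == std::string::npos) continue;
        std::string key = trim(line.substr(0, eq));
        if (!key.empty()) out[key] = trim(line.substr(eq + 1));
    }
    return out;
}

// First non-empty value for `key` across the sources, in priority order.
static std::string pick(std::initializer_list<const KV*> sources, const std::string& key) {
    for (const KV* src : sources) {
        auto it = src->find(key);
        if (it != src->end() && !it->second.empty()) return it->second;
    }
    return "";
}

// Precedence: command line > environment > tangorc. Command-line overrides exist only for
// servers and only for the CA and server certificate. TANGO_TLS_* names are hypothetical.
TlsPaths resolve_tls_paths(const KV& cli, const KV& env, const KV& rc, bool is_server) {
    static const KV none;
    const KV& args = is_server ? cli : none;  // clients get no command-line overrides
    return {pick({&args, &env, &rc}, "TANGO_TLS_CA_CERT"),
            pick({&args, &env, &rc}, "TANGO_TLS_SERVER_CERT"),
            pick({&env, &rc}, "TANGO_TLS_CLIENT_CERT")};  // never from the CLI
}
```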