Although IceSSL's native plug-in API is only available to programs written in C++, .NET and Java, you can still obtain some useful information in other languages.
On this page:
Obtaining SSL Connection Information
You can obtain information about any SSL connection using the getInfo
operation on a Connection
object. IceSSL defines the following types in Slice:
module Ice { local class ConnectionInfo { ConnectionInfo underlying; bool incoming; string adapterName; string connectionId; } } module IceSSL { local class ConnectionInfo extends Ice::ConnectionInfo { string cipher; Ice::StringSeq certs; bool verified; } }
For an SSL connection, getInfo
returns an instance of the subclass IceSSL::ConnectionInfo
.
The certs
member contains the peer's certificate chain, represented here as a sequence of strings containing the PEM-encoded certificates. The array is structured so that the first element is the peer's certificate, followed by its signing certificates in the order they appear in the chain, with the root CA certificate as the last element. The array is empty if the peer did not present a certificate chain.
The cipher
member is a description of the ciphersuite that SSL negotiated for this connection. The verified
member indicates whether IceSSL was able to successfully verify the peer's certificate.
The inherited underlying
data member contains the connection information of the underlying transport (if SSL is based on TCP, this member will contain an instance of Ice::TCPEndpointInfo
which you can use to retrieve the remote and local addresses). The incoming
member indicates whether the connection is inbound (a server connection) or outbound (a client connection). The connectionId
data member matches the connection identifier set on the proxy. Finally, if incoming
is true, the adapterName
member supplies the name of the object adapter that hosts the endpoint.
Converting Certificates
The code samples below demonstrate how to convert the encoded certificates into certificate objects:
from cryptography import x509 from cryptography.hazmat.backends import default_backend ... info = proxy.ice_getConnection().getInfo() if proxy.ice_isSecure(): # Only for a secure proxy certs = [] for s in info.certs: certs.append(x509.load_pem_x509_certificate(bytes(s, "utf8"), default_backend()))
Python doesn't currently have any built-in modules for manipulating certificates, but the cryptography
package offers one solution.
require 'openssl' ... info = proxy.ice_getConnection().getInfo() if proxy.ice_isSecure() # Only for a secure proxy certs = [] for s in info.certs certs.push(OpenSSL::X509::Certificate.new(s)) end end
$info = $proxy->ice_getConnection()->getInfo(); if($proxy->ice_isSecure()) // Only for a secure proxy { $certs = array(); for($x = 0; $x < count($info->certs); $x++) { array_push($certs, openssl_x509_parse($info->certs[x])); } }