Programming IceSSL in Other Languages

Although IceSSL's native plug-in API is only available to programs written in C++, C#, Java and Swift, you can still obtain some useful information in other languages.

Obtaining SSL Connection Information

You can obtain information about any SSL connection using the getInfo operation on a Connection object. IceSSL defines the following types in Slice:

Slice
module Ice
{
    local class ConnectionInfo
    {
        ConnectionInfo underlying;
        bool incoming;
        string adapterName;
        string connectionId;
    }
}

module IceSSL
{
    local class ConnectionInfo extends Ice::ConnectionInfo
    {
        string cipher;
        Ice::StringSeq certs;
        bool verified;
    }
}

For an SSL connection, getInfo returns an instance of the subclass IceSSL::ConnectionInfo.

The certs member contains the peer's certificate chain, represented here as a sequence of strings containing the PEM-encoded certificates. The array is structured so that the first element is the peer's certificate, followed by its signing certificates in the order they appear in the chain, with the root CA certificate as the last element. The array is empty if the peer did not present a certificate chain.

The cipher member describes the cipher suite that SSL negotiated for this connection. The verified member is false in two cases: IceSSL.VerifyPeer=0 and the certificate can't be trusted, or IceSSL.CheckCertName > 0 and the host name verification check failed. It's always true otherwise.

The inherited underlying data member contains the connection information of the underlying transport (if SSL is based on TCP, this member will contain an instance of Ice::TCPEndpointInfo which you can use to retrieve the remote and local addresses). The incoming member indicates whether the connection is inbound (a server connection) or outbound (a client connection). The connectionId data member matches the connection identifier set on the proxy. Finally, if incoming is true, the adapterName member supplies the name of the object adapter that hosts the endpoint.

Converting Certificates

The code samples below demonstrate how to convert the encoded certificates into certificate objects:

Python
from cryptography import x509
from cryptography.hazmat.backends import default_backend
...
info = proxy.ice_getConnection().getInfo()
if proxy.ice_isSecure(): # Only for a secure proxy
    certs = []
    # info.certs holds PEM strings, peer certificate first
    for s in info.certs:
        certs.append(x509.load_pem_x509_certificate(bytes(s, "utf8"), default_backend()))

Python doesn't currently have any built-in modules for manipulating certificates, but the cryptography package offers one solution.

Ruby
require 'openssl'
...
info = proxy.ice_getConnection().getInfo()
if proxy.ice_isSecure() # Only for a secure proxy
    certs = []
    # info.certs holds PEM strings, peer certificate first
    for s in info.certs
        certs.push(OpenSSL::X509::Certificate.new(s))
    end
end

PHP
$info = $proxy->ice_getConnection()->getInfo();
if($proxy->ice_isSecure()) // Only for a secure proxy
{
    $certs = array();
    // $info->certs holds PEM strings, peer certificate first
    for($x = 0; $x < count($info->certs); $x++)
    {
        array_push($certs, openssl_x509_parse($info->certs[$x]));
    }
}
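
The following added example (not part of the Ice documentation or the IceSSL API) goes one step beyond conversion and shows how the verified flag and the chain ordering described above can feed an application-level pinning check on the peer certificate. The names authorize_peer, leaf_fingerprint and PINNED are hypothetical, SimpleNamespace stands in for the object returned by getInfo, and the sample PEM strings are constructed placeholder bytes, not real certificates.

```python
import hashlib
import ssl
from types import SimpleNamespace


def leaf_fingerprint(pem_chain):
    """SHA-256 (hex) of the peer certificate's DER bytes, or None if no chain."""
    if not pem_chain:
        return None  # the peer presented no certificate chain
    # certs[0] is the peer's own certificate; the root CA is the last element.
    der = ssl.PEM_cert_to_DER_cert(pem_chain[0].strip())
    return hashlib.sha256(der).hexdigest()


def authorize_peer(info, pinned):
    """Return (allowed, reason) for an IceSSL ConnectionInfo-like object."""
    if not info.verified:
        return False, "peer not verified"
    fingerprint = leaf_fingerprint(info.certs)
    if fingerprint is None:
        return False, "no certificate presented"
    if fingerprint not in pinned:
        return False, "fingerprint not pinned"
    return True, fingerprint


# Constructed sample data: placeholder bytes wrapped as PEM, not real certificates.
LEAF_DER = b"constructed leaf certificate bytes"
LEAF_PEM = ssl.DER_cert_to_PEM_cert(LEAF_DER)
ROOT_PEM = ssl.DER_cert_to_PEM_cert(b"constructed root CA certificate bytes")
PINNED = {hashlib.sha256(LEAF_DER).hexdigest()}

if __name__ == "__main__":
    # SimpleNamespace stands in for the object returned by getInfo().
    cases = {
        "pinned leaf": SimpleNamespace(certs=[LEAF_PEM, ROOT_PEM], verified=True),
        "no chain": SimpleNamespace(certs=[], verified=True),
        "unverified": SimpleNamespace(certs=[LEAF_PEM, ROOT_PEM], verified=False),
        "wrong order": SimpleNamespace(certs=[ROOT_PEM, LEAF_PEM], verified=True),
    }
    for name, info in cases.items():
        print(name, authorize_peer(info, PINNED))
```

With a real connection, pass the result of proxy.ice_getConnection().getInfo() as info.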
