Quick way to check if an SSL/TLS configuration name is valid?

Question

Question

Timothy Leavitt · Mar 8, 2019

Is there a quick way to see if an SSL/TLS configuration name is valid, short of switching over to %SYS and checking Security.SSLConfigs:Exists?

Discussion (7)2

Log in or sign up to continue

Eduard Lebedyuk · Mar 9, 2019

You can try to write to a TCP device with SSL. Doesn't require additional permissions:

ClassMethod Exists(ssl As %String) As %Boolean
{
	#dim exists As %Boolean = $$$YES
	set host = "google.com"
	set port = 443
	set timeout = 1
	
	set io = $io
	
	set device = "|TCP|" _ ##class(%PopulateUtils).Integer(5000, 10000)
	try {
		open device:(host:port:/SSL=ssl):timeout	
		use device
		
		// real check
		write "GET /" _ $c(10),*-3
		// real check - end
		
		// should be HTTP/1.0 200 OK but we don't really care
		//read response:timeout
		//write response
	} catch ex {
		set exists = $$$NO
	}
	
	use io
	
	close device
	
	
	quit exists
}

It's slower than direct global check but if you want to do it rarely, I think it could be okay. Doesn't require additional permissions.

Code to compare times:


ClassMethod ExistGlobal(ssl) [ CodeMode = expression ]
{
$d(^|"%SYS"|SYS("Security","SSLConfigsD",ssl))#10
}

/// do ##class().Compare()
ClassMethod Compare(count = 1, ssl = "GitHub")
{
    Write "Iterations: ", count,!
    Write "Config exists: ", ..Exists(ssl),!

    set start = $zh
    for i=1:1:count {
        set exists = ..Exists(ssl)
    }
    
    set end = $zh
    
    set time = end - start
    Write "Device check: ", time,!
    
    set start = $zh
    for i=1:1:count {
        set exists = ..ExistGlobal(ssl)
    }
    
    set end = $zh
    
    set time2 = end - start
    write "Global check: ", time2,!
}

Results:

Iterations: 1
Config exists: 1
Device check: .054983
Global check: .000032

Iterations: 1
Config exists: 0
Device check: .017351
Global check: .00001

Iterations: 50
Config exists: 1
Device check: 2.804497
Global check: .000097

Iterations: 50
Config exists: 0
Device check: .906424
Global check: .000078

1 0

Vitaliy Serdtsev · Mar 11, 2019

Below are two ways without additional permissions on %DB_CACHESYS:

  #include %systemInclude
  n
  try{

    s sslName="Test"

    w "1) GetSSLConfigList^%SYS.SECURITY1(.SSLConfigs)",!!
    w $$Test1(sslName)
    
    w !!,"2) $$ListSSLConfigs^%SYS.SECURITY(Client/Server)",!!
    w $$Test2(sslName)
    
  }catch(ex){
    w "Error ", ex.DisplayString(),!
  }

Test1(ssl) {
  d GetSSLConfigList^%SYS.SECURITY1(.SSLConfigs)
  f i=1:1:SSLConfigs return:SSLConfigs(i)=ssl $$$YES
  q $$$NO
}

Test2(ssl) {
  q ''$lf($lfs($$ListSSLConfigs^%SYS.SECURITY("Client")_","_
               $$ListSSLConfigs^%SYS.SECURITY("Server"))
          ,ssl)
}

1 0

score 0 · Answer 1 · 2019-03-08T10:59:05-05:00

Hi Tim

write $d(^|"%SYS"|SYS("Security","SSLConfigsD",<my config> ),settings)

provided you have access rights

Cheers, Robert

score 0 · Answer 2 · 2019-03-08T11:06:18-05:00

Hi Robert,

Access rights are part of my concern. You can connect using an SSL/TLS configuration without having read permission on %DB_CACHESYS (or the IRIS equivalent).

score 1 · Answer 3 · 2019-03-11T06:39:05-04:00

OK Vitaly !

It happens under cover (from: ^%SYS.SECURITY1.int)

Set $zt="SSLConfigError" i '($e($roles,1,$l("%All"))="%All") { n $ET,$roles s $ET="",$roles=$roles_","_"%All"} n $namespace Do $zu(5,"%SYS")

score 1 · Answer 4 · 2019-03-08T11:18:46-05:00

In this case, you may create a Privileged Routine Application with the rights you need and the required code

calling it raises access rights just for this routine.

score 0 · Answer 5 · 2019-03-11T06:55:59-04:00

Hi Robert.

Exactly.

Programmatically Managing Roles:

This command can only be invoked either from a routine that is part of the CACHESYS database or if the current privileges held include Write permission for the CACHESYS database (%DB_CACHESYS:W).

Note that setting $ROLES only alters a process’s added roles, not its login roles.

There is a third way, but I specifically did not publish it.