Question by Timothy Leavitt (Senior Development Manager at InterSystems Corporation) · Mar 8, 2019

Quick way to check if an SSL/TLS configuration name is valid?

Is there a quick way to see if an SSL/TLS configuration name is valid, short of switching over to %SYS and checking Security.SSLConfigs:Exists?

Comments

Robert Cemper · Mar 8, 2019

Hi Tim

write $d(^|"%SYS"|SYS("Security","SSLConfigsD",<my config> ),settings)

provided you have access rights

Cheers, Robert

Timothy Leavitt · Mar 8, 2019 to Robert Cemper

Hi Robert,

Access rights are part of my concern. You can connect using an SSL/TLS configuration without having read permission on %DB_CACHESYS (or the IRIS equivalent).

Robert Cemper · Mar 11, 2019 to Vitaliy Serdtsev

OK Vitaliy!

It happens under cover (from ^%SYS.SECURITY1.int):

 Set $zt="SSLConfigError"
 If '($e($roles,1,$l("%All"))="%All") { New $ET,$roles Set $ET="",$roles=$roles_","_"%All" }
 New $namespace
 Do $zu(5,"%SYS")

 
Vitaliy Serdtsev  Mar 11, 2019 to Robert Cemper

Hi Robert.

Exactly.

Programmatically Managing Roles:

This command can only be invoked either from a routine that is part of the CACHESYS database or if the current privileges held include Write permission for the CACHESYS database (%DB_CACHESYS:W).

Note that setting $ROLES only alters a process’s added roles, not its login roles.

There is a third way, but I specifically did not publish it.

Eduard Lebedyuk · Mar 9, 2019

You can try to write to a TCP device with SSL. Doesn't require additional permissions:

ClassMethod Exists(ssl As %String) As %Boolean
{
	#dim exists As %Boolean = $$$YES
	set host = "google.com"
	set port = 443
	set timeout = 1
	
	set io = $io
	
	set device = "|TCP|" _ ##class(%PopulateUtils).Integer(5000, 10000)
	try {
		open device:(host:port:/SSL=ssl):timeout	
		use device
		
		// real check
		write "GET /" _ $c(10),*-3
		// real check - end
		
		// should be HTTP/1.0 200 OK but we don't really care
		//read response:timeout
		//write response
	} catch ex {
		set exists = $$$NO
	}
	
	use io
	
	close device
	
	
	quit exists
}

It's slower than the direct global check, but if you want to do it rarely, I think it could be okay. Doesn't require additional permissions.

Code to compare times:


ClassMethod ExistGlobal(ssl) [ CodeMode = expression ]
{
$d(^|"%SYS"|SYS("Security","SSLConfigsD",ssl))#10
}

/// do ##class().Compare()
ClassMethod Compare(count = 1, ssl = "GitHub")
{
    Write "Iterations: ", count,!
    Write "Config exists: ", ..Exists(ssl),!

    set start = $zh
    for i=1:1:count {
        set exists = ..Exists(ssl)
    }
    
    set end = $zh
    
    set time = end - start
    Write "Device check: ", time,!
    
    set start = $zh
    for i=1:1:count {
        set exists = ..ExistGlobal(ssl)
    }
    
    set end = $zh
    
    set time2 = end - start
    write "Global check: ", time2,!
}

Results:

Iterations: 1
Config exists: 1
Device check: .054983
Global check: .000032

Iterations: 1
Config exists: 0
Device check: .017351
Global check: .00001

Iterations: 50
Config exists: 1
Device check: 2.804497
Global check: .000097

Iterations: 50
Config exists: 0
Device check: .906424
Global check: .000078
Vitaliy Serdtsev · Mar 11, 2019

Below are two ways without additional permissions on %DB_CACHESYS:

  #include %systemInclude
  n
  try {
    s sslName="Test"

    w "1) GetSSLConfigList^%SYS.SECURITY1(.SSLConfigs)",!!
    w $$Test1(sslName)

    w !!,"2) $$ListSSLConfigs^%SYS.SECURITY(Client/Server)",!!
    w $$Test2(sslName)
  } catch(ex) {
    w "Error ",ex.DisplayString(),!
  }
  q

Test1(ssl) {
  d GetSSLConfigList^%SYS.SECURITY1(.SSLConfigs)
  f i=1:1:SSLConfigs return:SSLConfigs(i)=ssl $$$YES
  q $$$NO
}

Test2(ssl) {
  q ''$lf($lfs($$ListSSLConfigs^%SYS.SECURITY("Client")_","_$$ListSSLConfigs^%SYS.SECURITY("Server")),ssl)
}

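Putting the thread's options together, here is an added example (my own code, not from the question or any of the replies) of a check that prefers the documented %SYS API and only falls back to the unprivileged lookup when the caller lacks the database permission. It assumes that ##class(Security.SSLConfigs).Exists(name) in %SYS returns a boolean, that a missing %DB_CACHESYS / %DB_IRISSYS right surfaces as a <PROTECT> error, and that $$ListSSLConfigs^%SYS.SECURITY("Client") and ("Server") return comma-separated configuration names as in the reply above; that routine entry point is internal rather than a supported API, and the class name Demo.SSLConfigCheck is made up for the example.

```objectscript
/// Added example; not part of the original thread.
/// Assumes Security.SSLConfigs:Exists() in %SYS (documented) and the
/// internal $$ListSSLConfigs^%SYS.SECURITY entry point (not a public API).
Class Demo.SSLConfigCheck
{

/// Returns 1 if an SSL/TLS configuration called name exists, else 0.
/// method reports which lookup answered ("Security.SSLConfigs" or
/// "ListSSLConfigs") so callers can log when the fallback was needed.
ClassMethod Exists(name As %String, Output method As %String) As %Boolean
{
    Set method = ""
    If $Get(name) = "" Quit 0
    Try {
        Set method = "Security.SSLConfigs"
        Return ..ExistsPrivileged(name)
    } Catch ex {
        // Only a permission failure justifies the fallback; anything else
        // (bad namespace mapping, etc.) is a real error and is rethrown
        If ex.Name '= "<PROTECT>" Throw ex
    }
    Set method = "ListSSLConfigs"
    Quit ..ExistsUnprivileged(name)
}

/// Privileged path: the documented check, run in %SYS.
/// NEW $Namespace restores the caller's namespace when this method
/// exits, whether it returns normally or throws.
ClassMethod ExistsPrivileged(name As %String) As %Boolean
{
    New $Namespace
    Set $Namespace = "%SYS"
    Quit ##class(Security.SSLConfigs).Exists(name)
}

/// Unprivileged path: exact match against the client and server lists.
/// Assumption: both calls return a comma-separated list of names.
ClassMethod ExistsUnprivileged(name As %String) As %Boolean
{
    Set list = $$ListSSLConfigs^%SYS.SECURITY("Client")
    Set list = list _ "," _ $$ListSSLConfigs^%SYS.SECURITY("Server")
    For i = 1:1:$Length(list, ",") {
        If $Piece(list, ",", i) = name Return 1
    }
    Quit 0
}

/// Usage: Do ##class(Demo.SSLConfigCheck).Demo("MyConfig")
ClassMethod Demo(name As %String)
{
    Set exists = ..Exists(name, .method)
    Write name, ": ", $Select(exists:"exists", 1:"not found"), " (via ", method, ")", !
}

}
```

The network probe from the earlier reply is deliberately not used as the fallback: it opens an outbound TLS session to a third-party host on every call, and any failure (no DNS, egress blocked, the peer down) is reported as "configuration does not exist", so it cannot tell a bad name from a network problem. With the approach here the method output tells the caller which path produced the answer, and a <PROTECT> on the privileged path is the only condition under which the internal routine is consulted.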