path: root/cpp/src/Ice/SslSystemOpenSSL.cpp
authorAnthony Neal <aneal@zeroc.com>2002-03-05 14:26:38 +0000
committerAnthony Neal <aneal@zeroc.com>2002-03-05 14:26:38 +0000
commit088253dd72c4e65cf8230719def050d0d043aa92 (patch)
treeb54fc12cc78cef3eca7c57de368c116dfa4307bb /cpp/src/Ice/SslSystemOpenSSL.cpp
parentbug fix for dispatching new operations (diff)
Big check-in. Glacier client authentication (certificate verification) has
been added, SSL logging has been removed, a few clean-ups have taken place. Getting ready for SSL Extension refactoring.
Diffstat (limited to 'cpp/src/Ice/SslSystemOpenSSL.cpp')
-rw-r--r--cpp/src/Ice/SslSystemOpenSSL.cpp418
1 files changed, 279 insertions, 139 deletions
diff --git a/cpp/src/Ice/SslSystemOpenSSL.cpp b/cpp/src/Ice/SslSystemOpenSSL.cpp
index b7013614d4b..c3ac40dd945 100644
--- a/cpp/src/Ice/SslSystemOpenSSL.cpp
+++ b/cpp/src/Ice/SslSystemOpenSSL.cpp
@@ -28,20 +28,23 @@
#include <openssl/err.h>
#include <openssl/e_os.h>
#include <openssl/rand.h>
-#include <Ice/OpenSSL.h>
+#include <Ice/OpenSSL.h>
#include <Ice/SslSystem.h>
#include <Ice/SecurityException.h>
#include <Ice/SslConnectionOpenSSLClient.h>
#include <Ice/SslConnectionOpenSSLServer.h>
-#include <Ice/SslConfig.h>
-#include <Ice/SslRSAKeyPair.h>
-#include <Ice/SslJanitors.h>
+#include <Ice/SslConfig.h>
+#include <Ice/SslRSAKeyPair.h>
+#include <Ice/SslRSAPublicKey.h>
+#include <Ice/SslJanitors.h>
#include <Ice/SslCertificateVerifierOpenSSL.h>
#include <Ice/TraceLevels.h>
#include <Ice/Logger.h>
using namespace std;
+using IceInternal::TraceLevelsPtr;
+using Ice::LoggerPtr;
namespace IceSecurity
{
@@ -84,7 +87,7 @@ unsigned char System::_tempDiffieHellman512g[] =
// will initialize these. NOTE: If we SHOULD have multiple loggers
// going on simultaneously, this will definitely cause a problem.
TraceLevelsPtr System::_globalTraceLevels = 0;
-Ice::LoggerPtr System::_globalLogger = 0;
+LoggerPtr System::_globalLogger = 0;
}
@@ -103,7 +106,7 @@ tmpRSACallback(SSL *s, int isExport, int keyLength)
{
IceSecurity::Ssl::SystemPtr sslSystem = IceSecurity::Ssl::Factory::getSystemFromHandle(s);
- IceSecurity::Ssl::OpenSSL::System* openSslSystem = 0;
+ IceSecurity::Ssl::OpenSSL::System* openSslSystem = 0;
openSslSystem = dynamic_cast<IceSecurity::Ssl::OpenSSL::System*>(sslSystem.get());
RSA* rsaKey = openSslSystem->getRSAKey(s, isExport, keyLength);
@@ -116,7 +119,7 @@ tmpDHCallback(SSL *s, int isExport, int keyLength)
{
IceSecurity::Ssl::SystemPtr sslSystem = IceSecurity::Ssl::Factory::getSystemFromHandle(s);
- IceSecurity::Ssl::OpenSSL::System* openSslSystem = 0;
+ IceSecurity::Ssl::OpenSSL::System* openSslSystem = 0;
openSslSystem = dynamic_cast<IceSecurity::Ssl::OpenSSL::System*>(sslSystem.get());
DH* dh = openSslSystem->getDHParams(s, isExport, keyLength);
@@ -128,18 +131,30 @@ tmpDHCallback(SSL *s, int isExport, int keyLength)
int
verifyCallback(int ok, X509_STORE_CTX *ctx)
{
- // Tricky method to get access to our connection. I would use SSL_get_ex_data() to get
- // the Connection object, if only I had some way to retrieve the index of the object
- // in this function. Hence, we have to invent our own reference system here.
- SSL* ssl = static_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
- IceSecurity::Ssl::OpenSSL::ConnectionPtr connection = 0;
- connection = IceSecurity::Ssl::OpenSSL::Connection::getConnection(ssl);
- assert(connection);
-
- // Call the connection, get it to perform the verification.
+ // Tricky method to get access to our connection. I would use SSL_get_ex_data() to get
+ // the Connection object, if only I had some way to retrieve the index of the object
+ // in this function. Hence, we have to invent our own reference system here.
+ SSL* ssl = static_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
+ IceSecurity::Ssl::OpenSSL::ConnectionPtr connection = 0;
+ connection = IceSecurity::Ssl::OpenSSL::Connection::getConnection(ssl);
+ assert(connection);
+
+ // Call the connection, get it to perform the verification.
return connection->verifyCertificate(ok, ctx);
}
+// TODO: This is a complete hack to get this working again with the CA certificate.
+// Of course, this will have to be rewritten to handle this in the same manner
+// as the verifyCallback does.
+// -ASN
+int
+passwordCallback(char* buffer, int bufferSize, int rwFlag, void* userData)
+{
+ strncpy(buffer, "demo", bufferSize);
+ buffer[bufferSize - 1] = '\0';
+ return strlen(buffer);
+}
+
// This code duplicates functionality that existed in the BIO library of
// OpenSSL, but outputs to a Logger compatible source (ostringstream).
void
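Review bot: passwordCallback copies the literal passphrase "demo" into every private-key prompt, which places a credential in the source tree even though its only call site, the `SSL_CTX_set_default_passwd_cb` line in loadCAFiles, is commented out in this same commit. Either drop the function until the passphrase can come from configuration, or have it read the passphrase from `userData` (the pointer supplied through `SSL_CTX_set_default_passwd_cb_userdata`) instead of a literal, so that no secret is compiled in. As written it also indexes `buffer[bufferSize - 1]` without checking the size and returns `strlen(buffer)` (a `size_t`) as `int`; `if (bufferSize <= 0) return 0;` as the first line covers the former, and `return static_cast<int>(strlen(buffer));` the latter. The `// TODO` above it should say that the callback must be removed before the hard-coded value ships, not just that it is a hack.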
@@ -236,21 +251,21 @@ bio_dump_cb(BIO *bio, int cmd, const char *argp, int argi, long argl, long ret)
{
ostringstream outStringStream;
+ outStringStream << "PTC ";
+
if (cmd == (BIO_CB_READ|BIO_CB_RETURN))
{
- outStringStream << "PTC ";
outStringStream << "read from " << hex << (void *)bio << " [" << hex << (void *)argp;
outStringStream << "] (" << dec << argi << " bytes => " << ret << " (0x";
outStringStream << hex << ret << "))";
- dump(outStringStream, argp,(int)ret);
+// dump(outStringStream, argp,(int)ret);
}
else if (cmd == (BIO_CB_WRITE|BIO_CB_RETURN))
{
- outStringStream << "PTC ";
outStringStream << "write to " << hex << (void *)bio << " [" << hex << (void *)argp;
outStringStream << "] (" << dec << argi << " bytes => " << ret << " (0x";
outStringStream << hex << ret << "))";
- dump(outStringStream, argp,(int)ret);
+ // dump(outStringStream, argp,(int)ret);
}
if (cmd == (BIO_CB_READ|BIO_CB_RETURN) || cmd == (BIO_CB_WRITE|BIO_CB_RETURN))
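Review bot: The payload hex dump is disabled by commenting out the two `dump(outStringStream, argp,(int)ret);` calls (one at column 0, one indented) rather than deleting them, which leaves dead code that a later reader may re-enable and thereby put decrypted application data back into the trace log. Since the commit message states that SSL logging has been removed, delete both lines and leave a single comment such as `// Payload bytes are deliberately not dumped: they are application data.` The pointer values and byte counts that `outStringStream` still records are enough to trace BIO activity.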
@@ -352,48 +367,50 @@ IceSecurity::Ssl::OpenSSL::System::shutdown()
iDH++;
}
}
-
-void
-IceSecurity::Ssl::OpenSSL::System::setTrace(const TraceLevelsPtr& traceLevels)
-{
- // Note: Due to a known bug with VC++, I cannot simply call the base-class
- // implementation here, I get a C2352 error about calling a static function.
- _traceLevels = traceLevels;
-
- DefaultCertificateVerifier* clientVerifier = dynamic_cast<DefaultCertificateVerifier*>(_clientVerifier.get());
- DefaultCertificateVerifier* serverVerifier = dynamic_cast<DefaultCertificateVerifier*>(_serverVerifier.get());
-
- if (clientVerifier)
- {
- clientVerifier->setTraceLevels(traceLevels);
- }
-
- if (serverVerifier)
- {
- serverVerifier->setTraceLevels(traceLevels);
- }
-}
-
-void
-IceSecurity::Ssl::OpenSSL::System::setLogger(const LoggerPtr& logger)
-{
- // Note: Due to a known bug with VC++, I cannot simply call the base-class
- // implementation here, I get a C2352 error about calling a static function.
- _logger = logger;
-
- DefaultCertificateVerifier* clientVerifier = dynamic_cast<DefaultCertificateVerifier*>(_clientVerifier.get());
- DefaultCertificateVerifier* serverVerifier = dynamic_cast<DefaultCertificateVerifier*>(_serverVerifier.get());
-
- if (clientVerifier)
- {
- clientVerifier->setLogger(logger);
- }
-
- if (serverVerifier)
- {
- serverVerifier->setLogger(logger);
- }
-}
+
+void
+IceSecurity::Ssl::OpenSSL::System::setTrace(const TraceLevelsPtr& traceLevels)
+{
+ // Note: Due to a known bug with VC++, I cannot simply call the base-class
+ // implementation here, I get a C2352 error about calling a static function.
+ // Bug# Q153801
+ _traceLevels = traceLevels;
+
+ DefaultCertificateVerifier* clientVerifier = dynamic_cast<DefaultCertificateVerifier*>(_clientVerifier.get());
+ DefaultCertificateVerifier* serverVerifier = dynamic_cast<DefaultCertificateVerifier*>(_serverVerifier.get());
+
+ if (clientVerifier)
+ {
+ clientVerifier->setTraceLevels(traceLevels);
+ }
+
+ if (serverVerifier)
+ {
+ serverVerifier->setTraceLevels(traceLevels);
+ }
+}
+
+void
+IceSecurity::Ssl::OpenSSL::System::setLogger(const LoggerPtr& logger)
+{
+ // Note: Due to a known bug with VC++, I cannot simply call the base-class
+ // implementation here, I get a C2352 error about calling a static function.
+ // Bug# Q153801
+ _logger = logger;
+
+ DefaultCertificateVerifier* clientVerifier = dynamic_cast<DefaultCertificateVerifier*>(_clientVerifier.get());
+ DefaultCertificateVerifier* serverVerifier = dynamic_cast<DefaultCertificateVerifier*>(_serverVerifier.get());
+
+ if (clientVerifier)
+ {
+ clientVerifier->setLogger(logger);
+ }
+
+ if (serverVerifier)
+ {
+ serverVerifier->setLogger(logger);
+ }
+}
bool
IceSecurity::Ssl::OpenSSL::System::isConfigLoaded()
@@ -429,8 +446,8 @@ IceSecurity::Ssl::OpenSSL::System::loadConfig()
// Walk the parse tree, get the Client configuration.
if (sslConfig.loadClientConfig(clientGeneral, clientCertAuth, clientBaseCerts))
{
- if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL)
- {
+ if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL)
+ {
ostringstream s;
s << endl;
@@ -438,11 +455,14 @@ IceSecurity::Ssl::OpenSSL::System::loadConfig()
s << "------------------------------" << endl;
s << clientGeneral << endl << endl;
+ s << "CA File: " << clientCertAuth.getCAFileName() << endl;
+ s << "CA Path: " << clientCertAuth.getCAPath() << endl;
+
s << "Base Certificates - Client" << endl;
s << "--------------------------" << endl;
s << clientBaseCerts << endl;
- _logger->trace(_traceLevels->securityCat, s.str());
+ _logger->trace(_traceLevels->securityCat, s.str());
}
initClient(clientGeneral, clientCertAuth, clientBaseCerts);
@@ -456,8 +476,8 @@ IceSecurity::Ssl::OpenSSL::System::loadConfig()
// Walk the parse tree, get the Server configuration.
if (sslConfig.loadServerConfig(serverGeneral, serverCertAuth, serverBaseCerts, serverTempCerts))
{
- if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL)
- {
+ if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL)
+ {
ostringstream s;
s << endl;
@@ -465,6 +485,9 @@ IceSecurity::Ssl::OpenSSL::System::loadConfig()
s << "------------------------------" << endl;
s << serverGeneral << endl << endl;
+ s << "CA File: " << serverCertAuth.getCAFileName() << endl;
+ s << "CA Path: " << serverCertAuth.getCAPath() << endl;
+
s << "Base Certificates - Server" << endl;
s << "--------------------------" << endl;
s << serverBaseCerts << endl << endl;
@@ -473,11 +496,13 @@ IceSecurity::Ssl::OpenSSL::System::loadConfig()
s << "--------------------------" << endl;
s << serverTempCerts << endl;
- _logger->trace(_traceLevels->securityCat, s.str());
+ _logger->trace(_traceLevels->securityCat, s.str());
}
initServer(serverGeneral, serverCertAuth, serverBaseCerts, serverTempCerts);
}
+
+ _configLoaded = true;
}
RSA*
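Review bot: `_configLoaded = true;` is set unconditionally at the end of loadConfig, so isConfigLoaded() reports success even when neither loadClientConfig nor loadServerConfig returned true and no `SSL_CTX` was initialised; the setters added later in this commit only `assert()` on the contexts, so a caller that gates them on isConfigLoaded() would still reach a null context in a release build. If the flag is meant to record that a configuration file was parsed rather than that a context exists, say so in a comment where the flag is declared; otherwise set `_configLoaded = true;` inside the two branches, after each `initClient`/`initServer` call. The beginning of loadConfig, with any early-return paths, is outside this hunk.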
@@ -597,6 +622,99 @@ IceSecurity::Ssl::OpenSSL::System::getDHParams(SSL *s, int isExport, int keyLeng
return dh_tmp;
}
+IceSecurity::Ssl::OpenSSL::CertificateVerifierPtr
+IceSecurity::Ssl::OpenSSL::System::certificateVerifierTypeCheck(const IceSecurity::Ssl::CertificateVerifierPtr& verifier)
+{
+ // IceSecurity::Ssl::CertificateVerifier* passedVerifier = verifier.get();
+ // IceSecurity::Ssl::OpenSSL::CertificateVerifier* castVerifier;
+ // castVerifier = dynamic_cast<IceSecurity::Ssl::OpenSSL::CertificateVerifier*>(passedVerifier);
+
+ IceSecurity::Ssl::OpenSSL::CertificateVerifierPtr castVerifier;
+ castVerifier = IceSecurity::Ssl::OpenSSL::CertificateVerifierPtr::dynamicCast(verifier);
+
+ if (!castVerifier.get())
+ {
+ IceSecurity::Ssl::CertificateVerifierTypeException cvtEx(__FILE__, __LINE__);
+ throw cvtEx;
+ }
+
+ return castVerifier;
+}
+
+void
+IceSecurity::Ssl::OpenSSL::System::setServerCertificateVerifier(const IceSecurity::Ssl::CertificateVerifierPtr& serverVerifier)
+{
+ _serverVerifier = certificateVerifierTypeCheck(serverVerifier);
+}
+
+void
+IceSecurity::Ssl::OpenSSL::System::setClientCertificateVerifier(const IceSecurity::Ssl::CertificateVerifierPtr& clientVerifier)
+{
+ _clientVerifier = certificateVerifierTypeCheck(clientVerifier);
+}
+
+void
+IceSecurity::Ssl::OpenSSL::System::setServerCertAuthorityCertificate(const string& caCertString)
+{
+ if (_sslServerContext == 0)
+ {
+ ContextException contextEx(__FILE__, __LINE__);
+
+ contextEx._message = "Server context has not been set up - ";
+ contextEx._message += "please specify an SSL server configuration file.";
+
+ throw contextEx;
+ }
+
+ assert(_sslClientContext);
+
+ RSAPublicKey pubKey(caCertString);
+
+ X509_STORE* certStore = SSL_CTX_get_cert_store(_sslServerContext);
+
+ int addedCertAuthorityCert = X509_STORE_add_cert(certStore, pubKey.getX509PublicKey());
+
+ assert(addedCertAuthorityCert != 0);
+}
+
+void
+IceSecurity::Ssl::OpenSSL::System::setClientCertAuthorityCertificate(const string& caCertString)
+{
+ if (_sslClientContext == 0)
+ {
+ ContextException contextEx(__FILE__, __LINE__);
+
+ contextEx._message = "Client context has not been set up - ";
+ contextEx._message += "please specify an SSL client configuration file.";
+
+ throw contextEx;
+ }
+
+ assert(_sslClientContext);
+
+ RSAPublicKey pubKey(caCertString);
+
+ X509_STORE* certStore = SSL_CTX_get_cert_store(_sslClientContext);
+
+ int addedCertAuthorityCert = X509_STORE_add_cert(certStore, pubKey.getX509PublicKey());
+
+ assert(addedCertAuthorityCert != 0);
+}
+
+void
+IceSecurity::Ssl::OpenSSL::System::setServerRSAKeysBase64(const std::string& privateKey, const std::string& publicKey)
+{
+ assert(_sslServerContext);
+ addKeyCert(_sslServerContext, privateKey, publicKey);
+}
+
+void
+IceSecurity::Ssl::OpenSSL::System::setClientRSAKeysBase64(const std::string& privateKey, const std::string& publicKey)
+{
+ assert(_sslClientContext);
+ addKeyCert(_sslClientContext, privateKey, publicKey);
+}
+
//
// Protected
//
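Review bot: setServerCertAuthorityCertificate and setClientCertAuthorityCertificate only `assert(addedCertAuthorityCert != 0)` after X509_STORE_add_cert, so in a release build a CA certificate that fails to enter the trust store is silently dropped (and the variable becomes unused), even though that certificate is the trust anchor peer verification depends on; the failure should be reported the same way the missing-context case a few lines above is. The server variant also asserts `_sslClientContext` immediately after testing `_sslServerContext`, which looks like a copy-paste slip. setServerRSAKeysBase64/setClientRSAKeysBase64 have the same weakness in miniature: they `assert()` the context and then hand it to addKeyCert, where the CA setters throw ContextException for the same condition. If the override may be applied more than once, inspect the error first, since X509_STORE_add_cert also returns 0 for a certificate that is already in the store. The rewritten tail of the server variant follows; the client one is identical with `_sslClientContext` and "client" in the message.
```cpp
    assert(_sslServerContext);

    RSAPublicKey pubKey(caCertString);

    X509_STORE* certStore = SSL_CTX_get_cert_store(_sslServerContext);

    // A CA certificate that cannot be installed is a configuration error,
    // not something to ignore in release builds.
    if (X509_STORE_add_cert(certStore, pubKey.getX509PublicKey()) == 0)
    {
        ContextException contextEx(__FILE__, __LINE__);

        contextEx._message = "Unable to add the CA certificate to the server trust store.\n";
        contextEx._message += sslGetErrors();

        throw contextEx;
    }
}
```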
@@ -610,12 +728,12 @@ IceSecurity::Ssl::OpenSSL::System::System()
_randSeeded = 0;
_sslServerContext = 0;
_sslClientContext = 0;
-
- // Here we create a default verifier, which does very little other
- // than check the verification depth. This can be overridden.
- _clientVerifier = new DefaultCertificateVerifier();
- _serverVerifier = _clientVerifier;
-
+
+ // Here we create a default verifier, which does very little other
+ // than check the verification depth. This can be overridden.
+ _clientVerifier = new DefaultCertificateVerifier();
+ _serverVerifier = _clientVerifier;
+
SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();
@@ -666,7 +784,7 @@ IceSecurity::Ssl::OpenSSL::System::initClient(GeneralConfig& general,
// Set the certificate verification mode.
SSL_CTX_set_verify(_sslClientContext, general.getVerifyMode(), verifyCallback);
- // Set the certificate verify depth to 10 deep.
+ // Set the certificate verify depth
SSL_CTX_set_verify_depth(_sslClientContext, general.getVerifyDepth());
// Process the RSA Certificate
@@ -747,8 +865,8 @@ IceSecurity::Ssl::OpenSSL::System::initServer(GeneralConfig& general,
SSL_CTX_set_verify(_sslServerContext, general.getVerifyMode(), verifyCallback);
// Set the certificate verify depth
- SSL_CTX_set_verify_depth(_sslServerContext, general.getVerifyDepth());
-
+ SSL_CTX_set_verify_depth(_sslServerContext, general.getVerifyDepth());
+
// Set the default context for the SSL system (can be overridden if needed) [SERVER ONLY].
SSL_CTX_set_session_id_context(_sslServerContext,
reinterpret_cast<const unsigned char *>(_sessionContext.c_str()),
@@ -789,15 +907,15 @@ IceSecurity::Ssl::OpenSSL::System::getSslMethod(SslProtocol sslVersion)
default :
{
- if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
- {
- string errorString;
-
- errorString = "SSL Version ";
- errorString += sslVersion;
- errorString += " not supported - defaulting to SSL_V23.";
- _logger->trace(_traceLevels->securityCat, "WRN " + errorString);
- }
+ if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
+ {
+ string errorString;
+
+ errorString = "SSL Version ";
+ errorString += sslVersion;
+ errorString += " not supported - defaulting to SSL_V23.";
+ _logger->trace(_traceLevels->securityCat, "WRN " + errorString);
+ }
sslMethod = SSLv23_method();
}
@@ -845,10 +963,10 @@ IceSecurity::Ssl::OpenSSL::System::addKeyCert(SSL_CTX* sslContext,
if (privateKey.getFileName().empty())
{
- if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
- {
- _logger->trace(_traceLevels->securityCat, "WRN No private key specified - using the certificate.");
- }
+ if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
+ {
+ _logger->trace(_traceLevels->securityCat, "WRN No private key specified - using the certificate.");
+ }
privKeyFile = publicFile;
privKeyFileType = publicEncoding;
@@ -896,21 +1014,21 @@ IceSecurity::Ssl::OpenSSL::System::addKeyCert(SSL_CTX* sslContext,
if (privKey.empty())
{
- if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
- {
- _logger->trace(_traceLevels->securityCat, "WRN No private key specified - using the certificate.");
- }
+ if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
+ {
+ _logger->trace(_traceLevels->securityCat, "WRN No private key specified - using the certificate.");
+ }
privKey = publicKey;
}
-
- // Make a key pair based on the Base64 encoded strings
- RSAKeyPair keyPair(privateKey, publicKey);
-
- // Janitors to ensure that everything gets cleaned up properly
- RSAJanitor rsaJanitor(keyPair.getRSAPrivateKey());
- X509Janitor x509Janitor(keyPair.getX509PublicKey());
-
+
+ // Make a key pair based on the Base64 encoded strings
+ RSAKeyPair keyPair(privateKey, publicKey);
+
+ // Janitors to ensure that everything gets cleaned up properly
+ RSAJanitor rsaJanitor(keyPair.getRSAPrivateKey());
+ X509Janitor x509Janitor(keyPair.getX509PublicKey());
+
// Set which Public Key file to use.
if (SSL_CTX_use_certificate(sslContext, x509Janitor.get()) <= 0)
{
@@ -928,6 +1046,8 @@ IceSecurity::Ssl::OpenSSL::System::addKeyCert(SSL_CTX* sslContext,
throw contextEx;
}
+ x509Janitor.clear();
+
// Set which Private Key file to use.
if (SSL_CTX_use_RSAPrivateKey(sslContext, rsaJanitor.get()) <= 0)
{
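Review bot: `x509Janitor.clear();` (and `rsaJanitor.clear();` in the next hunk) is placed right after the corresponding `SSL_CTX_use_*` call succeeds; if `clear()` merely drops the janitor's pointer without freeing, the reference the janitor held is leaked on every call, because SSL_CTX_use_certificate() and SSL_CTX_use_RSAPrivateKey() take their own reference on the object rather than adopting the caller's (they bump the reference count in OpenSSL 0.9.x). The janitors should then stay armed and release the local reference on scope exit, as the code did before this commit, and the two `clear()` calls dropped. If `clear()` was added because a double free was observed, that points at RSAKeyPair also freeing the objects it hands out, which should be fixed there; SslJanitors.h is not in this diff, so that part is inferred. addKeyCert starts and ends outside the hunk.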
@@ -944,7 +1064,9 @@ IceSecurity::Ssl::OpenSSL::System::addKeyCert(SSL_CTX* sslContext,
throw contextEx;
}
-
+
+ rsaJanitor.clear();
+
// Check to see if the Private and Public keys that have been
// set against the SSL context match up.
if (!SSL_CTX_check_private_key(sslContext))
@@ -1032,7 +1154,7 @@ IceSecurity::Ssl::OpenSSL::System::sslGetErrors()
}
void
-IceSecurity::Ssl::OpenSSL::System::commonConnectionSetup(Connection* connection)
+IceSecurity::Ssl::OpenSSL::System::commonConnectionSetup(IceSecurity::Ssl::OpenSSL::Connection* connection)
{
connection->setTrace(_traceLevels);
connection->setLogger(_logger);
@@ -1044,8 +1166,7 @@ IceSecurity::Ssl::OpenSSL::System::commonConnectionSetup(Connection* connection)
if (!value.empty())
{
- // const_cast<int&>(handshakeReadTimeout) = atoi(value.c_str());
- handshakeReadTimeout = atoi(value.c_str());
+ handshakeReadTimeout = atoi(value.c_str());
}
else
{
@@ -1073,19 +1194,13 @@ IceSecurity::Ssl::OpenSSL::System::createConnection(SSL_CTX* sslContext, int soc
BIO_set_callback_arg(SSL_get_rbio(sslConnection), 0);
}
- // TODO: Remove?
- // Map the SSL Connection to this SslSystem
- // This is required for the OpenSSL callbacks
- // to work properly.
- // Factory::addSystemHandle(sslConnection, this);
-
return sslConnection;
}
void
IceSecurity::Ssl::OpenSSL::System::loadCAFiles(SSL_CTX* sslContext, CertificateAuthority& certAuth)
-{
- assert(sslContext);
+{
+ assert(sslContext);
string caFile = certAuth.getCAFileName();
string caPath = certAuth.getCAPath();
@@ -1097,7 +1212,7 @@ void
IceSecurity::Ssl::OpenSSL::System::loadCAFiles(SSL_CTX* sslContext, const char* caFile, const char* caPath)
{
assert(sslContext);
-
+
// The following checks are required to send the expected values to the OpenSSL library.
// It does not like receiving "", but prefers NULLs.
if ((caFile != 0) && (strlen(caFile) == 0))
@@ -1110,15 +1225,27 @@ IceSecurity::Ssl::OpenSSL::System::loadCAFiles(SSL_CTX* sslContext, const char*
caPath = 0;
}
+ // SSL_CTX_set_default_passwd_cb(sslContext, passwordCallback);
+
// Check the Certificate Authority file(s).
- if ((!SSL_CTX_load_verify_locations(sslContext, caFile, caPath)) ||
- (!SSL_CTX_set_default_verify_paths(sslContext)))
+ int loadVerifyRet = SSL_CTX_load_verify_locations(sslContext, caFile, caPath);
+
+ if (!loadVerifyRet)
+ {
+ if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
+ {
+ _logger->trace(_traceLevels->securityCat, "WRN Unable to load Certificate Authorities.");
+ }
+ }
+ else
{
- // Non Fatal.
- if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
- {
- _logger->trace(_traceLevels->securityCat, "WRN Unable to load/verify Certificate Authorities.");
- }
+ int setDefaultVerifyPathsRet = SSL_CTX_set_default_verify_paths(sslContext);
+
+
+ if (!setDefaultVerifyPathsRet && (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS))
+ {
+ _logger->trace(_traceLevels->securityCat, "WRN Unable to verify Certificate Authorities.");
+ }
}
}
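Review bot: When SSL_CTX_load_verify_locations() fails, the new branch logs `WRN Unable to load Certificate Authorities.` and carries on, so the context keeps an empty trust store and, depending on the verify mode the caller configured, peer certificates may be accepted unverified or every handshake may fail, with no OpenSSL detail in the log. The caller asked for a specific CA file or path, so failing to load it is a configuration error: either throw ContextException as addKeyCert does, or at least append `sslGetErrors()` to the warning as setCipherList does. The message for the set_default_verify_paths failure, `WRN Unable to verify Certificate Authorities.`, is misleading because nothing was verified; `WRN Unable to add the default CA paths.` states what happened. The commented-out `SSL_CTX_set_default_passwd_cb(sslContext, passwordCallback);` line should go together with the passwordCallback hack rather than stay as a reminder.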
@@ -1126,22 +1253,33 @@ void
IceSecurity::Ssl::OpenSSL::System::loadAndCheckCAFiles(SSL_CTX* sslContext, CertificateAuthority& certAuth)
{
assert(sslContext);
-
+
string caFile = certAuth.getCAFileName();
string caPath = certAuth.getCAPath();
// Check the Certificate Authority file(s).
loadCAFiles(sslContext, caFile.c_str(), caPath.c_str());
- if (!caPath.empty())
+ // NOTE: This might require some cleaning up.
+ string caCertBase64 = _properties->getProperty("Ice.Security.Ssl.Overrides.Server.CACertificate");
+ if (!caCertBase64.empty())
+ {
+ setServerCertAuthorityCertificate(caCertBase64);
+ }
+
+ // TODO: Check this if things stop working
+ if (!caFile.empty())
{
STACK_OF(X509_NAME)* certNames = SSL_load_client_CA_file(caFile.c_str());
- if ((certNames == 0) && (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS))
+ if (certNames == 0)
{
- string errorString = "Unable to load Certificate Authorities certificate names from " + caFile + ".\n";
- errorString += sslGetErrors();
- _logger->trace(_traceLevels->securityCat, "WRN " + errorString);
+ if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
+ {
+ string errorString = "Unable to load Certificate Authorities certificate names from " + caFile + ".\n";
+ errorString += sslGetErrors();
+ _logger->trace(_traceLevels->securityCat, "WRN " + errorString);
+ }
}
else
{
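Review bot: The override read from `Ice.Security.Ssl.Overrides.Server.CACertificate` is applied through setServerCertAuthorityCertificate, which always targets `_sslServerContext`, while everything else in loadAndCheckCAFiles works on the `sslContext` parameter; if this helper is ever called for the client context the override CA lands in the wrong trust store, and if it is server-only that contract is undocumented. Either move the override into initServer next to the loadAndCheckCAFiles call, or guard it here with `assert(sslContext == _sslServerContext);` and let the `// NOTE:` comment state that the helper is server-side only. The switch of the guard from `caPath` to `caFile` matches what SSL_load_client_CA_file actually reads, so the `// TODO: Check this if things stop working` comment can be replaced by a statement of that fact. The remainder of the function is outside the hunk.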
@@ -1153,7 +1291,7 @@ IceSecurity::Ssl::OpenSSL::System::loadAndCheckCAFiles(SSL_CTX* sslContext, Cert
DH*
IceSecurity::Ssl::OpenSSL::System::loadDHParam(const char* dhfile)
{
- assert(dhfile);
+ assert(dhfile);
DH* ret = 0;
BIO* bio;
@@ -1207,6 +1345,8 @@ IceSecurity::Ssl::OpenSSL::System::setDHParams(SSL_CTX* sslContext, BaseCertific
string dhFile;
int encoding = 0;
+ // TODO: This just looks plain wrong. RSA instead of DH params??? -ASN
+
if (baseCerts.getDHParams().getKeySize() != 0)
{
dhFile = baseCerts.getDHParams().getFileName();
@@ -1229,11 +1369,11 @@ IceSecurity::Ssl::OpenSSL::System::setDHParams(SSL_CTX* sslContext, BaseCertific
if (dh == 0)
{
- if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
- {
- _logger->trace(_traceLevels->securityCat,
- "WRN Could not load Diffie-Hellman params, generating a temporary 512bit key.");
- }
+ if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
+ {
+ _logger->trace(_traceLevels->securityCat,
+ "WRN Could not load Diffie-Hellman params, generating a temporary 512bit key.");
+ }
dh = getTempDH512();
}
@@ -1249,12 +1389,12 @@ IceSecurity::Ssl::OpenSSL::System::setDHParams(SSL_CTX* sslContext, BaseCertific
void
IceSecurity::Ssl::OpenSSL::System::setCipherList(SSL_CTX* sslContext, const string& cipherList)
{
- if (!cipherList.empty() && (!SSL_CTX_set_cipher_list(sslContext, cipherList.c_str())) &&
+ if (!cipherList.empty() && (!SSL_CTX_set_cipher_list(sslContext, cipherList.c_str())) &&
(_traceLevels->security >= IceSecurity::SECURITY_WARNINGS))
{
string errorString = "WRN Error setting cipher list " + cipherList + " - using default list.\n";
errorString += sslGetErrors();
- _logger->trace(_traceLevels->securityCat, errorString);
+ _logger->trace(_traceLevels->securityCat, errorString);
}
}
@@ -1335,11 +1475,11 @@ IceSecurity::Ssl::OpenSSL::System::initRandSystem(const string& randBytesFiles)
{
long randBytesLoaded = 0;
- if (!seedRand() && randBytesFiles.empty() && !RAND_status() &&
+ if (!seedRand() && randBytesFiles.empty() && !RAND_status() &&
(_traceLevels->security >= IceSecurity::SECURITY_WARNINGS))
{
- _logger->trace(_traceLevels->securityCat,
- "WRN There is a lack of random data, consider specifying a random data file.");
+ _logger->trace(_traceLevels->securityCat,
+ "WRN There is a lack of random data, consider specifying a random data file.");
}
if (!randBytesFiles.empty())