zeroc-ice 3.6b1 → 3.6.0

data/ext/ice/cpp/src/IceSSL/OpenSSLTransceiverI.cpp

@@ -1,6 +1,6 @@
 // **********************************************************************
 //
-// Copyright (c) 2003-2014 ZeroC, Inc. All rights reserved.
+// Copyright (c) 2003-2015 ZeroC, Inc. All rights reserved.
 //
 // This copy of Ice is licensed to you under the terms described in the
 // ICE_LICENSE file included in this distribution.
@@ -65,6 +65,19 @@ Init init;
 }
 #endif
 
+extern "C"
+{
+
+int
+IceSSL_opensslVerifyCallback(int ok, X509_STORE_CTX* ctx)
+{
+    SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
+    TransceiverI* p = reinterpret_cast<TransceiverI*>(SSL_get_ex_data(ssl, 0));
+    return p->verifyCallback(ok, ctx);
+}
+
+}
+
 IceInternal::NativeInfoPtr
 IceSSL::TransceiverI::getNativeInfo()
 {
@@ -102,6 +115,35 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
             throw ex;
         }
         SSL_set_bio(_ssl, bio, bio);
+
+        //
+        // Store a pointer to ourself for use in OpenSSL callbacks.
+        //
+        SSL_set_ex_data(_ssl, 0, this);
+
+        //
+        // Determine whether a certificate is required from the peer.
+        //
+        {
+            int sslVerifyMode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+            switch(_engine->getVerifyPeer())
+            {
+                case 0:
+                    sslVerifyMode = SSL_VERIFY_NONE;
+                    break;
+                case 1:
+                    sslVerifyMode = SSL_VERIFY_PEER;
+                    break;
+                case 2:
+                    sslVerifyMode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+                    break;
+                default:
+                {
+                    assert(false);
+                }
+            }
+            SSL_set_verify(_ssl, sslVerifyMode, IceSSL_opensslVerifyCallback);
+        }
     }
 
     while(!SSL_is_init_finished(_ssl))
@@ -125,7 +167,6 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
 #if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x100000bfL
         sync.release();
 #endif
-
         if(ret <= 0)
         {
             switch(SSL_get_error(_ssl, ret))
@@ -217,8 +258,7 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
             if(_engine->securityTraceLevel() >= 1)
             {
                 ostringstream ostr;
-                ostr << "IceSSL: ignoring certificate verification failure:\n"
-                     << X509_verify_cert_error_string(result);
+                ostr << "IceSSL: ignoring certificate verification failure:\n" << X509_verify_cert_error_string(result);
                 _instance->logger()->trace(_instance->traceCategory(), ostr.str());
             }
         }
@@ -236,7 +276,12 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
             throw ex;
         }
     }
-    _engine->verifyPeer(_stream->fd(), _host, getNativeConnectionInfo());
+    else
+    {
+        _verified = true;
+    }
+    
+    _engine->verifyPeer(_stream->fd(), _host, NativeConnectionInfoPtr::dynamicCast(getInfo()));
 
     if(_engine->securityTraceLevel() >= 1)
     {
@@ -529,7 +574,18 @@ IceSSL::TransceiverI::toDetailedString() const
 Ice::ConnectionInfoPtr
 IceSSL::TransceiverI::getInfo() const
 {
-    return getNativeConnectionInfo();
+    NativeConnectionInfoPtr info = new NativeConnectionInfo();
+    fillConnectionInfo(info, info->nativeCerts);
+    return info;
+}
+
+Ice::ConnectionInfoPtr
+IceSSL::TransceiverI::getWSInfo(const Ice::HeaderDict& headers) const
+{
+    WSSNativeConnectionInfoPtr info = new WSSNativeConnectionInfo();
+    fillConnectionInfo(info, info->nativeCerts);
+    info->headers = headers;
+    return info;
 }
 
 void
@@ -537,6 +593,57 @@ IceSSL::TransceiverI::checkSendSize(const IceInternal::Buffer&)
 {
 }
 
+void
+IceSSL::TransceiverI::setBufferSize(int rcvSize, int sndSize)
+{
+    _stream->setBufferSize(rcvSize, sndSize);
+}
+
+int
+IceSSL::TransceiverI::verifyCallback(int ok, X509_STORE_CTX* c)
+{
+    if(!ok && _engine->securityTraceLevel() >= 1)
+    {
+        X509* cert = X509_STORE_CTX_get_current_cert(c);
+        int err = X509_STORE_CTX_get_error(c);
+        char buf[256];
+
+        Trace out(_engine->getLogger(), _engine->securityTraceCategory());
+        out << "certificate verification failure\n";
+
+        X509_NAME_oneline(X509_get_issuer_name(cert), buf, static_cast<int>(sizeof(buf)));
+        out << "issuer = " << buf << '\n';
+        X509_NAME_oneline(X509_get_subject_name(cert), buf, static_cast<int>(sizeof(buf)));
+        out << "subject = " << buf << '\n';
+        out << "depth = " << X509_STORE_CTX_get_error_depth(c) << '\n';
+        out << "error = " << X509_verify_cert_error_string(err) << '\n';
+        out << IceInternal::fdToString(SSL_get_fd(_ssl));
+    }
+
+    //
+    // Initialize the native certs with the verified certificate chain. SSL_get_peer_cert_chain
+    // doesn't return the verified chain, it returns the chain sent by the peer.
+    //
+    STACK_OF(X509)* chain = X509_STORE_CTX_get1_chain(c);
+    if(chain != 0)
+    {
+        _nativeCerts.clear();
+        for(int i = 0; i < sk_X509_num(chain); ++i)
+        {
+            _nativeCerts.push_back(new Certificate(X509_dup(sk_X509_value(chain, i))));
+        }
+        sk_X509_pop_free(chain, X509_free);
+    }
+
+    //
+    // Always return 1 to prevent SSL_connect/SSL_accept from
+    // returning SSL_ERROR_SSL for verification failures. This ensure
+    // that we can raise SecurityException for verification failures
+    // rather than a ProtocolException.
+    //
+    return 1;
+}
+
 IceSSL::TransceiverI::TransceiverI(const InstancePtr& instance, const IceInternal::StreamSocketPtr& stream,
                                    const string& hostOrAdapterName, bool incoming) :
     _instance(instance),
@@ -545,6 +652,7 @@ IceSSL::TransceiverI::TransceiverI(const InstancePtr& instance, const IceInterna
     _adapterName(incoming ? hostOrAdapterName : ""),
     _incoming(incoming),
     _stream(stream),
+    _verified(false),
     _ssl(0)
 {
 }
@@ -553,55 +661,30 @@ IceSSL::TransceiverI::~TransceiverI()
 {
 }
 
-NativeConnectionInfoPtr
-IceSSL::TransceiverI::getNativeConnectionInfo() const
+void
+IceSSL::TransceiverI::fillConnectionInfo(const ConnectionInfoPtr& info, std::vector<CertificatePtr>& nativeCerts) const
 {
-    NativeConnectionInfoPtr info = new NativeConnectionInfo();
-    IceInternal::fdToAddressAndPort(_stream->fd(), info->localAddress, info->localPort, info->remoteAddress, 
+    IceInternal::fdToAddressAndPort(_stream->fd(), info->localAddress, info->localPort, info->remoteAddress,
                                     info->remotePort);
-
+    if(_stream->fd() != INVALID_SOCKET)
+    {
+        info->rcvSize = IceInternal::getRecvBufferSize(_stream->fd());
+        info->sndSize = IceInternal::getSendBufferSize(_stream->fd());
+    }
+    info->adapterName = _adapterName;
+    info->incoming = _incoming;
+    info->verified = _verified;
+    nativeCerts = _nativeCerts;
+    for(vector<CertificatePtr>::const_iterator p = _nativeCerts.begin(); p != _nativeCerts.end(); ++p)
+    {
+        info->certs.push_back((*p)->encode());
+    }
     if(_ssl != 0)
     {
-        //
-        // On the client side, SSL_get_peer_cert_chain returns the entire chain of certs.
-        // On the server side, the peer certificate must be obtained separately.
-        //
-        // Since we have no clear idea whether the connection is server or client side,
-        // the peer certificate is obtained separately and compared against the first
-        // certificate in the chain. If they are not the same, it is added to the chain.
-        //
-        X509* cert = SSL_get_peer_certificate(_ssl);
-        STACK_OF(X509)* chain = SSL_get_peer_cert_chain(_ssl);
-        if(cert != 0 && (chain == 0 || sk_X509_num(chain) == 0 || cert != sk_X509_value(chain, 0)))
-        {
-            CertificatePtr certificate = new Certificate(cert);
-            info->nativeCerts.push_back(certificate);
-            info->certs.push_back(certificate->encode());
-        }
-        else
-        {
-            X509_free(cert);
-        }
-
-        if(chain != 0)
-        {
-            for(int i = 0; i < sk_X509_num(chain); ++i)
-            {
-                //
-                // Duplicate the certificate since the stack comes straight from the SSL connection.
-                //
-                CertificatePtr certificate = new Certificate(X509_dup(sk_X509_value(chain, i)));
-                info->nativeCerts.push_back(certificate);
-                info->certs.push_back(certificate->encode());
-            }
-        }
-
         info->cipher = SSL_get_cipher_name(_ssl); // Nothing needs to be free'd.
     }
-
     info->adapterName = _adapterName;
     info->incoming = _incoming;
-    return info;
 }
 
 #endif

data/ext/ice/cpp/src/IceSSL/OpenSSLTransceiverI.h

@@ -1,6 +1,6 @@
 // **********************************************************************
 //
-// Copyright (c) 2003-2014 ZeroC, Inc. All rights reserved.
+// Copyright (c) 2003-2015 ZeroC, Inc. All rights reserved.
 //
 // This copy of Ice is licensed to you under the terms described in the
 // ICE_LICENSE file included in this distribution.
@@ -11,6 +11,7 @@
 #define ICE_SSL_TRANSCEIVER_I_H
 
 #include <IceSSL/Config.h>
+#include <IceSSL/Util.h>
 #include <IceSSL/InstanceF.h>
 #include <IceSSL/Plugin.h>
 #include <IceSSL/SSLEngineF.h>
@@ -18,6 +19,7 @@
 #include <Ice/Transceiver.h>
 #include <Ice/Network.h>
 #include <Ice/StreamSocket.h>
+#include <Ice/WSTransceiver.h>
 
 #ifdef ICE_USE_OPENSSL
 
@@ -30,7 +32,7 @@ namespace IceSSL
 class ConnectorI;
 class AcceptorI;
 
-class TransceiverI : public IceInternal::Transceiver
+class TransceiverI : public IceInternal::Transceiver, public IceInternal::WSTransceiverDelegate
 {
 public:
 
@@ -45,14 +47,18 @@ public:
     virtual std::string toString() const;
     virtual std::string toDetailedString() const;
     virtual Ice::ConnectionInfoPtr getInfo() const;
+    virtual Ice::ConnectionInfoPtr getWSInfo(const Ice::HeaderDict&) const;
     virtual void checkSendSize(const IceInternal::Buffer&);
+    virtual void setBufferSize(int rcvSize, int sndSize);
+
+    int verifyCallback(int , X509_STORE_CTX*);
 
 private:
 
     TransceiverI(const InstancePtr&, const IceInternal::StreamSocketPtr&, const std::string&, bool);
     virtual ~TransceiverI();
 
-    virtual NativeConnectionInfoPtr getNativeConnectionInfo() const;
+    void fillConnectionInfo(const ConnectionInfoPtr&, std::vector<CertificatePtr>&) const;
 
     friend class ConnectorI;
     friend class AcceptorI;
@@ -63,6 +69,8 @@ private:
     const std::string _adapterName;
     const bool _incoming;
     const IceInternal::StreamSocketPtr _stream;
+    bool _verified;
+    std::vector<CertificatePtr> _nativeCerts;
 
     SSL* _ssl;
 };

data/ext/ice/cpp/src/IceSSL/PluginI.cpp

@@ -1,6 +1,6 @@
 // **********************************************************************
 //
-// Copyright (c) 2003-2014 ZeroC, Inc. All rights reserved.
+// Copyright (c) 2003-2015 ZeroC, Inc. All rights reserved.
 //
 // This copy of Ice is licensed to you under the terms described in the
 // ICE_LICENSE file included in this distribution.
@@ -12,7 +12,6 @@
 #include <IceSSL/SSLEngine.h>
 #include <IceSSL/EndpointI.h>
 
-#include <Ice/WSEndpoint.h>
 #include <Ice/ProtocolPluginFacade.h>
 #include <Ice/ProtocolInstance.h>
 #include <Ice/LocalException.h>
@@ -27,7 +26,7 @@ using namespace IceSSL;
 extern "C"
 {
 
-ICE_DECLSPEC_EXPORT Ice::Plugin*
+ICE_SSL_API Ice::Plugin*
 createIceSSL(const CommunicatorPtr& communicator, const string& /*name*/, const StringSeq& /*args*/)
 {
     return new PluginI(communicator);
@@ -38,28 +37,23 @@ createIceSSL(const CommunicatorPtr& communicator, const string& /*name*/, const
 //
 // Plugin implementation.
 //
-IceSSL::PluginI::PluginI(const Ice::CommunicatorPtr& communicator)
+IceSSL::PluginI::PluginI(const Ice::CommunicatorPtr& com)
 {
 #if defined(ICE_USE_SECURE_TRANSPORT)
-    _engine = new SecureTransportEngine(communicator);
+    _engine = new SecureTransportEngine(com);
 #elif defined(ICE_USE_SCHANNEL)
-    _engine = new SChannelEngine(communicator);
+    _engine = new SChannelEngine(com);
 #else
-    _engine = new OpenSSLEngine(communicator);
+    _engine = new OpenSSLEngine(com);
 #endif
-    
-    IceInternal::ProtocolPluginFacadePtr facade = IceInternal::getProtocolPluginFacade(communicator);
-    
+
     //
     // Register the endpoint factory. We have to do this now, rather
     // than in initialize, because the communicator may need to
     // interpret proxies before the plug-in is fully initialized.
     //
     IceInternal::EndpointFactoryPtr sslFactory = new EndpointFactoryI(new Instance(_engine, EndpointType, "ssl"));
-    facade->addEndpointFactory(sslFactory);
-    
-    IceInternal::ProtocolInstancePtr wss = new IceInternal::ProtocolInstance(communicator, WSSEndpointType, "wss");
-    facade->addEndpointFactory(new IceInternal::WSEndpointFactory(wss, sslFactory->clone(wss)));
+    IceInternal::getProtocolPluginFacade(com)->addEndpointFactory(sslFactory);
 }
 
 void

data/ext/ice/cpp/src/IceSSL/PluginI.h

@@ -1,6 +1,6 @@
 // **********************************************************************
 //
-// Copyright (c) 2003-2014 ZeroC, Inc. All rights reserved.
+// Copyright (c) 2003-2015 ZeroC, Inc. All rights reserved.
 //
 // This copy of Ice is licensed to you under the terms described in the
 // ICE_LICENSE file included in this distribution.

data/ext/ice/cpp/src/IceSSL/RFC2253.cpp

@@ -1,6 +1,6 @@
 // **********************************************************************
 //
-// Copyright (c) 2003-2014 ZeroC, Inc. All rights reserved.
+// Copyright (c) 2003-2015 ZeroC, Inc. All rights reserved.
 //
 // This copy of Ice is licensed to you under the terms described in the
 // ICE_LICENSE file included in this distribution.

data/ext/ice/cpp/src/IceSSL/RFC2253.h

@@ -1,6 +1,6 @@
 // **********************************************************************
 //
-// Copyright (c) 2003-2014 ZeroC, Inc. All rights reserved.
+// Copyright (c) 2003-2015 ZeroC, Inc. All rights reserved.
 //
 // This copy of Ice is licensed to you under the terms described in the
 // ICE_LICENSE file included in this distribution.

data/ext/ice/cpp/src/IceSSL/SChannelEngine.cpp

@@ -1,6 +1,6 @@
 // **********************************************************************
 //
-// Copyright (c) 2003-2014 ZeroC, Inc. All rights reserved.
+// Copyright (c) 2003-2015 ZeroC, Inc. All rights reserved.
 //
 // This copy of Ice is licensed to you under the terms described in the
 // ICE_LICENSE file included in this distribution.
@@ -31,7 +31,7 @@ Shared* IceSSL::upCast(IceSSL::SChannelEngine* p) { return p; }
 namespace
 {
 
-#   ifdef __MINGW32__
+#if defined(__MINGW32__) || (defined(_MSC_VER) && (_MSC_VER <= 1500))
 //
 // CERT_CHAIN_ENGINE_CONFIG struct in mingw headers doesn't include
 // new members added in Windows 7, we add our ouwn definition and
@@ -53,36 +53,63 @@ struct CertChainEngineConfig
     HCERTSTORE hExclusiveRoot;
     HCERTSTORE hExclusiveTrustedPeople;
 };
-#   endif
+
+#endif
 
 void
-addCertificateToStore(const string& file, HCERTSTORE store, PCCERT_CONTEXT* cert = 0)
+addCertificatesToStore(const string& file, HCERTSTORE store, PCCERT_CONTEXT* cert = 0)
 {
     vector<char> buffer;
     readFile(file, buffer);
-    vector<BYTE> outBuffer;
-    outBuffer.resize(buffer.size());
-    DWORD outLength = static_cast<DWORD>(outBuffer.size());
-
-    if(!CryptStringToBinary(&buffer[0], static_cast<DWORD>(buffer.size()), CRYPT_STRING_BASE64HEADER,
-                            &outBuffer[0], &outLength, 0, 0))
+    if(buffer.empty())
     {
-        //
-        // Base64 data should always be bigger than binary
-        //
-        assert(GetLastError() != ERROR_MORE_DATA);
-        throw PluginInitializationException(__FILE__, __LINE__,
-                                "IceSSL: error decoding certificate:\n" + lastErrorToString());
+        throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: certificate file is empty:\n" + file);
     }
 
-    if(!CertAddEncodedCertificateToStore(store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &outBuffer[0],
-                                         outLength, CERT_STORE_ADD_NEW, cert))
+    string strbuf(buffer.begin(), buffer.end());
+    string::size_type size, startpos, endpos = 0;
+    bool first = true;
+    while(true)
     {
-        if(GetLastError() != static_cast<DWORD>(CRYPT_E_EXISTS))
+        startpos = strbuf.find("-----BEGIN CERTIFICATE-----", endpos);
+        if(startpos != string::npos)
+        {
+            endpos = strbuf.find("-----END CERTIFICATE-----", startpos);
+            size = endpos - startpos + sizeof("-----END CERTIFICATE-----");
+        }
+        else if(first)
         {
+            startpos = 0;
+            endpos = string::npos;
+            size = strbuf.size();
+        }
+        else
+        {
+            break;
+        }
+
+        vector<BYTE> outBuffer;
+        outBuffer.resize(size);
+        DWORD outLength = static_cast<DWORD>(outBuffer.size());
+        if(!CryptStringToBinary(&buffer[startpos], static_cast<DWORD>(size), CRYPT_STRING_ANY, &outBuffer[0],
+                                &outLength, 0, 0))
+        {
+            assert(GetLastError() != ERROR_MORE_DATA); // Base64 data should always be bigger than binary
             throw PluginInitializationException(__FILE__, __LINE__,
-                                "IceSSL: error decoding certificate:\n" + lastErrorToString());
+                                                "IceSSL: error decoding certificate:\n" + lastErrorToString());
         }
+
+        if(!CertAddEncodedCertificateToStore(store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &outBuffer[0],
+                                             outLength, CERT_STORE_ADD_NEW, first ? cert : 0))
+        {
+            if(GetLastError() != static_cast<DWORD>(CRYPT_E_EXISTS))
+            {
+                throw PluginInitializationException(__FILE__, __LINE__,
+                                                    "IceSSL: error decoding certificate:\n" + lastErrorToString());
+            }
+        }
+
+        first = false;
     }
 }
 
@@ -189,16 +216,16 @@ SChannelEngine::initialize()
     defaultProtocols.push_back("tls1_0");
     defaultProtocols.push_back("tls1_1");
     defaultProtocols.push_back("tls1_2");
-    const_cast<DWORD&>(_protocols) = 
-                    parseProtocols(properties->getPropertyAsListWithDefault(prefix + "Protocols", defaultProtocols));
+    const_cast<DWORD&>(_protocols) =
+        parseProtocols(properties->getPropertyAsListWithDefault(prefix + "Protocols", defaultProtocols));
 
     //
     // Check for a default directory. We look in this directory for
     // files mentioned in the configuration.
     //
-    string defaultDir = properties->getProperty(prefix + "DefaultDir");
+    const string defaultDir = properties->getProperty(prefix + "DefaultDir");
 
-    int passwordRetryMax = properties->getPropertyAsIntWithDefault(prefix + "PasswordRetryMax", 3);
+    const int passwordRetryMax = properties->getPropertyAsIntWithDefault(prefix + "PasswordRetryMax", 3);
     PasswordPromptPtr passwordPrompt = getPasswordPrompt();
     setPassword(properties->getProperty(prefix + "Password"));
 
@@ -229,38 +256,50 @@ SChannelEngine::initialize()
         getLogger()->trace(securityTraceCategory(), os.str());
     }
 
-    string certStore = properties->getPropertyWithDefault(prefix + "CertStore", "CurrentUser");
-    if(certStore != "CurrentUser" && certStore != "LocalMachine")
+    string certStoreLocation = properties->getPropertyWithDefault(prefix + "CertStoreLocation", "CurrentUser");
+    if(certStoreLocation != "CurrentUser" && certStoreLocation != "LocalMachine")
     {
-        getLogger()->warning("Invalid IceSSL.CertStore value `" + certStore + "' adjusted to `CurrentUser'");
-        certStore = "CurrentUser";
+        getLogger()->warning("invalid IceSSL.CertStoreLocation value `" + certStoreLocation +
+                             "' adjusted to `CurrentUser'");
+        certStoreLocation = "CurrentUser";
     }
 
     //
     // Create trusted CA store with contents of CertAuthFile
     //
-    string caFile = properties->getProperty(prefix + "CertAuthFile");
-    if(!caFile.empty())
+    string caFile = properties->getProperty(prefix + "CAs");
+    if(caFile.empty())
+    {
+        caFile = properties->getProperty(prefix + "CertAuthFile");
+    }
+    if(!caFile.empty() || properties->getPropertyAsInt("IceSSL.UsePlatformCAs") <= 0)
     {
         _rootStore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, 0, 0);
         if(!_rootStore)
         {
             throw PluginInitializationException(__FILE__, __LINE__,
-                    "IceSSL: error creating in memory certificate store:\n" + lastErrorToString());
+                                                "IceSSL: error creating in memory certificate store:\n" +
+                                                lastErrorToString());
         }
-
-        if(!checkPath(caFile, defaultDir, false))
+    }
+    if(!caFile.empty())
+    {
+        string resolved;
+        if(!checkPath(caFile, defaultDir, false, resolved))
         {
             throw PluginInitializationException(__FILE__, __LINE__,
                                                 "IceSSL: CA certificate file not found:\n" + caFile);
         }
 
-        addCertificateToStore(caFile, _rootStore);
+        addCertificatesToStore(resolved, _rootStore);
+    }
 
+    if(_rootStore)
+    {
         //
         // Create a chain engine that uses our Trusted Root Store
         //
-#ifdef __MINGW32__
+#if defined(__MINGW32__) || (defined(_MSC_VER) && (_MSC_VER <= 1500))
         CertChainEngineConfig config;
         memset(&config, 0, sizeof(CertChainEngineConfig));
         config.cbSize = sizeof(CertChainEngineConfig);
@@ -275,40 +314,30 @@ SChannelEngine::initialize()
         // Build the chain using the LocalMachine registry location as opposed
         // to the CurrentUser location.
         //
-        if(certStore == "LocalMachine")
+        if(certStoreLocation == "LocalMachine")
         {
             config.dwFlags = CERT_CHAIN_USE_LOCAL_MACHINE_STORE;
         }
 
-#ifdef __MINGW32__
+#if defined(__MINGW32__) || (defined(_MSC_VER) && (_MSC_VER <= 1500))
         if(!CertCreateCertificateChainEngine(reinterpret_cast<CERT_CHAIN_ENGINE_CONFIG*>(&config), &_chainEngine))
 #else
         if(!CertCreateCertificateChainEngine(&config, &_chainEngine))
 #endif
         {
             throw PluginInitializationException(__FILE__, __LINE__,
-                    "IceSSL: error creating certificate chain engine:\n" + lastErrorToString());
+                                                "IceSSL: error creating certificate chain engine:\n" +
+                                                lastErrorToString());
         }
     }
     else
     {
-        _chainEngine = (certStore == "LocalMachine") ? HCCE_LOCAL_MACHINE : HCCE_CURRENT_USER;
-    }
-
-    //
-    // Import the application certificate and private keys.
-    //
-    string keySet = properties->getPropertyWithDefault(prefix + "KeySet", "DefaultKeySet");
-    if(keySet != "DefaultKeySet" && keySet != "UserKeySet" && keySet != "MachineKeySet")
-    {
-        getLogger()->warning("Invalid IceSSL.KeySet value `" + keySet + "' adjusted to `DefaultKeySet'");
-        keySet = "DefaultKeySet";
+        _chainEngine = (certStoreLocation == "LocalMachine") ? HCCE_LOCAL_MACHINE : HCCE_CURRENT_USER;
     }
 
-    DWORD importFlags = (keySet == "MachineKeySet") ? CRYPT_MACHINE_KEYSET : CRYPT_USER_KEYSET;
-
     string certFile = properties->getProperty(prefix + "CertFile");
-    string keyFile = properties->getPropertyWithDefault(prefix + "KeyFile", certFile);
+    string keyFile = properties->getProperty(prefix + "KeyFile");
+    string findCert = properties->getProperty("IceSSL.FindCert");
 
     if(!certFile.empty())
     {
@@ -320,29 +349,39 @@ SChannelEngine::initialize()
         }
 
         vector<string> keyFiles;
-        if(!splitString(keyFile, IceUtilInternal::pathsep, keyFiles) || keyFiles.size() > 2)
+        if(!keyFile.empty())
         {
-            throw PluginInitializationException(__FILE__, __LINE__,
-                                                "IceSSL: invalid value for " + prefix + "KeyFile:\n" + keyFile);
-        }
+            if(!splitString(keyFile, IceUtilInternal::pathsep, keyFiles) || keyFiles.size() > 2)
+            {
+                throw PluginInitializationException(__FILE__, __LINE__,
+                                                    "IceSSL: invalid value for " + prefix + "KeyFile:\n" + keyFile);
+            }
 
-        if(certFiles.size() != keyFiles.size())
-        {
-            throw PluginInitializationException(__FILE__, __LINE__,
-                                        "IceSSL: " + prefix + "KeyFile does not agree with " + prefix + "CertFile");
+            if(certFiles.size() != keyFiles.size())
+            {
+                throw PluginInitializationException(__FILE__, __LINE__,
+                                            "IceSSL: " + prefix + "KeyFile does not agree with " + prefix + "CertFile");
+            }
         }
 
         for(size_t i = 0; i < certFiles.size(); ++i)
         {
             string certFile = certFiles[i];
-            if(!checkPath(certFile, defaultDir, false))
+            string resolved;
+            if(!checkPath(certFile, defaultDir, false, resolved))
             {
                 throw PluginInitializationException(__FILE__, __LINE__,
                                                     "IceSSL: certificate file not found:\n" + certFile);
             }
+            certFile = resolved;
 
             vector<char> buffer;
             readFile(certFile, buffer);
+            if(buffer.empty())
+            {
+                throw PluginInitializationException(__FILE__, __LINE__,
+                                                    "IceSSL: certificate file is empty:\n" + certFile);
+            }
 
             CRYPT_DATA_BLOB pfxBlob;
             pfxBlob.cbData = static_cast<DWORD>(buffer.size());
@@ -352,6 +391,7 @@ SChannelEngine::initialize()
             PCCERT_CONTEXT cert = 0;
             int err = 0;
             int count = 0;
+            DWORD importFlags = (certStoreLocation == "LocalMachine") ? CRYPT_MACHINE_KEYSET : CRYPT_USER_KEYSET;
             do
             {
                 string s = password(false);
@@ -362,19 +402,48 @@ SChannelEngine::initialize()
 
             if(store)
             {
-                _stores.push_back(store);
-                cert = CertFindCertificateInStore(store, X509_ASN_ENCODING, 0, CERT_FIND_ANY, 0, cert);
+                //
+                // Try to find a certificate chain.
+                //
+                CERT_CHAIN_FIND_BY_ISSUER_PARA para;
+                memset(&para, 0, sizeof(CERT_CHAIN_FIND_BY_ISSUER_PARA));
+                para.cbSize = sizeof(CERT_CHAIN_FIND_BY_ISSUER_PARA);
+
+                DWORD ff = CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_URL_FLAG; // Don't fetch anything from the Internet
+                PCCERT_CHAIN_CONTEXT chain = 0;
+                while(!cert)
+                {
+                    chain = CertFindChainInStore(store, X509_ASN_ENCODING, ff, CERT_CHAIN_FIND_BY_ISSUER, &para, chain);
+                    if(!chain)
+                    {
+                        break; // No more chains found in the store.
+                    }
+
+                    if(chain->cChain > 0 && chain->rgpChain[0]->cElement > 0)
+                    {
+                        cert = CertDuplicateCertificateContext(chain->rgpChain[0]->rgpElement[0]->pCertContext);
+                    }
+                    CertFreeCertificateChain(chain);
+                }
+
+                //
+                // Check if we can find a certificate if we couldn't find a chain.
+                //
+                if(!cert)
+                {
+                    cert = CertFindCertificateInStore(store, X509_ASN_ENCODING, 0, CERT_FIND_ANY, 0, cert);
+                }
                 if(!cert)
                 {
                     throw PluginInitializationException(__FILE__, __LINE__,
-                                            "IceSSL: certificate error:\n" + lastErrorToString());
+                                                        "IceSSL: certificate error:\n" + lastErrorToString());
                 }
-                _certs.push_back(cert);
+                _allCerts.push_back(cert);
+                _stores.push_back(store);
                 continue;
             }
 
             assert(err);
-
             if(err != CRYPT_E_BAD_ENCODE)
             {
                 throw PluginInitializationException(__FILE__, __LINE__,
@@ -384,14 +453,24 @@ SChannelEngine::initialize()
             //
             // Try to load certificate & key as PEM files.
             //
+            if(keyFiles.empty())
+            {
+                throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: no key file specified");
+            }
+
             err = 0;
             keyFile = keyFiles[i];
-            if(!checkPath(keyFile, defaultDir, false))
+            if(!checkPath(keyFile, defaultDir, false, resolved))
             {
                 throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: key file not found:\n" + keyFile);
             }
+            keyFile = resolved;
 
             readFile(keyFile, buffer);
+            if(buffer.empty())
+            {
+                throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: key file is empty:\n" + keyFile);
+            }
 
             vector<BYTE> outBuffer;
             outBuffer.resize(buffer.size());
@@ -403,31 +482,56 @@ SChannelEngine::initialize()
             if(!CryptStringToBinary(&buffer[0], static_cast<DWORD>(buffer.size()), CRYPT_STRING_BASE64HEADER,
                                     &outBuffer[0], &outLength, 0, 0))
             {
-                throw PluginInitializationException(__FILE__, __LINE__,
-                                            "IceSSL: error decoding key:\n" + lastErrorToString());
+                throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: error decoding key `" + keyFile +
+                                                    "':\n" + lastErrorToString());
             }
 
             PCRYPT_PRIVATE_KEY_INFO keyInfo = 0;
             BYTE* key = 0;
             HCRYPTKEY hKey = 0;
-
             try
             {
+                //
+                // First try to decode as a PKCS#8 key, if that fails try PKCS#1.
+                //
                 DWORD decodedLength = 0;
-                if(!CryptDecodeObjectEx(X509_ASN_ENCODING, PKCS_PRIVATE_KEY_INFO, &outBuffer[0], outLength,
-                                        CRYPT_DECODE_ALLOC_FLAG, 0, &keyInfo, &decodedLength))
+                if(CryptDecodeObjectEx(X509_ASN_ENCODING, PKCS_PRIVATE_KEY_INFO, &outBuffer[0], outLength,
+                                       CRYPT_DECODE_ALLOC_FLAG, 0, &keyInfo, &decodedLength))
                 {
-                    throw PluginInitializationException(__FILE__, __LINE__,
-                                            "IceSSL: error decoding key:\n" + lastErrorToString());
+                    //
+                    // Check that we are using a RSA Key
+                    //
+                    if(strcmp(keyInfo->Algorithm.pszObjId, szOID_RSA_RSA))
+                    {
+                        throw PluginInitializationException(__FILE__, __LINE__,
+                                                        string("IceSSL: error unknow key algorithm: `") +
+                                                            keyInfo->Algorithm.pszObjId + "'");
+                    }
+
+                    //
+                    // Decode the private key BLOB
+                    //
+                    if(!CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, PKCS_RSA_PRIVATE_KEY,
+                                            keyInfo->PrivateKey.pbData, keyInfo->PrivateKey.cbData,
+                                            CRYPT_DECODE_ALLOC_FLAG, 0, &key, &outLength))
+                    {
+                        throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: error decoding key `" +
+                                                            keyFile + "':\n" + lastErrorToString());
+                    }
+                    LocalFree(keyInfo);
+                    keyInfo = 0;
                 }
-
-                //
-                // Check that we are using a RSA Key
-                //
-                if(strcmp(keyInfo->Algorithm.pszObjId, szOID_RSA_RSA))
+                else
                 {
-                    throw PluginInitializationException(__FILE__, __LINE__,
-                                string("IceSSL: error unknow key algorithm: `") + keyInfo->Algorithm.pszObjId + "'");
+                    //
+                    // Decode the private key BLOB
+                    //
+                    if(!CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, PKCS_RSA_PRIVATE_KEY,
+                                            &outBuffer[0], outLength, CRYPT_DECODE_ALLOC_FLAG, 0, &key, &outLength))
+                    {
+                        throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: error decoding key `" +
+                                                            keyFile + "':\n" + lastErrorToString());
+                    }
                 }
 
                 //
@@ -436,35 +540,26 @@ SChannelEngine::initialize()
                 const wstring keySetName = stringToWstring(generateUUID());
                 HCRYPTPROV cryptProv = 0;
 
-                DWORD contextFlags = (keySet == "MachineKeySet") ? CRYPT_MACHINE_KEYSET | CRYPT_NEWKEYSET :
-                                                                   CRYPT_NEWKEYSET;
-
-                if(!CryptAcquireContextW(&cryptProv, keySetName.c_str(), MS_DEF_PROV_W, PROV_RSA_FULL, contextFlags))
+                DWORD contextFlags = CRYPT_NEWKEYSET;
+                if(certStoreLocation == "LocalMachine")
                 {
-                    throw PluginInitializationException(__FILE__, __LINE__,
-                            "IceSSL: error acquiring cryptographic context:\n" + lastErrorToString());
-                }
+                    contextFlags |= CRYPT_MACHINE_KEYSET;
+                }                                                                   ;
 
-                //
-                // Decode the private key BLOB
-                //
-                if(!CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, PKCS_RSA_PRIVATE_KEY,
-                                        keyInfo->PrivateKey.pbData, keyInfo->PrivateKey.cbData,
-                                        CRYPT_DECODE_ALLOC_FLAG, 0, &key, &outLength))
+                if(!CryptAcquireContextW(&cryptProv, keySetName.c_str(), MS_ENHANCED_PROV_W, PROV_RSA_FULL,
+                                         contextFlags))
                 {
-                    throw PluginInitializationException(__FILE__, __LINE__,
-                                            "IceSSL: error decoding key:\n" + lastErrorToString());
+                    throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: error acquiring cryptographic "
+                                                        "context:\n" + lastErrorToString());
                 }
-                LocalFree(keyInfo);
-                keyInfo = 0;
 
                 //
                 // Import the private key
                 //
                 if(!CryptImportKey(cryptProv, key, outLength, 0, 0, &hKey))
                 {
-                    throw PluginInitializationException(__FILE__, __LINE__,
-                                            "IceSSL: error importing key:\n" + lastErrorToString());
+                    throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: error importing key `" + keyFile +
+                                                        "':\n" + lastErrorToString());
                 }
                 LocalFree(key);
                 key = 0;
@@ -478,11 +573,11 @@ SChannelEngine::initialize()
                 store = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, 0, 0);
                 if(!store)
                 {
-                    throw PluginInitializationException(__FILE__, __LINE__,
-                                "IceSSL: error creating certificate store:\n" + lastErrorToString());
+                    throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: error creating certificate "
+                                                        "store:\n" + lastErrorToString());
                 }
 
-                addCertificateToStore(certFile, store, &cert);
+                addCertificatesToStore(certFile, store, &cert);
 
                 //
                 // Associate key & certificate
@@ -493,14 +588,14 @@ SChannelEngine::initialize()
                 keyProvInfo.pwszProvName = const_cast<wchar_t*>(MS_DEF_PROV_W);
                 keyProvInfo.dwProvType = PROV_RSA_FULL;
                 keyProvInfo.dwKeySpec = AT_KEYEXCHANGE;
-
                 if(!CertSetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, 0, &keyProvInfo))
                 {
-                    throw PluginInitializationException(__FILE__, __LINE__,
-                                "IceSSL: error seting certificate property:\n" + lastErrorToString());
+                    throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: error seting certificate "
+                                                        "property:\n" + lastErrorToString());
                 }
 
-                _certs.push_back(cert);
+                _importedCerts.push_back(cert);
+                _allCerts.push_back(cert);
                 _stores.push_back(store);
             }
             catch(...)
@@ -532,31 +627,16 @@ SChannelEngine::initialize()
                 throw;
             }
         }
-
-        _allCerts.insert(_allCerts.end(), _certs.begin(), _certs.end());
     }
-
-    const string findPrefix = prefix + "FindCert.";
-    map<string, string> certProps = properties->getPropertiesForPrefix(findPrefix);
-    if(!certProps.empty())
+    else if(!findCert.empty())
     {
-        for(map<string, string>::const_iterator i = certProps.begin(); i != certProps.end(); ++i)
-        {
-            const string name = i->first;
-            const string val = i->second;
-
-            if(!val.empty())
-            {
-                string storeSpec = name.substr(findPrefix.size());
-                vector<PCCERT_CONTEXT> certs = findCertificates(name, storeSpec, val, _stores);
-                _allCerts.insert(_allCerts.end(), certs.begin(), certs.end());
-            }
-        }
-
-        if(_allCerts.empty())
+        string certStore = properties->getPropertyWithDefault(prefix + "CertStore", "My");
+        vector<PCCERT_CONTEXT> certs = findCertificates(certStoreLocation, certStore, findCert, _stores);
+        if(certs.empty())
         {
             throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: no certificates found");
         }
+        _allCerts.insert(_allCerts.end(), certs.begin(), certs.end());
     }
     _initialized = true;
 }
@@ -627,10 +707,15 @@ SChannelEngine::newCredentialsHandle(bool incoming)
         // the root certificate either way.
         //
         cred.dwFlags = SCH_CRED_NO_SYSTEM_MAPPER;
-        if(_rootStore)
-        {
-            cred.hRootStore = _rootStore;
-        }
+
+        //
+        // There's no way to prevent SChannel from sending "CA names" to the
+        // client. Recent Windows versions don't CA names but older ones do
+        // send all the trusted root CA names. We provide the root store to
+        // ensure that for these older Windows versions, we also include the
+        // CA names of our trusted roots.
+        //
+        cred.hRootStore = _rootStore;
     }
     else
     {
@@ -646,9 +731,9 @@ SChannelEngine::newCredentialsHandle(bool incoming)
     CredHandle credHandle;
     memset(&credHandle, 0, sizeof(credHandle));
 
-    SECURITY_STATUS err =
-        AcquireCredentialsHandle(0, const_cast<char*>(UNISP_NAME), (incoming ? SECPKG_CRED_INBOUND : SECPKG_CRED_OUTBOUND), 0, &cred, 0,
-                                 0, &credHandle, 0);
+    SECURITY_STATUS err = AcquireCredentialsHandle(0, const_cast<char*>(UNISP_NAME),
+                                                   (incoming ? SECPKG_CRED_INBOUND : SECPKG_CRED_OUTBOUND),
+                                                   0, &cred, 0, 0, &credHandle, 0);
 
     if(err != SEC_E_OK)
     {
@@ -692,33 +777,30 @@ SChannelEngine::destroy()
         CertCloseStore(_rootStore, 0);
     }
 
-    for(vector<PCCERT_CONTEXT>::const_iterator i = _allCerts.begin(); i != _allCerts.end(); ++i)
+    for(vector<PCCERT_CONTEXT>::const_iterator i = _importedCerts.begin(); i != _importedCerts.end(); ++i)
     {
-        PCCERT_CONTEXT cert = *i;
-
         //
-        // Only remove the keysets we create.
+        // Retrieve the certificate CERT_KEY_PROV_INFO_PROP_ID property, we use the CRYPT_KEY_PROV_INFO
+        // data to remove the key set associated with the certificate.
         //
-        if(find(_certs.begin(), _certs.end(), cert) != _certs.end())
+        DWORD length = 0;
+        if(!CertGetCertificateContextProperty(*i, CERT_KEY_PROV_INFO_PROP_ID, 0, &length))
         {
-            //
-            // Retrieve the certificate CERT_KEY_PROV_INFO_PROP_ID property, we use the CRYPT_KEY_PROV_INFO
-            // data to then remove the key set associated with the certificate.
-            //
-            DWORD length = 0;
-            if(CertGetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, 0, &length))
-            {
-                vector<char> buf(length);
-                if(CertGetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, &buf[0], &length))
-                {
-                    CRYPT_KEY_PROV_INFO* keyProvInfo = reinterpret_cast<CRYPT_KEY_PROV_INFO*>(&buf[0]);
-                    HCRYPTPROV cryptProv = 0;
-                    CryptAcquireContextW(&cryptProv, keyProvInfo->pwszContainerName, keyProvInfo->pwszProvName,
-                                         keyProvInfo->dwProvType, CRYPT_DELETEKEYSET);
-                }
-                CertFreeCertificateContext(cert);
-            }
+            continue;
+        }
+        vector<char> buf(length);
+        if(!CertGetCertificateContextProperty(*i, CERT_KEY_PROV_INFO_PROP_ID, &buf[0], &length))
+        {
+            continue;
         }
+        CRYPT_KEY_PROV_INFO* key = reinterpret_cast<CRYPT_KEY_PROV_INFO*>(&buf[0]);
+        HCRYPTPROV prov = 0;
+        CryptAcquireContextW(&prov, key->pwszContainerName, key->pwszProvName, key->dwProvType, CRYPT_DELETEKEYSET);
+    }
+
+    for(vector<PCCERT_CONTEXT>::const_iterator i = _allCerts.begin(); i != _allCerts.end(); ++i)
+    {
+        CertFreeCertificateContext(*i);
     }
 
     for(vector<HCERTSTORE>::const_iterator i = _stores.begin(); i != _stores.end(); ++i)