IIOP.NET SSLPlugin fails with omniORB SSL/mTLS (TCP works) — certificates imported, OpenSSL succeeds

When integrating a CORBA system where the server is C++(03) using omniORB 4.3 and the client is C# using IIOP.NET.

Server side (omniORB)

Server runs fine in SSL mode with a proper server certificate.

Client authentication (mTLS) works.

I validated connectivity with OpenSSL:

Shellopenssl s_client -connect <host>:<sslPort> -cert client.crt -key client.key -CAfile ca.crt

Handshake succeeds and ends with Verify return code: 0 (ok).

So server-side TLS/mTLS is confirmed working.

Windows client certificates (already installed)

On the Windows machine running the C# client, I already imported:

The client certificate including the private key (PFX) into CurrentUser => Personal (My).

The CA certificate into the trusted store (Trusted Root / appropriate trust store).

This matches the OpenSSL material that succeeds, so the cert/key/CA setup is correct.

Client side problem (IIOP.NET / SSLPlugin)

In pure TCP mode everything works (Naming Service, IORs, method calls).

When SSL is enabled, the client fails very early (before a real remote call), and cannot reliably consume the SSL-enabled IOR / URI. Typical failures include inability to create a channel sink / connect to the target / similar SSLPlugin-related issues.

Attempted IIOP.NET SSL channel config

I tried the common SSLPlugin setup that uses certificates from the Windows store:

IDictionary props = new Hashtable(); props[IiopChannel.TRANSPORT_FACTORY_KEY] = "Ch.Elca.Iiop.Security.Ssl.SslTransportFactory,SSLPlugin"; props[SslTransportFactory.CLIENT_AUTHENTICATION] = "Ch.Elca.Iiop.Security.Ssl.ClientMutualAuthenticationSuitableFromStore,SSLPlugin"; props[ClientMutualAuthenticationSuitableFromStore.STORE_LOCATION] = "CurrentUser"; var ch = new IiopClientChannel(props); ChannelServices.RegisterChannel(ch, false);

Then connecting via:

the SSL-enabled IOR:... from the naming service, and

also trying a constructed corbaloc form (host/port and object key extracted from the IOR).

In TCP mode, the same client code works reliably. In SSL mode, IIOP.NET breaks.

Question

Has anyone seen IIOP.NET SSLPlugin incompatibilities with omniORB SSL/mTLS (especially around SSL-enabled IORs / service URIs)?

Is this a known limitation/bug in SSLPlugin?

Are there specific settings/workarounds that make IIOP.NET handle omniORB SSL IORs correctly?

Any hints for debugging SSLPlugin (e.g., tracing/verbose logs) that would show why it fails despite correct certificates in the Windows store?

Any guidance appreciated.