add SSL certs validation options for robust to allow simple certificates, possible only for encriptation without any peer autentification. disable validation by default for the small grids case

author: UbitUmarov 2016-12-07 12:23:40 +0000
committer: UbitUmarov 2016-12-07 12:23:40 +0000
commit: 049dd374e9becc12b3e36e42d217f79ebf09ad45 (patch)
tree: 4fd68978cad7248cfe87585e62a5cb8d589069e2
parent: Merge branch 'master' into httptests (diff)
download: opensim-SC-049dd374e9becc12b3e36e42d217f79ebf09ad45.zip
opensim-SC-049dd374e9becc12b3e36e42d217f79ebf09ad45.tar.gz
opensim-SC-049dd374e9becc12b3e36e42d217f79ebf09ad45.tar.bz2
opensim-SC-049dd374e9becc12b3e36e42d217f79ebf09ad45.tar.xz
2 files changed, 36 insertions, 0 deletions
diff --git a/OpenSim/Server/ServerMain.cs b/OpenSim/Server/ServerMain.cs
index ed5a481..190f60f 100644
--- a/OpenSim/Server/ServerMain.cs
+++ b/OpenSim/Server/ServerMain.cs
@@ -30,6 +30,8 @@ using log4net;
 using System.Reflection;
 using System;
 using System.Net;
+using System.Net.Security;
+using System.Security.Cryptography.X509Certificates;
 using System.Collections.Generic;
 using OpenSim.Framework.Servers;
 using OpenSim.Framework.Servers.HttpServer;
@@ -51,6 +53,26 @@ namespace OpenSim.Server
                new List<IServiceConnector>();
        protected static PluginLoader loader;
+        private static bool m_NoVerifyCertChain = false;
+        private static bool m_NoVerifyCertHostname = false;
+        public static bool ValidateServerCertificate(
+            object sender,
+            X509Certificate certificate,
+            X509Chain chain,
+            SslPolicyErrors sslPolicyErrors)
+        {
+            if (m_NoVerifyCertChain)
+                sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateChainErrors;
+ 
+            if (m_NoVerifyCertHostname)
+                sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateNameMismatch;
+            if (sslPolicyErrors == SslPolicyErrors.None)
+                return true;
+            return false;
+        }
        public static int Main(string[] args)
        {
@@ -69,6 +91,11 @@ namespace OpenSim.Server
                throw new Exception("Configuration error");
            }
+            m_NoVerifyCertChain = serverConfig.GetBoolean("NoVerifyCertChain", m_NoVerifyCertChain);
+            m_NoVerifyCertHostname = serverConfig.GetBoolean("NoVerifyCertHostname", m_NoVerifyCertHostname);
+            ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
            string connList = serverConfig.GetString("ServiceConnectors", String.Empty);
            
            registryLocation = serverConfig.GetString("RegistryLocation",".");
diff --git a/bin/Robust.HG.ini.example b/bin/Robust.HG.ini.example
index c231a8a..08a3b8c 100644
--- a/bin/Robust.HG.ini.example
+++ b/bin/Robust.HG.ini.example
@@ -70,6 +70,15 @@
    ; How many lines of command history should we keep? (default is 100)
    ConsoleHistoryFileLines = 100
+    ; peers SSL certificate validation options (if using ssl)
+    ; you should set this to false forcing all peers (like regions) to have valid certificates
+    ; but you can allow selfsigned certificates or no official CA with next option true
+    NoVerifyCertChain = true
+    ; you can also bypass the hostname or domain verification
+    NoVerifyCertHostname = true
+    ; having both options true does provide encriptation, but low security
+    ; possible enought for small grids, specially it not comercial
+    
 [ServiceList]
    AssetServiceConnector = "${Const|PrivatePort}/OpenSim.Server.Handlers.dll:AssetServiceConnector"
author	UbitUmarov	2016-12-07 12:23:40 +0000
committer	UbitUmarov	2016-12-07 12:23:40 +0000
commit	049dd374e9becc12b3e36e42d217f79ebf09ad45 (patch)
tree	4fd68978cad7248cfe87585e62a5cb8d589069e2
parent	Merge branch 'master' into httptests (diff)
download	opensim-SC-049dd374e9becc12b3e36e42d217f79ebf09ad45.zip opensim-SC-049dd374e9becc12b3e36e42d217f79ebf09ad45.tar.gz opensim-SC-049dd374e9becc12b3e36e42d217f79ebf09ad45.tar.bz2 opensim-SC-049dd374e9becc12b3e36e42d217f79ebf09ad45.tar.xz

diff --git a/OpenSim/Server/ServerMain.cs b/OpenSim/Server/ServerMain.cs index ed5a481..190f60f 100644 --- a/OpenSim/Server/ServerMain.cs +++ b/OpenSim/Server/ServerMain.cs
@@ -30,6 +30,8 @@ using log4net;
30	using System.Reflection;	30	using System.Reflection;
31	using System;	31	using System;
32	using System.Net;	32	using System.Net;
		33	using System.Net.Security;
		34	using System.Security.Cryptography.X509Certificates;
33	using System.Collections.Generic;	35	using System.Collections.Generic;
34	using OpenSim.Framework.Servers;	36	using OpenSim.Framework.Servers;
35	using OpenSim.Framework.Servers.HttpServer;	37	using OpenSim.Framework.Servers.HttpServer;
@@ -51,6 +53,26 @@ namespace OpenSim.Server
51	new List<IServiceConnector>();	53	new List<IServiceConnector>();
52		54
53	protected static PluginLoader loader;	55	protected static PluginLoader loader;
		56	private static bool m_NoVerifyCertChain = false;
		57	private static bool m_NoVerifyCertHostname = false;
		58
		59	public static bool ValidateServerCertificate(
		60	object sender,
		61	X509Certificate certificate,
		62	X509Chain chain,
		63	SslPolicyErrors sslPolicyErrors)
		64	{
		65	if (m_NoVerifyCertChain)
		66	sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateChainErrors;
		67
		68	if (m_NoVerifyCertHostname)
		69	sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateNameMismatch;
		70
		71	if (sslPolicyErrors == SslPolicyErrors.None)
		72	return true;
		73
		74	return false;
		75	}
54		76
55	public static int Main(string[] args)	77	public static int Main(string[] args)
56	{	78	{
@@ -69,6 +91,11 @@ namespace OpenSim.Server
69	throw new Exception("Configuration error");	91	throw new Exception("Configuration error");
70	}	92	}
71		93
		94	m_NoVerifyCertChain = serverConfig.GetBoolean("NoVerifyCertChain", m_NoVerifyCertChain);
		95	m_NoVerifyCertHostname = serverConfig.GetBoolean("NoVerifyCertHostname", m_NoVerifyCertHostname);
		96
		97	ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
		98
72	string connList = serverConfig.GetString("ServiceConnectors", String.Empty);	99	string connList = serverConfig.GetString("ServiceConnectors", String.Empty);
73		100
74	registryLocation = serverConfig.GetString("RegistryLocation",".");	101	registryLocation = serverConfig.GetString("RegistryLocation",".");


diff --git a/bin/Robust.HG.ini.example b/bin/Robust.HG.ini.example index c231a8a..08a3b8c 100644 --- a/bin/Robust.HG.ini.example +++ b/bin/Robust.HG.ini.example
@@ -70,6 +70,15 @@
70	; How many lines of command history should we keep? (default is 100)	70	; How many lines of command history should we keep? (default is 100)
71	ConsoleHistoryFileLines = 100	71	ConsoleHistoryFileLines = 100
72		72
		73	; peers SSL certificate validation options (if using ssl)
		74	; you should set this to false forcing all peers (like regions) to have valid certificates
		75	; but you can allow selfsigned certificates or no official CA with next option true
		76	NoVerifyCertChain = true
		77	; you can also bypass the hostname or domain verification
		78	NoVerifyCertHostname = true
		79	; having both options true does provide encriptation, but low security
		80	; possible enought for small grids, specially it not comercial
		81
73		82
74	[ServiceList]	83	[ServiceList]
75	AssetServiceConnector = "${Const\|PrivatePort}/OpenSim.Server.Handlers.dll:AssetServiceConnector"	84	AssetServiceConnector = "${Const\|PrivatePort}/OpenSim.Server.Handlers.dll:AssetServiceConnector"