author | UbitUmarov | 2016-12-07 13:30:07 +0000 |
---|---|---|
committer | UbitUmarov | 2016-12-07 13:30:07 +0000 |
commit | 3a81642d979a84c5c2e666cb500e080d56f887ed (patch) | |
tree | 0f3302d414792ef3b3cb2046595561373f1ba19b | |
parent | add SSL certs validation options for robust to allow simple certificates, pos... (diff) | |
add SSL cert validation options for regions to allow simple encryption without any peer authentication, using simple homemade (or even shared) certs.
Diffstat (limited to '')
-rw-r--r-- | OpenSim/Framework/Servers/BaseOpenSimServer.cs | 30 | ||||
-rw-r--r-- | OpenSim/Server/ServerMain.cs | 2 | ||||
-rw-r--r-- | bin/OpenSim.ini.example | 13 | ||||
-rw-r--r-- | bin/OpenSimDefaults.ini | 15 | ||||
-rw-r--r-- | bin/Robust.HG.ini.example | 1 | ||||
-rw-r--r-- | bin/Robust.ini.example | 10 |
6 files changed, 68 insertions, 3 deletions
diff --git a/OpenSim/Framework/Servers/BaseOpenSimServer.cs b/OpenSim/Framework/Servers/BaseOpenSimServer.cs index 1d4deac..541b658 100644 --- a/OpenSim/Framework/Servers/BaseOpenSimServer.cs +++ b/OpenSim/Framework/Servers/BaseOpenSimServer.cs | |||
@@ -33,6 +33,9 @@ using System.Text; | |||
33 | using System.Text.RegularExpressions; | 33 | using System.Text.RegularExpressions; |
34 | using System.Threading; | 34 | using System.Threading; |
35 | using System.Timers; | 35 | using System.Timers; |
36 | using System.Net; | ||
37 | using System.Net.Security; | ||
38 | using System.Security.Cryptography.X509Certificates; | ||
36 | using log4net; | 39 | using log4net; |
37 | using log4net.Appender; | 40 | using log4net.Appender; |
38 | using log4net.Core; | 41 | using log4net.Core; |
@@ -85,7 +88,27 @@ namespace OpenSim.Framework.Servers | |||
85 | // Random uuid for private data | 88 | // Random uuid for private data |
86 | m_osSecret = UUID.Random().ToString(); | 89 | m_osSecret = UUID.Random().ToString(); |
87 | } | 90 | } |
88 | 91 | ||
92 | private static bool m_NoVerifyCertChain = false; | ||
93 | private static bool m_NoVerifyCertHostname = false; | ||
94 | |||
95 | public static bool ValidateServerCertificate( | ||
96 | object sender, | ||
97 | X509Certificate certificate, | ||
98 | X509Chain chain, | ||
99 | SslPolicyErrors sslPolicyErrors) | ||
100 | { | ||
101 | if (m_NoVerifyCertChain) | ||
102 | sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateChainErrors; | ||
103 | |||
104 | if (m_NoVerifyCertHostname) | ||
105 | sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateNameMismatch; | ||
106 | |||
107 | if (sslPolicyErrors == SslPolicyErrors.None) | ||
108 | return true; | ||
109 | |||
110 | return false; | ||
111 | } | ||
89 | /// <summary> | 112 | /// <summary> |
90 | /// Must be overriden by child classes for their own server specific startup behaviour. | 113 | /// Must be overriden by child classes for their own server specific startup behaviour. |
91 | /// </summary> | 114 | /// </summary> |
@@ -96,6 +119,11 @@ namespace OpenSim.Framework.Servers | |||
96 | RegisterCommonComponents(Config); | 119 | RegisterCommonComponents(Config); |
97 | 120 | ||
98 | IConfig startupConfig = Config.Configs["Startup"]; | 121 | IConfig startupConfig = Config.Configs["Startup"]; |
122 | |||
123 | m_NoVerifyCertChain = startupConfig.GetBoolean("NoVerifyCertChain", m_NoVerifyCertChain); | ||
124 | m_NoVerifyCertHostname = startupConfig.GetBoolean("NoVerifyCertHostname", m_NoVerifyCertHostname); | ||
125 | ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate; | ||
126 | |||
99 | int logShowStatsSeconds = startupConfig.GetInt("LogShowStatsSeconds", m_periodDiagnosticTimerMS / 1000); | 127 | int logShowStatsSeconds = startupConfig.GetInt("LogShowStatsSeconds", m_periodDiagnosticTimerMS / 1000); |
100 | m_periodDiagnosticTimerMS = logShowStatsSeconds * 1000; | 128 | m_periodDiagnosticTimerMS = logShowStatsSeconds * 1000; |
101 | m_periodicDiagnosticsTimer.Elapsed += new ElapsedEventHandler(LogDiagnostics); | 129 | m_periodicDiagnosticsTimer.Elapsed += new ElapsedEventHandler(LogDiagnostics); |
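Review bot: ValidateServerCertificate (hunk 2) silently accepts a peer certificate whose chain or name check failed whenever the matching flag is set, so an operator has no record that an untrusted or mismatched certificate was ever presented; a Debug/Info log line giving the certificate subject and the SslPolicyErrors being masked, written before the bits are cleared, would make a misconfigured or impersonated peer detectable after the fact. Clearing RemoteCertificateChainErrors waives not only self-signed roots but also expired, revoked and untrusted-root failures, and the callback is installed process-wide through ServicePointManager (hunk 3), so it governs every outbound HTTPS connection the server makes, not only peer traffic; both points belong in an XML doc comment on the method, e.g. `/// <summary>Process-wide server certificate check. Chain and hostname failures are waived when NoVerifyCertChain / NoVerifyCertHostname are set in [Startup]; any other policy error still rejects the certificate.</summary>`. As a matter of style, the method is public although it only reads private static state set in Startup, and a blank line is missing between its closing brace and the `/// <summary>` of the following member.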
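--- a/OpenSim/Server/ServerMain.cs
+++ b/OpenSim/Server/ServerMain.cs
@@ -79,6 +79,7 @@ namespace OpenSim.Server
 // Make sure we don't get outbound connections queueing
 ServicePointManager.DefaultConnectionLimit = 50;
 ServicePointManager.UseNagleAlgorithm = false;
+ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
 
 m_Server = new HttpServerBase("R.O.B.U.S.T.", args);
 
@@ -94,7 +95,6 @@ namespace OpenSim.Server
 m_NoVerifyCertChain = serverConfig.GetBoolean("NoVerifyCertChain", m_NoVerifyCertChain);
 m_NoVerifyCertHostname = serverConfig.GetBoolean("NoVerifyCertHostname", m_NoVerifyCertHostname);
 
-ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
 
 string connList = serverConfig.GetString("ServiceConnectors", String.Empty);
 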
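Review bot: The callback is now installed (new line 82) before the NoVerifyCert* flags are read from serverConfig (new lines 95-96), which is only safe because the callback consults the static fields at call time and, presumably as in BaseOpenSimServer, they default to false; a comment on the moved line, `// Installed before HttpServerBase is built so every outbound HTTPS request is covered; the flags it reads are set from serverConfig below`, would stop a later reorder from silently changing that. Separately, this same commit makes BaseOpenSimServer.Startup assign ServicePointManager.ServerCertificateValidationCallback to its own ValidateServerCertificate driven by [Startup] settings; if HttpServerBase derives from that class and its Startup runs after this line, the base-class assignment replaces the one installed here and the values read into m_NoVerifyCertChain/m_NoVerifyCertHostname in this file are never consulted — worth confirming the order and keeping a single owner of the callback. The enclosing method starts and ends outside the hunk.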
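--- a/bin/OpenSim.ini.example
+++ b/bin/OpenSim.ini.example
@@ -295,6 +295,19 @@
 ;; default is false
 ; TelehubAllowLandmark = false
 
+
+;; SSL certificate validation options
+;; used also on contacting other peers that require SSL and we don't
+;; you should set this to false forcing all peers (like regions) to have valid certificates
+;; but you can allow selfsigned certificates or no official CA with next option true
+;# {NoVerifyCertChain} {} {do not verify SSL Cert Chain} {true false} true
+; NoVerifyCertChain = true
+
+;; you can also bypass the hostname or domain verification
+;# {NoVerifyCertHostname} {} {do not verify SSL Cert name versus peer name} {true false} true
+; NoVerifyCertHostname = true
+;; having both options true does provide encriptation, but low security
+;; possible enought for small grids, specially it not comercial
 
 [AccessControl]
 ;# {AllowedClients} {} {Bar (|) separated list of allowed clients} {}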
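Review bot: The closing comment (new lines 309-310) understates what setting both options does: with chain and hostname checks waived the connection is still encrypted but the peer is no longer authenticated at all, so an on-path party can impersonate any peer; the same wording is repeated in OpenSimDefaults.ini, Robust.ini.example and Robust.HG.ini.example in this commit. Suggest `;; Setting both to true still encrypts traffic but disables peer authentication entirely (any certificate is accepted);` / `;; only acceptable on a trusted network or a small private grid.` in place of those two lines, which also fixes the spelling of `encriptation`, `enought` and `comercial`.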
diff --git a/bin/OpenSimDefaults.ini b/bin/OpenSimDefaults.ini index 6539f6e..4884d3d 100644 --- a/bin/OpenSimDefaults.ini +++ b/bin/OpenSimDefaults.ini | |||
@@ -401,7 +401,20 @@ | |||
401 | ; routing and land at the landmark coordinates when set to true | 401 | ; routing and land at the landmark coordinates when set to true |
402 | ; default is false | 402 | ; default is false |
403 | ; TelehubAllowLandmark = false | 403 | ; TelehubAllowLandmark = false |
404 | 404 | ||
405 | ; # | ||
406 | ; # SSL certificates validation options | ||
407 | ; # | ||
408 | |||
409 | ; SSL certificate validation options | ||
410 | ; used also on contacting other peers that require SSL and we don't | ||
411 | ; you should set this to false forcing all peers (like regions) to have valid certificates | ||
412 | ; but you can allow selfsigned certificates or no official CA with next option true | ||
413 | ; NoVerifyCertChain = true | ||
414 | ; you can also bypass the hostname or domain verification | ||
415 | ; NoVerifyCertHostname = true | ||
416 | ; having both options true does provide encriptation, but low security | ||
417 | ; possible enought for small grids, specially it not comercial | ||
405 | 418 | ||
406 | [Map] | 419 | [Map] |
407 | ; Map tile options. | 420 | ; Map tile options. |
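--- a/bin/Robust.HG.ini.example
+++ b/bin/Robust.HG.ini.example
@@ -71,6 +71,7 @@
 ConsoleHistoryFileLines = 100
 
 ; peers SSL certificate validation options (if using ssl)
+; used also on contacting other peers that require SSL and we don't
 ; you should set this to false forcing all peers (like regions) to have valid certificates
 ; but you can allow selfsigned certificates or no official CA with next option true
 NoVerifyCertChain = true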
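--- a/bin/Robust.ini.example
+++ b/bin/Robust.ini.example
@@ -61,6 +61,16 @@
 
 ; How many lines of command history should we keep? (default is 100)
 ConsoleHistoryFileLines = 100
+
+; peers SSL certificate validation options
+; used also on contacting other peers that require SSL and we don't
+; you should set this to false forcing all peers (like regions) to have valid certificates
+; but you can allow selfsigned certificates or no official CA with next option true
+NoVerifyCertChain = true
+; you can also bypass the hostname or domain verification
+NoVerifyCertHostname = true
+; having both options true does provide encriptation, but low security
+; possible enought for small grids, specially it not comercial
 
 [ServiceList]
 AssetServiceConnector = "${Const|PrivatePort}/OpenSim.Server.Handlers.dll:AssetServiceConnector"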
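Review bot: The example ships with both `NoVerifyCertChain = true` and `NoVerifyCertHostname = true` active (new lines 69 and 71), whereas OpenSim.ini.example in this same commit leaves the equivalent settings commented out so the code default applies; a grid that copies this file verbatim gets TLS without peer authentication without ever making that choice. Suggest shipping them commented out in the same form as OpenSim.ini.example, `; NoVerifyCertChain = true` / `; NoVerifyCertHostname = true`, and leaving the surrounding comment to explain when enabling them is acceptable. Robust.HG.ini.example already had `NoVerifyCertChain = true` active before this change, so the same question applies there.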