authorUbitUmarov2016-12-07 13:30:07 +0000
committerUbitUmarov2016-12-07 13:30:07 +0000
commit3a81642d979a84c5c2e666cb500e080d56f887ed (patch)
tree0f3302d414792ef3b3cb2046595561373f1ba19b
parentadd SSL certs validation options for robust to allow simple certificates, pos... (diff)
add SSL certs validation options for regions to allow simple encryption without any peer authentication using simple homemade (or even shared) certs.
Diffstat (limited to '')
-rw-r--r--OpenSim/Framework/Servers/BaseOpenSimServer.cs30
-rw-r--r--OpenSim/Server/ServerMain.cs2
-rw-r--r--bin/OpenSim.ini.example13
-rw-r--r--bin/OpenSimDefaults.ini15
-rw-r--r--bin/Robust.HG.ini.example1
-rw-r--r--bin/Robust.ini.example10
6 files changed, 68 insertions, 3 deletions
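--- a/OpenSim/Framework/Servers/BaseOpenSimServer.cs
+++ b/OpenSim/Framework/Servers/BaseOpenSimServer.cs
@@ -33,6 +33,9 @@ using System.Text;
 using System.Text.RegularExpressions;
 using System.Threading;
 using System.Timers;
+using System.Net;
+using System.Net.Security;
+using System.Security.Cryptography.X509Certificates;
 using log4net;
 using log4net.Appender;
 using log4net.Core;
@@ -85,7 +88,27 @@ namespace OpenSim.Framework.Servers
 // Random uuid for private data
 m_osSecret = UUID.Random().ToString();
 }
 
+private static bool m_NoVerifyCertChain = false;
+private static bool m_NoVerifyCertHostname = false;
+
+public static bool ValidateServerCertificate(
+object sender,
+X509Certificate certificate,
+X509Chain chain,
+SslPolicyErrors sslPolicyErrors)
+{
+if (m_NoVerifyCertChain)
+sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateChainErrors;
+
+if (m_NoVerifyCertHostname)
+sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateNameMismatch;
+
+if (sslPolicyErrors == SslPolicyErrors.None)
+return true;
+
+return false;
+}
 /// <summary>
 /// Must be overriden by child classes for their own server specific startup behaviour.
 /// </summary>
@@ -96,6 +119,11 @@ namespace OpenSim.Framework.Servers
 RegisterCommonComponents(Config);
 
 IConfig startupConfig = Config.Configs["Startup"];
+
+m_NoVerifyCertChain = startupConfig.GetBoolean("NoVerifyCertChain", m_NoVerifyCertChain);
+m_NoVerifyCertHostname = startupConfig.GetBoolean("NoVerifyCertHostname", m_NoVerifyCertHostname);
+ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
+
 int logShowStatsSeconds = startupConfig.GetInt("LogShowStatsSeconds", m_periodDiagnosticTimerMS / 1000);
 m_periodDiagnosticTimerMS = logShowStatsSeconds * 1000;
 m_periodicDiagnosticsTimer.Elapsed += new ElapsedEventHandler(LogDiagnostics);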
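Review bot: Installing `ValidateServerCertificate` as `ServicePointManager.ServerCertificateValidationCallback` in Startup (new line 125) relaxes validation for every outgoing HTTPS connection the process makes, not only for peer regions, and nothing records that this happened. The flags are read from `[Startup]` with a default of false, so the relaxed mode is opt-in, but when either option is true a startup warning through the class's log4net logger naming both settings would let operators see that chain or hostname checks are off. The new public method also lacks the XML doc the surrounding members carry; a summary such as `/// Process-wide TLS validation callback: chain errors are ignored when NoVerifyCertChain is set, hostname mismatches when NoVerifyCertHostname is set; any other policy error still rejects the peer.` would document the contract. The enclosing Startup method continues past the end of the hunk.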
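--- a/OpenSim/Server/ServerMain.cs
+++ b/OpenSim/Server/ServerMain.cs
@@ -79,6 +79,7 @@ namespace OpenSim.Server
 // Make sure we don't get outbound connections queueing
 ServicePointManager.DefaultConnectionLimit = 50;
 ServicePointManager.UseNagleAlgorithm = false;
+ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
 
 m_Server = new HttpServerBase("R.O.B.U.S.T.", args);
 
@@ -94,7 +95,6 @@ namespace OpenSim.Server
 m_NoVerifyCertChain = serverConfig.GetBoolean("NoVerifyCertChain", m_NoVerifyCertChain);
 m_NoVerifyCertHostname = serverConfig.GetBoolean("NoVerifyCertHostname", m_NoVerifyCertHostname);
 
-ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
 
 string connList = serverConfig.GetString("ServiceConnectors", String.Empty);
 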
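Review bot: The callback assignment now runs at new line 82, before `NoVerifyCertChain`/`NoVerifyCertHostname` are read from `serverConfig` in the second hunk, which only works because the callback consults the static flags at call time rather than capturing them. A one-line comment at the new location, `// the callback reads m_NoVerifyCert* lazily; the flags are loaded from config below`, would keep a later refactor from moving the config read after first use. If `HttpServerBase` runs `BaseOpenSimServer.Startup`, that method installs its own callback reading the same keys from `[Startup]`, so this assignment may be overwritten; worth confirming which one is intended to win. The enclosing method extends beyond both hunks.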
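--- a/bin/OpenSim.ini.example
+++ b/bin/OpenSim.ini.example
@@ -295,6 +295,19 @@
 ;; default is false
 ; TelehubAllowLandmark = false
 
+
+;; SSL certificate validation options
+;; used also on contacting other peers that require SSL and we don't
+;; you should set this to false forcing all peers (like regions) to have valid certificates
+;; but you can allow selfsigned certificates or no official CA with next option true
+;# {NoVerifyCertChain} {} {do not verify SSL Cert Chain} {true false} true
+; NoVerifyCertChain = true
+
+;; you can also bypass the hostname or domain verification
+;# {NoVerifyCertHostname} {} {do not verify SSL Cert name versus peer name} {true false} true
+; NoVerifyCertHostname = true
+;; having both options true does provide encriptation, but low security
+;; possible enought for small grids, specially it not comercial
 
 [AccessControl]
 ;# {AllowedClients} {} {Bar (|) separated list of allowed clients} {}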
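Review bot: The `;#` metadata lines at new lines 303 and 307 advertise `true` as the default for `NoVerifyCertChain` and `NoVerifyCertHostname`, but the code reads both keys with a default of false and OpenSimDefaults.ini only carries them commented out, so a reader of this example is told validation is off when it is actually on. The trailing default in both metadata lines should be `false`, and the commented samples here and in bin/OpenSimDefaults.ini read less misleadingly as `; NoVerifyCertChain = false` and `; NoVerifyCertHostname = false`. The closing remark would be clearer as `;; setting both to true still encrypts the connection but does not authenticate the peer; acceptable only for small, non-commercial grids`.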
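--- a/bin/OpenSimDefaults.ini
+++ b/bin/OpenSimDefaults.ini
@@ -401,7 +401,20 @@
 ; routing and land at the landmark coordinates when set to true
 ; default is false
 ; TelehubAllowLandmark = false
 
+; #
+; # SSL certificates validation options
+; #
+
+; SSL certificate validation options
+; used also on contacting other peers that require SSL and we don't
+; you should set this to false forcing all peers (like regions) to have valid certificates
+; but you can allow selfsigned certificates or no official CA with next option true
+; NoVerifyCertChain = true
+; you can also bypass the hostname or domain verification
+; NoVerifyCertHostname = true
+; having both options true does provide encriptation, but low security
+; possible enought for small grids, specially it not comercial
 
 [Map]
 ; Map tile options.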
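--- a/bin/Robust.HG.ini.example
+++ b/bin/Robust.HG.ini.example
@@ -71,6 +71,7 @@
 ConsoleHistoryFileLines = 100
 
 ; peers SSL certificate validation options (if using ssl)
+; used also on contacting other peers that require SSL and we don't
 ; you should set this to false forcing all peers (like regions) to have valid certificates
 ; but you can allow selfsigned certificates or no official CA with next option true
 NoVerifyCertChain = true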
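--- a/bin/Robust.ini.example
+++ b/bin/Robust.ini.example
@@ -61,6 +61,16 @@
 
 ; How many lines of command history should we keep? (default is 100)
 ConsoleHistoryFileLines = 100
+
+; peers SSL certificate validation options
+; used also on contacting other peers that require SSL and we don't
+; you should set this to false forcing all peers (like regions) to have valid certificates
+; but you can allow selfsigned certificates or no official CA with next option true
+NoVerifyCertChain = true
+; you can also bypass the hostname or domain verification
+NoVerifyCertHostname = true
+; having both options true does provide encriptation, but low security
+; possible enought for small grids, specially it not comercial
 
 [ServiceList]
 AssetServiceConnector = "${Const|PrivatePort}/OpenSim.Server.Handlers.dll:AssetServiceConnector"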
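Review bot: `NoVerifyCertChain = true` and `NoVerifyCertHostname = true` at new lines 69 and 71 are active settings rather than commented samples, so a Robust instance configured from this example accepts any certificate from any peer with neither chain nor hostname checks. bin/Robust.HG.ini.example already shipped `NoVerifyCertChain = true` active and this commit extends the same pattern here. Shipping the two lines commented out as `; NoVerifyCertChain = false` and `; NoVerifyCertHostname = false` keeps the code's secure default and lets an operator opt in deliberately, with the surrounding comment explaining the trade-off.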