author | Teravus Ovares | 2008-09-14 18:39:17 +0000 |
---|---|---|
committer | Teravus Ovares | 2008-09-14 18:39:17 +0000 |
commit | dbbbec48dfbc51f30953d8a46f4fc8f192bd277c (patch) | |
tree | 218f93b95724e8bdc9a9c6e986268f2101c1eb6e | |
parent | Added some further clipping to color- and alpha-values. (diff) | |
* This update makes configuring SSL a little easier on Windows XP. It also makes it possible to run an HTTPS server on the region, and it includes a junk certification authority for test purposes.
* There are still a lot of things that are hard coded to use http. They need to be fixed.
* Also includes directions
* A standard junk PEM file to append to app_settings/CA.pem in the client so SSL will work
-rw-r--r-- | OpenSim/Framework/NetworkServersInfo.cs | 7 | ||||
-rw-r--r-- | OpenSim/Framework/Servers/BaseHttpServer.cs | 129 | ||||
-rw-r--r-- | OpenSim/Region/ClientStack/RegionApplicationBase.cs | 7 | ||||
-rw-r--r-- | OpenSim/Region/Environment/Modules/InterGrid/OpenGridProtocolModule.cs | 57 | ||||
-rw-r--r-- | bin/OpenSim.ini.example | 9 | ||||
-rw-r--r-- | share/junkCA/CA.crt | 30 | ||||
-rw-r--r-- | share/junkCA/CA.key | 27 | ||||
-rw-r--r-- | share/junkCA/CA.srl | 1 | ||||
-rw-r--r-- | share/junkCA/CA2.pem | 30 | ||||
-rw-r--r-- | share/junkCA/Certificate commands OpenSSL.txt | 82 | ||||
-rw-r--r-- | share/junkCA/This Folder contains Junk CA files and directions for signing with it. Comply with Export laws! | 1 |
11 files changed, 373 insertions, 7 deletions
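--- a/OpenSim/Framework/NetworkServersInfo.cs
+++ b/OpenSim/Framework/NetworkServersInfo.cs
@@ -49,6 +49,9 @@ namespace OpenSim.Framework
 public string UserRecvKey = String.Empty;
 public string UserSendKey = String.Empty;
 public string UserURL = String.Empty;
+public bool HttpUsesSSL = false;
+public string HttpSSLCN = "";
+public uint httpSSLPort = 9001;
 
 
 public NetworkServersInfo()
@@ -78,6 +81,10 @@ namespace OpenSim.Framework
 
 HttpListenerPort =
 (uint) config.Configs["Network"].GetInt("http_listener_port", (int) DefaultHttpListenerPort);
+httpSSLPort =
+(uint)config.Configs["Network"].GetInt("http_listener_sslport", ((int)DefaultHttpListenerPort+1));
+HttpUsesSSL = config.Configs["Network"].GetBoolean("http_listener_ssl", false);
+HttpSSLCN = config.Configs["Network"].GetString("http_listener_cn", "");
 RemotingListenerPort =
 (uint) config.Configs["Network"].GetInt("remoting_listener_port", (int) RemotingListenerPort);
 GridURL =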
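Review bot: `httpSSLPort` at new line 54 breaks the PascalCase convention of the surrounding public fields (`HttpUsesSSL`, `HttpSSLCN`, `HttpListenerPort`), and the odd casing is already copied into the caller in RegionApplicationBase; renaming it `HttpSSLPort` before it spreads further would be cheap now. The three new fields are undocumented configuration knobs; a comment next to them such as `// [Network] keys http_listener_ssl / http_listener_cn / http_listener_sslport; defaults: off, "", http port + 1` would tie them to the ini keys read at new lines 84–87. Note also that the field initializer says 9001 while the config default is DefaultHttpListenerPort+1; the two agree only if that constant is 9000, which is not visible in this hunk.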
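--- a/OpenSim/Framework/Servers/BaseHttpServer.cs
+++ b/OpenSim/Framework/Servers/BaseHttpServer.cs
@@ -26,12 +26,14 @@
 */
 
 using System;
+using System.Diagnostics;
 using System.Collections;
 using System.Collections.Generic;
 using System.IO;
 using System.Net;
 using System.Net.Sockets;
 using System.Reflection;
+using System.Security.Cryptography.X509Certificates;
 using System.Text;
 using System.Threading;
 using System.Xml;
@@ -39,6 +41,7 @@ using OpenMetaverse.StructuredData;
 using log4net;
 using Nwc.XmlRpc;
 
+
 namespace OpenSim.Framework.Servers
 {
 public class BaseHttpServer
@@ -55,9 +58,14 @@ namespace OpenSim.Framework.Servers
 protected Dictionary<string, IHttpAgentHandler> m_agentHandlers = new Dictionary<string, IHttpAgentHandler>();
 
 protected uint m_port;
+protected uint m_sslport;
 protected bool m_ssl = false;
 protected bool m_firstcaps = true;
 
+public uint SSLPort
+{
+get { return m_sslport; }
+}
 public uint Port
 {
 get { return m_port; }
@@ -72,8 +80,124 @@ namespace OpenSim.Framework.Servers
 {
 m_ssl = ssl;
 m_port = port;
+
+}
+
+public BaseHttpServer(uint port, bool ssl, uint sslport, string CN)
+{
+m_ssl = ssl;
+m_port = port;
+if (m_ssl)
+{
+bool result = SetupSsl((int)sslport, CN);
+m_sslport = sslport;
+}
+}
+
+
+
+public bool SetupSsl(int port, string CN)
+{
+string searchCN = Environment.MachineName.ToUpper();
+
+if (CN.Length > 0)
+searchCN = CN.ToUpper();
+
+Type t = Type.GetType("Mono.Runtime");
+if (t != null)
+{
+// TODO Mono User Friendly HTTPS setup
+// if this doesn't exist, then mono people can still manually use httpcfg
+}
+else
+{
+// Windows.
+// Search through the store for a certificate with a Common name specified in OpenSim.ini.
+// We need to find it's hash so we can pass it to httpcfg
+X509Store store = new X509Store(StoreLocation.LocalMachine);
+//Use the first cert to configure Ssl
+store.Open(OpenFlags.ReadOnly);
+//Assumption is we have certs. If not then this call will fail :(
+try
+{
+bool found = false;
+//X509Certificate2.CreateFromCertFile("testCert.cer");
+
+foreach (X509Certificate2 cert in store.Certificates)
+{
+String certHash = cert.GetCertHashString();
+//Only install certs issued for the machine and has the name as the machine name
+if (cert.Subject.ToUpper().IndexOf(searchCN) >= 0)
+{
+string httpcfgparams = String.Format("set ssl -i 0.0.0.0:{1} -c \"MY\" -h {0}", certHash, port);
+try
+{
+found = true;
+
+ExecuteHttpcfgCommand(httpcfgparams);
+
+break;
+}
+catch (Exception e)
+{
+m_log.WarnFormat("[HTTPS]: Automatic HTTPS setup failed. Do you have httpcfg.exe in your path? If not, you can download it in the windowsXP Service Pack 2 Support Tools, here: http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en. When you get it installed type, httpcfg {0}", httpcfgparams);
+return false;
+}
+}
+}
+
+if (!found)
+{
+m_log.WarnFormat("[HTTPS]: We didn't find a certificate that matched the common name {0}. Automatic HTTPS setup failed, you may have certificate errors. To fix this, make sure you generate a certificate request(CSR) using OpenSSL or the IIS snap-in with the common name you specified in opensim.ini. Then get it signed by a certification authority or sign it yourself with OpenSSL and the junkCA. Finally, be sure to import the cert to the 'MY' store(StoreLocation.LocalMachine)", searchCN);
+return false;
+}
+
+}
+catch (Exception e)
+{
+m_log.WarnFormat("[HTTPS]: We didn't any certificates in your LocalMachine certificate store. Automatic HTTPS setup failed, you may have certificate errors. To fix this, make sure you generate a certificate request(CSR) using OpenSSL or the IIS snap-inwith the common name you specified in opensim.ini. Then get it signed by a certification authority or sign it yourself with OpenSSL and the junkCA. Finally, be sure to import the cert to the 'MY' store(StoreLocation.LocalMachine). The configured common name is {0}", searchCN);
+return false;
+}
+finally
+{
+if (store != null)
+{
+store.Close();
+}
+}
+}
+return true;
 }
 
+private void ExecuteHttpcfgCommand(string p)
+{
+
+string file = "httpcfg";
+
+ProcessStartInfo info = new ProcessStartInfo(file, p);
+// Redirect output so we can read it.
+info.RedirectStandardOutput = true;
+// To redirect, we must not use shell execute.
+info.UseShellExecute = false;
+
+// Create and execute the process.
+Process httpcfgprocess = Process.Start(info);
+httpcfgprocess.Start();
+string result = httpcfgprocess.StandardOutput.ReadToEnd();
+if (result.Contains("HttpSetServiceConfiguration completed with"))
+{
+//success
+
+}
+else
+{
+//fail
+m_log.WarnFormat("[HTTPS]:Error binding certificate with the requested port. Message:{0}", result);
+}
+
+}
+
+
 /// <summary>
 /// Add a stream handler to the http server. If the handler already exists, then nothing happens.
 /// </summary>
@@ -907,7 +1031,8 @@ namespace OpenSim.Framework.Servers
 }
 else
 {
-m_httpListener.Prefixes.Add("https://+:" + m_port + "/");
+m_httpListener.Prefixes.Add("https://+:" + (m_sslport) + "/");
+m_httpListener.Prefixes.Add("http://+:" + m_port + "/");
 }
 m_httpListener.Start();
 
@@ -921,7 +1046,7 @@ namespace OpenSim.Framework.Servers
 catch (Exception e)
 {
 m_log.Warn("[HTTPD]: Error - " + e.Message);
-m_log.Warn("Tip: Do you have permission to listen on port " + m_port + "?");
+m_log.Warn("Tip: Do you have permission to listen on port " + m_port + "," + m_sslport + "?");
 }
 }
 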
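Review bot: SetupSsl (new lines 126–131) binds the first certificate whose full Subject DN merely contains the configured CN as a case-insensitive substring, so a CN of "localhost" also matches "localhost.example.com" or any certificate whose O/OU text happens to contain it, and nothing checks that the chosen certificate carries a private key; the constructor at new line 92 then discards the bool returned by SetupSsl, so after a failed setup m_ssl stays true and the listener at new line 1034 registers the https prefix anyway. Compare the certificate's CN for equality (`cert.GetNameInfo(X509NameType.SimpleName, false)`), require `cert.HasPrivateKey`, and write `m_ssl = SetupSsl((int)sslport, CN);` in the constructor so a failed setup disables SSL instead of leaving a port with no bound certificate. ExecuteHttpcfgCommand (new lines 184–185) also calls Process.Start on an already started process and never waits for or disposes it; the sketch below wraps it in `using` and waits before judging the output. The two `catch (Exception e)` blocks log nothing about `e` itself; passing it to the logger would make a failed setup diagnosable.
```csharp
foreach (X509Certificate2 cert in store.Certificates)
{
    // … unchanged: certHash …
    string subjectCN = cert.GetNameInfo(X509NameType.SimpleName, false);
    if (cert.HasPrivateKey && String.Equals(subjectCN, searchCN, StringComparison.OrdinalIgnoreCase))
    {
        // … unchanged: httpcfg invocation and logging …
    }
}
// … unchanged: rest of SetupSsl …

private void ExecuteHttpcfgCommand(string p)
{
    ProcessStartInfo info = new ProcessStartInfo("httpcfg", p);
    info.RedirectStandardOutput = true;
    info.UseShellExecute = false;

    using (Process httpcfgprocess = Process.Start(info))
    {
        string result = httpcfgprocess.StandardOutput.ReadToEnd();
        httpcfgprocess.WaitForExit();
        if (!result.Contains("HttpSetServiceConfiguration completed with"))
        {
            m_log.WarnFormat("[HTTPS]:Error binding certificate with the requested port. Message:{0}", result);
        }
    }
}
```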
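--- a/OpenSim/Region/ClientStack/RegionApplicationBase.cs
+++ b/OpenSim/Region/ClientStack/RegionApplicationBase.cs
@@ -81,7 +81,12 @@ namespace OpenSim.Region.ClientStack
 
 Initialize();
 
-m_httpServer = new BaseHttpServer(m_httpServerPort);
+m_httpServer = new BaseHttpServer(m_httpServerPort,m_networkServersInfo.HttpUsesSSL,m_networkServersInfo.httpSSLPort, m_networkServersInfo.HttpSSLCN);
+if (m_networkServersInfo.HttpUsesSSL && (m_networkServersInfo.HttpListenerPort == m_networkServersInfo.httpSSLPort))
+{
+m_log.Error("[HTTP]: HTTP Server config failed. HTTP Server and HTTPS server must be on different ports");
+}
+
 
 m_log.Info("[REGION]: Starting HTTP server");
 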
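Review bot: The port-collision check at new lines 85–88 runs after `new BaseHttpServer(...)` on line 84 has already executed SetupSsl and bound a certificate to that port, and it only logs, so startup continues and the server later tries to register both an http and an https prefix on the same port. Move the check above the constructor call and make it fail hard, e.g. `throw new ArgumentException("[HTTP]: HTTP and HTTPS listener ports must differ");`, or clear `HttpUsesSSL` before constructing, so a misconfigured region never binds a certificate to its plain HTTP port. The enclosing method starts outside the hunk.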
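--- a/OpenSim/Region/Environment/Modules/InterGrid/OpenGridProtocolModule.cs
+++ b/OpenSim/Region/Environment/Modules/InterGrid/OpenGridProtocolModule.cs
@@ -86,6 +86,9 @@ namespace OpenSim.Region.Environment.Modules.InterGrid
 private Dictionary<UUID, OGPState> m_OGPState = new Dictionary<UUID, OGPState>();
 private string LastNameSuffix = "_EXTERNAL";
 private string FirstNamePrefix = "";
+private string httpsCN = "";
+private bool httpSSL = false;
+private uint httpsslport = 0;
 
 #region IRegionModule Members
 
@@ -93,6 +96,7 @@ namespace OpenSim.Region.Environment.Modules.InterGrid
 {
 bool enabled = false;
 IConfig cfg = null;
+IConfig httpcfg = null;
 try
 {
 cfg = config.Configs["OpenGridProtocol"];
@@ -100,6 +104,16 @@ namespace OpenSim.Region.Environment.Modules.InterGrid
 {
 enabled = false;
 }
+
+try
+{
+httpcfg = config.Configs["Network"];
+}
+catch (NullReferenceException)
+{
+
+}
+
 if (cfg != null)
 {
 enabled = cfg.GetBoolean("ogp_enabled", false);
@@ -139,6 +153,20 @@ namespace OpenSim.Region.Environment.Modules.InterGrid
 }
 }
 }
+lock (m_scene)
+{
+if (m_scene.Count == 1)
+{
+if (httpcfg != null)
+{
+httpSSL = httpcfg.GetBoolean("http_listener_ssl", false);
+httpsCN = httpcfg.GetString("http_listener_cn", scene.RegionInfo.ExternalHostName);
+if (httpsCN.Length == 0)
+httpsCN = scene.RegionInfo.ExternalHostName;
+httpsslport = (uint)httpcfg.GetInt("http_listener_sslport",((int)scene.RegionInfo.HttpPort + 1));
+}
+}
+}
 // Of interest to this module potentially
 //scene.EventManager.OnNewClient += OnNewClient;
 //scene.EventManager.OnGridInstantMessageToFriendsModule += OnGridInstantMessage;
@@ -371,14 +399,35 @@ namespace OpenSim.Region.Environment.Modules.InterGrid
 // Get a reference to the user's cap so we can pull out the Caps Object Path
 OpenSim.Framework.Communications.Capabilities.Caps userCap = homeScene.GetCapsHandlerForUser(agentData.AgentID);
 
+string rezHttpProtocol = "http://";
+string regionCapsHttpProtocol = "http://";
+string httpaddr = reg.ExternalHostName;
+string urlport = reg.HttpPort.ToString();
+
+
+if (httpSSL)
+{
+rezHttpProtocol = "https://";
+
+urlport = httpsslport.ToString();
+
+if (httpsCN.Length > 0)
+httpaddr = httpsCN;
+}
+
+
+// Be warned that the two following lines assume http not
+// https since region caps are not implemented in https currently
+
 // DEPRECIATED
-responseMap["seed_capability"] = LLSD.FromString("http://" + reg.ExternalHostName + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/");
+responseMap["seed_capability"] = LLSD.FromString(regionCapsHttpProtocol + httpaddr + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/");
 
 // REPLACEMENT
-responseMap["region_seed_capability"] = LLSD.FromString("http://" + reg.ExternalHostName + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/");
+responseMap["region_seed_capability"] = LLSD.FromString(regionCapsHttpProtocol + httpaddr + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/");
+
 
-responseMap["rez_avatar/rez"] = LLSD.FromString("http://" + reg.ExternalHostName + ":" + reg.HttpPort + rezAvatarPath);
-responseMap["rez_avatar/derez"] = LLSD.FromString("http://" + reg.ExternalHostName + ":" + reg.HttpPort + derezAvatarPath);
+responseMap["rez_avatar/rez"] = LLSD.FromString(rezHttpProtocol + httpaddr + ":" + urlport + rezAvatarPath);
+responseMap["rez_avatar/derez"] = LLSD.FromString(rezHttpProtocol + httpaddr + ":" + urlport + derezAvatarPath);
 
 // Add the user to the list of CAPS that are outstanding.
 // well allow the caps hosts in this dictionary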
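Review bot: At new lines 423 and 426 the region caps URLs still use `http://` and `reg.HttpPort` but now take their host from `httpaddr`, which is swapped for `httpsCN` whenever SSL is on (lines 408–416); with the shipped example value `http_listener_cn = "localhost"` the seed capability would direct a remote client to localhost:HttpPort instead of the region's external host. Keep `reg.ExternalHostName` as the host on those two lines until caps are actually served over HTTPS, e.g. `responseMap["seed_capability"] = LLSD.FromString(regionCapsHttpProtocol + reg.ExternalHostName + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/");`. The empty `catch (NullReferenceException)` at lines 112–115 silently hides a missing [Network] section; if the indexer returns null for an absent section, as the `httpcfg != null` test at line 160 already assumes, the try/catch adds nothing and deserves either a comment saying which exception it expects or removal. Both enclosing methods start outside their hunks.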
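--- a/bin/OpenSim.ini.example
+++ b/bin/OpenSim.ini.example
@@ -169,6 +169,15 @@ dump_assets_to_file = false
 http_listener_port = 9000
 remoting_listener_port = 8895
 
+; ssl config: Experimental! The auto https config only really works definately on windows XP now
+; you need a Cert Request/Signed pair installed in the MY store with the CN specified below
+; you can use https on other platforms, but you'll need to configure the httpapi yourself for now
+http_listener_ssl = false ; Also create a SSL server
+http_listener_cn = "localhost" ; Use the cert with the common name
+http_listener_sslport = 9001 ; Use this port for SSL connections
+http_listener_ssl_cert = "" ; Currently unused, but will be used for OSHttpServer
+
+
 ; Uncomment below to enable llRemoteData/remote channels
 ; remoteDataPort = 20800
 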
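--- /dev/null
+++ b/share/junkCA/CA.crt
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFJzCCBA+gAwIBAgIJAK3s6O4dAEQSMA0GCSqGSIb3DQEBBQUAMIG9MQswCQYD
+VQQGEwJVUzEUMBIGA1UECBMLTXVsdGktc3RhdGUxEzARBgNVBAcTCm11bHRpLWNp
+dHkxJTAjBgNVBAoTHE9wZW5TaW11bGF0b3IgRGV2IERPTlQgVFJVU1QxEzARBgNV
+BAsTCkRPTlQgVFJVU1QxJTAjBgNVBAMTHE9wZW5TaW11bGF0b3IgRGV2IERPTlQg
+VFJVU1QxIDAeBgkqhkiG9w0BCQEWEXRlcmF2dXNAZ21haWwuY29tMB4XDTA4MDkx
+MjE2MTEwNVoXDTE4MDgxMTE2MTEwNVowgb0xCzAJBgNVBAYTAlVTMRQwEgYDVQQI
+EwtNdWx0aS1zdGF0ZTETMBEGA1UEBxMKbXVsdGktY2l0eTElMCMGA1UEChMcT3Bl
+blNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDETMBEGA1UECxMKRE9OVCBUUlVTVDEl
+MCMGA1UEAxMcT3BlblNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDEgMB4GCSqGSIb3
+DQEJARYRdGVyYXZ1c0BnbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCwpTIw01Y6Lg7INnmDp9KHLC1p0Udg4Y9Ux232zd2tOTpjF7QnlHIO
+GKg8jE6SiaV4NPC9nRqgVCOMa6H7crbr/IrXcTUq0ZYyIG07ZkbUb+4aNNJLh/vq
+xHj0kXfRKGxq1QzjmNO7kfCzR4vQudI4F/Hw6HL2vIqRI3sNepn+j3VKCILyTLQP
+b0mJi6EfRizqLtIgQwaaMN3AgZWF8rAANNLerzkYLM7+uT5sQYX/sGPi16x/NgFr
+UfCI6Ag2Sbufj8VOOp08kDwVZNq7Vr44y+l1gJySPnLMbBrTb/erc+UJv4xgVsRI
+opMKP/DG+z3eRbxKcPZ0hpPWJS4JhG0bAgMBAAGjggEmMIIBIjAdBgNVHQ4EFgQU
+u0ZSqD+MrxiuSy0IsX5Iye8lHZswgfIGA1UdIwSB6jCB54AUu0ZSqD+MrxiuSy0I
+sX5Iye8lHZuhgcOkgcAwgb0xCzAJBgNVBAYTAlVTMRQwEgYDVQQIEwtNdWx0aS1z
+dGF0ZTETMBEGA1UEBxMKbXVsdGktY2l0eTElMCMGA1UEChMcT3BlblNpbXVsYXRv
+ciBEZXYgRE9OVCBUUlVTVDETMBEGA1UECxMKRE9OVCBUUlVTVDElMCMGA1UEAxMc
+T3BlblNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDEgMB4GCSqGSIb3DQEJARYRdGVy
+YXZ1c0BnbWFpbC5jb22CCQCt7OjuHQBEEjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
+DQEBBQUAA4IBAQAaI69OZmjTVcZxtWLASB9nv3WNEOxJW+aBjseUhyM4H9pJ5bkh
+MmgiG9JgnBUpNzL3/1EV2Ud8ZCBy7JxhvwWnJMjxJL67US16sKpCLVvNAD2pCZ6f
+iaT/qorLYP/yJ7OieYmAh5lZsvG8xJM44ZZyvtYEVBB+qZw1gHkb4hhf3roUCV67
+aHMDRRolWyWm6weid7wTWz38QfRohVWidH9CPwubG7K4zPrDpBJAZV1cKra1YTrM
+eje1GuIyHzpIAAYP5z1hgI9p/0oTrWnG7w7Ydkpm9lu50WMt1DScsYnh0MhW/uas
+e24cQsvz0m9PZlfAsJQeX6pbqlJppoX+XeVC
+-----END CERTIFICATE-----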
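--- /dev/null
+++ b/share/junkCA/CA.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAsKUyMNNWOi4OyDZ5g6fShywtadFHYOGPVMdt9s3drTk6Yxe0
+J5RyDhioPIxOkomleDTwvZ0aoFQjjGuh+3K26/yK13E1KtGWMiBtO2ZG1G/uGjTS
+S4f76sR49JF30ShsatUM45jTu5Hws0eL0LnSOBfx8Ohy9ryKkSN7DXqZ/o91SgiC
+8ky0D29JiYuhH0Ys6i7SIEMGmjDdwIGVhfKwADTS3q85GCzO/rk+bEGF/7Bj4tes
+fzYBa1HwiOgINkm7n4/FTjqdPJA8FWTau1a+OMvpdYCckj5yzGwa02/3q3PlCb+M
+YFbESKKTCj/wxvs93kW8SnD2dIaT1iUuCYRtGwIDAQABAoIBAFNoXU+iqodkMgSl
+fDEHMCg1WugpMjvzpXsRg8HSqQZfDEu36I/7zvMK/30/fuZAakpdLQNLSERGFlb6
+h4y0ON0q7OAXi1RBjFr05r7yZyVuCI6FPHr/pZrP1JEekuXG4ZJ8MM7S3b8mhPIS
+KVmQNEvaOppXF9mbYw5vI25U4pvIljfAKZxkeU7aHb9asrnuBOwLjFRtLDTo13Nc
+dHTT3X+G+74mU8rYTV3njAmh9iE+PmDlc2mJckS/0TqpJbZgFueCCBIK5iJSc7lO
++DFFgRcouvnCdZW9fp6/8Hz4FGa2TX6jsYj/H1dGWELioUOoBwkdqFP9JaBvd7ni
+Nx2PObkCgYEA31rYJJ5jUiosf1I894MuEg2HWosXd0pVAPW3QjHdx7oiVUBRS5ZB
+YAOy5zeleLckfWKJiE4z/5CMdsEM/Q9F0X2xg3TDhxUM7A4px0AXAsbyJT7AcE0O
+kZBZjhluIF8O3Lic/LqzT39KgG35zvvd+H42Je1WvsCLSREL1MQDwCUCgYEAynak
+x41uazl5UaDwL+mahIVW+n/Bko3e9BhD7ZRkLI2+R7y180Fw7dMmnxG/jVw7hotk
+Ylx3Oa+JjnEplxTd1TShnP1aQ0nhnxnhS9EbIW8SjsazeK8V8zezJ54uZziVedgg
+x/ISvQM0yPbvkrSo4mQEjl3q4DjmIyg5Nx+cVD8CgYBGD0vPKLOE2V+9zED9bnNs
+DDxRxWFl9LX3KBwEsnmbpaIRVaxqZkY5ZM+gQU8xL1lNzzPOwqEC4Ad/VIzLcBf5
+X1DoKB8Q5yR3gvXN3yeYomjgD+/zCeiw9jNxJD7r/oU97NapW7LVE9t9r4F1UIHO
+6V/4w5q7GNBX6fXpFlcK1QKBgQCYNbYP5/4ZUm4otiucea0W7//B94YZndr9+7gl
+xqfA7xcca30G0i4KPfINKJSvu6VssyLW59kiXxu1INI5qRBVF2pg0f+oEsUyjYxZ
+KW2SJyT2fd+zXT3NShTANiWAqIOHxLpwV0dLHjvy0eKukm9dNABQ376Sr3Qk/jp1
+fKhUlQKBgAj6o2lw0vLOuQmqV08YF/UFWN/TZAcBzDE353fypi16aqY35pYSvUez
+64d1anTTwuq5fLGaQlH0XgGor/XbBqgif8eVyTRdfmA/2YQjwMIFyrWyxLpTiuiO
+0P6lO4B9NCT2N/gDPomdlOfkA2g063C21CPa43lr8lGx8oaQW95W
+-----END RSA PRIVATE KEY-----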
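Review bot: This file commits the junk CA's private key in the clear next to its certificate, so anyone with a copy of the repository can issue a certificate for any host name, and every client that followed the shipped directions and appended CA2.pem to app_settings/CA.pem will accept it; the certificate's DN says DONT TRUST, but neither 'Certificate commands OpenSSL.txt' nor the OpenSim.ini.example comment says that the key is public or that the entry should be removed from the client trust store once testing is over. A one-line caveat in both places stating that this CA is for isolated test grids only would close that gap. CA.crt and CA2.pem are also the same blob (both have index 8e2f099), so one copy could be dropped or the duplication documented in the directions.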
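--- /dev/null
+++ b/share/junkCA/CA.srl
@@ -0,0 +1 @@
+F10DF59AD0EE66E0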
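--- /dev/null
+++ b/share/junkCA/CA2.pem
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFJzCCBA+gAwIBAgIJAK3s6O4dAEQSMA0GCSqGSIb3DQEBBQUAMIG9MQswCQYD
+VQQGEwJVUzEUMBIGA1UECBMLTXVsdGktc3RhdGUxEzARBgNVBAcTCm11bHRpLWNp
+dHkxJTAjBgNVBAoTHE9wZW5TaW11bGF0b3IgRGV2IERPTlQgVFJVU1QxEzARBgNV
+BAsTCkRPTlQgVFJVU1QxJTAjBgNVBAMTHE9wZW5TaW11bGF0b3IgRGV2IERPTlQg
+VFJVU1QxIDAeBgkqhkiG9w0BCQEWEXRlcmF2dXNAZ21haWwuY29tMB4XDTA4MDkx
+MjE2MTEwNVoXDTE4MDgxMTE2MTEwNVowgb0xCzAJBgNVBAYTAlVTMRQwEgYDVQQI
+EwtNdWx0aS1zdGF0ZTETMBEGA1UEBxMKbXVsdGktY2l0eTElMCMGA1UEChMcT3Bl
+blNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDETMBEGA1UECxMKRE9OVCBUUlVTVDEl
+MCMGA1UEAxMcT3BlblNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDEgMB4GCSqGSIb3
+DQEJARYRdGVyYXZ1c0BnbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCwpTIw01Y6Lg7INnmDp9KHLC1p0Udg4Y9Ux232zd2tOTpjF7QnlHIO
+GKg8jE6SiaV4NPC9nRqgVCOMa6H7crbr/IrXcTUq0ZYyIG07ZkbUb+4aNNJLh/vq
+xHj0kXfRKGxq1QzjmNO7kfCzR4vQudI4F/Hw6HL2vIqRI3sNepn+j3VKCILyTLQP
+b0mJi6EfRizqLtIgQwaaMN3AgZWF8rAANNLerzkYLM7+uT5sQYX/sGPi16x/NgFr
+UfCI6Ag2Sbufj8VOOp08kDwVZNq7Vr44y+l1gJySPnLMbBrTb/erc+UJv4xgVsRI
+opMKP/DG+z3eRbxKcPZ0hpPWJS4JhG0bAgMBAAGjggEmMIIBIjAdBgNVHQ4EFgQU
+u0ZSqD+MrxiuSy0IsX5Iye8lHZswgfIGA1UdIwSB6jCB54AUu0ZSqD+MrxiuSy0I
+sX5Iye8lHZuhgcOkgcAwgb0xCzAJBgNVBAYTAlVTMRQwEgYDVQQIEwtNdWx0aS1z
+dGF0ZTETMBEGA1UEBxMKbXVsdGktY2l0eTElMCMGA1UEChMcT3BlblNpbXVsYXRv
+ciBEZXYgRE9OVCBUUlVTVDETMBEGA1UECxMKRE9OVCBUUlVTVDElMCMGA1UEAxMc
+T3BlblNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDEgMB4GCSqGSIb3DQEJARYRdGVy
+YXZ1c0BnbWFpbC5jb22CCQCt7OjuHQBEEjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
+DQEBBQUAA4IBAQAaI69OZmjTVcZxtWLASB9nv3WNEOxJW+aBjseUhyM4H9pJ5bkh
+MmgiG9JgnBUpNzL3/1EV2Ud8ZCBy7JxhvwWnJMjxJL67US16sKpCLVvNAD2pCZ6f
+iaT/qorLYP/yJ7OieYmAh5lZsvG8xJM44ZZyvtYEVBB+qZw1gHkb4hhf3roUCV67
+aHMDRRolWyWm6weid7wTWz38QfRohVWidH9CPwubG7K4zPrDpBJAZV1cKra1YTrM
+eje1GuIyHzpIAAYP5z1hgI9p/0oTrWnG7w7Ydkpm9lu50WMt1DScsYnh0MhW/uas
+e24cQsvz0m9PZlfAsJQeX6pbqlJppoX+XeVC
+-----END CERTIFICATE-----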
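--- /dev/null
+++ b/share/junkCA/Certificate commands OpenSSL.txt
@@ -0,0 +1,82 @@
+To generate a cert request and sign it with the JunkCA
+
+REMEMBER TO APPEND THE CA2.pem file to the bottom of the app_settings/CA.pem in the Linden client folders or you won't be able to connect!
+
+Generate a Host Key:
+openssl genrsa -out host.key 2048
+
+Generate a Certificate signing request with *OpenSSL*:
+openssl req -new -nodes -key host.key -out host.csr
+When prompted for: 'Common Name (eg, YOUR name) []:', please type the domain name that this certificate will be used on.
+
+Or you could;
+
+Generate a Certificate request with the *IIS Snapin*:
+Go to Control Panel ---> Administrative tools ---> Internet Information Services
+Pick a web site on your server.
+right click, choose properties from the context menu
+Go to the Directory Security tab
+Click On the 'Server Certificate...' button
+Click 'Prepare the request now, but send it later' and then follow the wizard.
+Be sure to type the common name as the domain name that you will be servicing. www.osgrid.org or whatever server will be using this cert
+
+Sign the certificate request with the junkCA;
+openssl x509 -req -days 3620 -CA CA.crt -CAkey CA.key -CAcreateserial -in host.csr -out signed.cer
+
+Import it into your MY store on windows.
+
+If you used OpenSSL to generate the certificate;
+openssl pkcs12 -export -in server.crt -inkey server.key.unsecure -out server.pfx -name "My Lovely Cert"
+server.crt is the signed cert from the CA.
+server.key.unsecure is the *unencrypted* private key.
+
+You will be asked for a password, set this if you want.
+
+In Windows, fire up "mmc", add the certificates Snap-in, set it to manage the local computer. Go to personal certificates folder, import server.pfx, enter password if you gave it one earlier.
+
+In IIS, get it to let you choose from currently installed certs. You should now be able to choose the one you just installed.
+
+If you used the IIS Snap-in,
+Go to Control Panel ---> Administrative tools ---> Internet Information Services
+Pick a web site on your server.
+right click, choose properties from the context menu
+Go to the Directory Security tab
+Click On the 'Server Certificate...' button
+Choose the radio button that says, 'Assign an existing certificate'
+
+
+Mono, you must use httpcfg in the Mono-1.9.1/lib/mono/2.0 folder.
+httpcfg -add -port <TYPE HTTPS PORT> -pvk <TYPE PRIVATE KEY FILE> -cert MyCert
+
+After that, make sure to set-up your opensim.ini!
+
+
+OpenSSL can be found:
+http://www.slproweb.com/products/Win32OpenSSL.html
+
+httpcfg.exe for windowsXP can be found:
+http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en
+
+Windows Vista users need to use netsh http!
+
+---------------------------------------------------
+
+Additional notes
+
+To create your own CA
+
+openssl genrsa -out yourCA.key 2048
+openssl req -new -key yourCA.key -x509 -days 3620 -out yourCA.crt
+
+and the final step.. (AND THIS IS IMPORTANT)
+
+openssl x509 -in CA.crt -out yourCA.pem -outform PEM
+
+The last step will produce a certificate in the PEM format that you can append to the Linden client's app_settings/CA.pem file
+so that it can validate certificates that are generated from your CA.
+
+One last important thing!
+
+All users that connect with linden clients
+using SSL NEED the pem file you created in that last step appended to theirs, or their client will give them a weird error about
+their clock being wrong!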
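--- /dev/null
+++ b/share/junkCA/This Folder contains Junk CA files and directions for signing with it. Comply with Export laws!
@@ -0,0 +1 @@
+This Folder contains Junk CA files and directions for signing with it. Comply with Export laws!
\ No newline at end of file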