6 files changed, 68 insertions, 3 deletions
diff --git a/OpenSim/Framework/Servers/BaseOpenSimServer.cs b/OpenSim/Framework/Servers/BaseOpenSimServer.cs
index 1d4deac..541b658 100644
--- a/OpenSim/Framework/Servers/BaseOpenSimServer.cs
+++ b/OpenSim/Framework/Servers/BaseOpenSimServer.cs
@@ -33,6 +33,9 @@ using System.Text;
 using System.Text.RegularExpressions;
 using System.Threading;
 using System.Timers;
+using System.Net;
+using System.Net.Security;
+using System.Security.Cryptography.X509Certificates;
 using log4net;
 using log4net.Appender;
 using log4net.Core;
@@ -85,7 +88,27 @@ namespace OpenSim.Framework.Servers
            // Random uuid for private data
            m_osSecret = UUID.Random().ToString();
        }
-        
+   
+        private static bool m_NoVerifyCertChain = false;
+        private static bool m_NoVerifyCertHostname = false;
+        public static bool ValidateServerCertificate(
+            object sender,
+            X509Certificate certificate,
+            X509Chain chain,
+            SslPolicyErrors sslPolicyErrors)
+        {
+            if (m_NoVerifyCertChain)
+                sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateChainErrors;
+ 
+            if (m_NoVerifyCertHostname)
+                sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateNameMismatch;
+            if (sslPolicyErrors == SslPolicyErrors.None)
+                return true;
+            return false;
+        }             
        /// <summary>
        /// Must be overriden by child classes for their own server specific startup behaviour.
        /// </summary>
@@ -96,6 +119,11 @@ namespace OpenSim.Framework.Servers
            RegisterCommonComponents(Config);
            IConfig startupConfig = Config.Configs["Startup"];
+            m_NoVerifyCertChain = startupConfig.GetBoolean("NoVerifyCertChain", m_NoVerifyCertChain);
+            m_NoVerifyCertHostname = startupConfig.GetBoolean("NoVerifyCertHostname", m_NoVerifyCertHostname);
+            ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
            int logShowStatsSeconds = startupConfig.GetInt("LogShowStatsSeconds", m_periodDiagnosticTimerMS / 1000);
            m_periodDiagnosticTimerMS = logShowStatsSeconds * 1000;
            m_periodicDiagnosticsTimer.Elapsed += new ElapsedEventHandler(LogDiagnostics);
diff --git a/OpenSim/Server/ServerMain.cs b/OpenSim/Server/ServerMain.cs
index 190f60f..9d6a3d0 100644
--- a/OpenSim/Server/ServerMain.cs
+++ b/OpenSim/Server/ServerMain.cs
@@ -79,6 +79,7 @@ namespace OpenSim.Server
            // Make sure we don't get outbound connections queueing
            ServicePointManager.DefaultConnectionLimit = 50;
            ServicePointManager.UseNagleAlgorithm = false;
+            ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
            m_Server = new HttpServerBase("R.O.B.U.S.T.", args);
            
@@ -94,7 +95,6 @@ namespace OpenSim.Server
            m_NoVerifyCertChain = serverConfig.GetBoolean("NoVerifyCertChain", m_NoVerifyCertChain);
            m_NoVerifyCertHostname = serverConfig.GetBoolean("NoVerifyCertHostname", m_NoVerifyCertHostname);
-            ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
            string connList = serverConfig.GetString("ServiceConnectors", String.Empty);
            
diff --git a/bin/OpenSim.ini.example b/bin/OpenSim.ini.example
index 4df6584..a4a6d0c 100644
--- a/bin/OpenSim.ini.example
+++ b/bin/OpenSim.ini.example
@@ -295,6 +295,19 @@
    ;; default is false
    ; TelehubAllowLandmark = false
+    
+    ;; SSL certificate validation options
+    ;; used also on contacting other peers that require SSL and we don't
+    ;; you should set this to false forcing all peers (like regions) to have valid certificates
+    ;; but you can allow selfsigned certificates or no official CA with next option true
+    ;# {NoVerifyCertChain} {} {do not verify SSL Cert Chain} {true false} true
+    ; NoVerifyCertChain = true
+    ;; you can also bypass the hostname or domain verification
+    ;# {NoVerifyCertHostname} {} {do not verify SSL Cert name versus peer name} {true false} true
+    ; NoVerifyCertHostname = true
+    ;; having both options true does provide encriptation, but low security
+    ;; possible enought for small grids, specially it not comercial       
 [AccessControl]
    ;# {AllowedClients} {} {Bar (|) separated list of allowed clients} {}
diff --git a/bin/OpenSimDefaults.ini b/bin/OpenSimDefaults.ini
index 6539f6e..4884d3d 100644
--- a/bin/OpenSimDefaults.ini
+++ b/bin/OpenSimDefaults.ini
@@ -401,7 +401,20 @@
    ; routing and land at the landmark coordinates when set to true
    ; default is false
    ; TelehubAllowLandmark = false
-   
+    ; #
+    ; # SSL certificates validation options
+    ; #
+    
+    ; SSL certificate validation options
+    ; used also on contacting other peers that require SSL and we don't
+    ; you should set this to false forcing all peers (like regions) to have valid certificates
+    ; but you can allow selfsigned certificates or no official CA with next option true
+    ; NoVerifyCertChain = true
+    ; you can also bypass the hostname or domain verification
+    ; NoVerifyCertHostname = true
+    ; having both options true does provide encriptation, but low security
+    ; possible enought for small grids, specially it not comercial    
    
 [Map]
    ; Map tile options.  
diff --git a/bin/Robust.HG.ini.example b/bin/Robust.HG.ini.example
index 08a3b8c..f66b245 100644
--- a/bin/Robust.HG.ini.example
+++ b/bin/Robust.HG.ini.example
@@ -71,6 +71,7 @@
    ConsoleHistoryFileLines = 100
    ; peers SSL certificate validation options (if using ssl)
+    ; used also on contacting other peers that require SSL and we don't
    ; you should set this to false forcing all peers (like regions) to have valid certificates
    ; but you can allow selfsigned certificates or no official CA with next option true
    NoVerifyCertChain = true
diff --git a/bin/Robust.ini.example b/bin/Robust.ini.example
index 743b23d..5e6ce47 100644
--- a/bin/Robust.ini.example
+++ b/bin/Robust.ini.example
@@ -61,6 +61,16 @@
    ; How many lines of command history should we keep? (default is 100)
    ConsoleHistoryFileLines = 100
+    
+    ; peers SSL certificate validation options
+    ; used also on contacting other peers that require SSL and we don't
+    ; you should set this to false forcing all peers (like regions) to have valid certificates
+    ; but you can allow selfsigned certificates or no official CA with next option true
+    NoVerifyCertChain = true
+    ; you can also bypass the hostname or domain verification
+    NoVerifyCertHostname = true
+    ; having both options true does provide encriptation, but low security
+    ; possible enought for small grids, specially it not comercial
  
 [ServiceList]
    AssetServiceConnector = "${Const|PrivatePort}/OpenSim.Server.Handlers.dll:AssetServiceConnector"

diff --git a/OpenSim/Framework/Servers/BaseOpenSimServer.cs b/OpenSim/Framework/Servers/BaseOpenSimServer.cs index 1d4deac..541b658 100644 --- a/OpenSim/Framework/Servers/BaseOpenSimServer.cs +++ b/OpenSim/Framework/Servers/BaseOpenSimServer.cs
@@ -33,6 +33,9 @@ using System.Text;
33	using System.Text.RegularExpressions;	33	using System.Text.RegularExpressions;
34	using System.Threading;	34	using System.Threading;
35	using System.Timers;	35	using System.Timers;
		36	using System.Net;
		37	using System.Net.Security;
		38	using System.Security.Cryptography.X509Certificates;
36	using log4net;	39	using log4net;
37	using log4net.Appender;	40	using log4net.Appender;
38	using log4net.Core;	41	using log4net.Core;
@@ -85,7 +88,27 @@ namespace OpenSim.Framework.Servers
85	// Random uuid for private data	88	// Random uuid for private data
86	m_osSecret = UUID.Random().ToString();	89	m_osSecret = UUID.Random().ToString();
87	}	90	}
88		91
		92	private static bool m_NoVerifyCertChain = false;
		93	private static bool m_NoVerifyCertHostname = false;
		94
		95	public static bool ValidateServerCertificate(
		96	object sender,
		97	X509Certificate certificate,
		98	X509Chain chain,
		99	SslPolicyErrors sslPolicyErrors)
		100	{
		101	if (m_NoVerifyCertChain)
		102	sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateChainErrors;
		103
		104	if (m_NoVerifyCertHostname)
		105	sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateNameMismatch;
		106
		107	if (sslPolicyErrors == SslPolicyErrors.None)
		108	return true;
		109
		110	return false;
		111	}
89	/// <summary>	112	/// <summary>
90	/// Must be overriden by child classes for their own server specific startup behaviour.	113	/// Must be overriden by child classes for their own server specific startup behaviour.
91	/// </summary>	114	/// </summary>
@@ -96,6 +119,11 @@ namespace OpenSim.Framework.Servers
96	RegisterCommonComponents(Config);	119	RegisterCommonComponents(Config);
97		120
98	IConfig startupConfig = Config.Configs["Startup"];	121	IConfig startupConfig = Config.Configs["Startup"];
		122
		123	m_NoVerifyCertChain = startupConfig.GetBoolean("NoVerifyCertChain", m_NoVerifyCertChain);
		124	m_NoVerifyCertHostname = startupConfig.GetBoolean("NoVerifyCertHostname", m_NoVerifyCertHostname);
		125	ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
		126
99	int logShowStatsSeconds = startupConfig.GetInt("LogShowStatsSeconds", m_periodDiagnosticTimerMS / 1000);	127	int logShowStatsSeconds = startupConfig.GetInt("LogShowStatsSeconds", m_periodDiagnosticTimerMS / 1000);
100	m_periodDiagnosticTimerMS = logShowStatsSeconds * 1000;	128	m_periodDiagnosticTimerMS = logShowStatsSeconds * 1000;
101	m_periodicDiagnosticsTimer.Elapsed += new ElapsedEventHandler(LogDiagnostics);	129	m_periodicDiagnosticsTimer.Elapsed += new ElapsedEventHandler(LogDiagnostics);


diff --git a/OpenSim/Server/ServerMain.cs b/OpenSim/Server/ServerMain.cs index 190f60f..9d6a3d0 100644 --- a/OpenSim/Server/ServerMain.cs +++ b/OpenSim/Server/ServerMain.cs
@@ -79,6 +79,7 @@ namespace OpenSim.Server
79	// Make sure we don't get outbound connections queueing	79	// Make sure we don't get outbound connections queueing
80	ServicePointManager.DefaultConnectionLimit = 50;	80	ServicePointManager.DefaultConnectionLimit = 50;
81	ServicePointManager.UseNagleAlgorithm = false;	81	ServicePointManager.UseNagleAlgorithm = false;
		82	ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
82		83
83	m_Server = new HttpServerBase("R.O.B.U.S.T.", args);	84	m_Server = new HttpServerBase("R.O.B.U.S.T.", args);
84		85
@@ -94,7 +95,6 @@ namespace OpenSim.Server
94	m_NoVerifyCertChain = serverConfig.GetBoolean("NoVerifyCertChain", m_NoVerifyCertChain);	95	m_NoVerifyCertChain = serverConfig.GetBoolean("NoVerifyCertChain", m_NoVerifyCertChain);
95	m_NoVerifyCertHostname = serverConfig.GetBoolean("NoVerifyCertHostname", m_NoVerifyCertHostname);	96	m_NoVerifyCertHostname = serverConfig.GetBoolean("NoVerifyCertHostname", m_NoVerifyCertHostname);
96		97
97	ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
98		98
99	string connList = serverConfig.GetString("ServiceConnectors", String.Empty);	99	string connList = serverConfig.GetString("ServiceConnectors", String.Empty);
100		100


diff --git a/bin/OpenSim.ini.example b/bin/OpenSim.ini.example index 4df6584..a4a6d0c 100644 --- a/bin/OpenSim.ini.example +++ b/bin/OpenSim.ini.example
@@ -295,6 +295,19 @@
295	;; default is false	295	;; default is false
296	; TelehubAllowLandmark = false	296	; TelehubAllowLandmark = false
297		297
		298
		299	;; SSL certificate validation options
		300	;; used also on contacting other peers that require SSL and we don't
		301	;; you should set this to false forcing all peers (like regions) to have valid certificates
		302	;; but you can allow selfsigned certificates or no official CA with next option true
		303	;# {NoVerifyCertChain} {} {do not verify SSL Cert Chain} {true false} true
		304	; NoVerifyCertChain = true
		305
		306	;; you can also bypass the hostname or domain verification
		307	;# {NoVerifyCertHostname} {} {do not verify SSL Cert name versus peer name} {true false} true
		308	; NoVerifyCertHostname = true
		309	;; having both options true does provide encriptation, but low security
		310	;; possible enought for small grids, specially it not comercial
298		311
299	[AccessControl]	312	[AccessControl]
300	;# {AllowedClients} {} {Bar (\|) separated list of allowed clients} {}	313	;# {AllowedClients} {} {Bar (\|) separated list of allowed clients} {}


diff --git a/bin/OpenSimDefaults.ini b/bin/OpenSimDefaults.ini index 6539f6e..4884d3d 100644 --- a/bin/OpenSimDefaults.ini +++ b/bin/OpenSimDefaults.ini
@@ -401,7 +401,20 @@
401	; routing and land at the landmark coordinates when set to true	401	; routing and land at the landmark coordinates when set to true
402	; default is false	402	; default is false
403	; TelehubAllowLandmark = false	403	; TelehubAllowLandmark = false
404		404
		405	; #
		406	; # SSL certificates validation options
		407	; #
		408
		409	; SSL certificate validation options
		410	; used also on contacting other peers that require SSL and we don't
		411	; you should set this to false forcing all peers (like regions) to have valid certificates
		412	; but you can allow selfsigned certificates or no official CA with next option true
		413	; NoVerifyCertChain = true
		414	; you can also bypass the hostname or domain verification
		415	; NoVerifyCertHostname = true
		416	; having both options true does provide encriptation, but low security
		417	; possible enought for small grids, specially it not comercial
405		418
406	[Map]	419	[Map]
407	; Map tile options.	420	; Map tile options.


diff --git a/bin/Robust.HG.ini.example b/bin/Robust.HG.ini.example index 08a3b8c..f66b245 100644 --- a/bin/Robust.HG.ini.example +++ b/bin/Robust.HG.ini.example
@@ -71,6 +71,7 @@
71	ConsoleHistoryFileLines = 100	71	ConsoleHistoryFileLines = 100
72		72
73	; peers SSL certificate validation options (if using ssl)	73	; peers SSL certificate validation options (if using ssl)
		74	; used also on contacting other peers that require SSL and we don't
74	; you should set this to false forcing all peers (like regions) to have valid certificates	75	; you should set this to false forcing all peers (like regions) to have valid certificates
75	; but you can allow selfsigned certificates or no official CA with next option true	76	; but you can allow selfsigned certificates or no official CA with next option true
76	NoVerifyCertChain = true	77	NoVerifyCertChain = true


diff --git a/bin/Robust.ini.example b/bin/Robust.ini.example index 743b23d..5e6ce47 100644 --- a/bin/Robust.ini.example +++ b/bin/Robust.ini.example
@@ -61,6 +61,16 @@
61		61
62	; How many lines of command history should we keep? (default is 100)	62	; How many lines of command history should we keep? (default is 100)
63	ConsoleHistoryFileLines = 100	63	ConsoleHistoryFileLines = 100
		64
		65	; peers SSL certificate validation options
		66	; used also on contacting other peers that require SSL and we don't
		67	; you should set this to false forcing all peers (like regions) to have valid certificates
		68	; but you can allow selfsigned certificates or no official CA with next option true
		69	NoVerifyCertChain = true
		70	; you can also bypass the hostname or domain verification
		71	NoVerifyCertHostname = true
		72	; having both options true does provide encriptation, but low security
		73	; possible enought for small grids, specially it not comercial
64		74
65	[ServiceList]	75	[ServiceList]
66	AssetServiceConnector = "${Const\|PrivatePort}/OpenSim.Server.Handlers.dll:AssetServiceConnector"	76	AssetServiceConnector = "${Const\|PrivatePort}/OpenSim.Server.Handlers.dll:AssetServiceConnector"