From 3a81642d979a84c5c2e666cb500e080d56f887ed Mon Sep 17 00:00:00 2001
From: UbitUmarov
Date: Wed, 7 Dec 2016 13:30:07 +0000
Subject: add SSL certs validation options for regions to allow simple encriptation without any peer autentification using simple homemade (or even shared) certs.
---
 OpenSim/Framework/Servers/BaseOpenSimServer.cs | 30 +++++++++++++++++++++++++-
 OpenSim/Server/ServerMain.cs | 2 +-
 bin/OpenSim.ini.example | 13 +++++++++++
 bin/OpenSimDefaults.ini | 15 ++++++++++++-
 bin/Robust.HG.ini.example | 1 +
 bin/Robust.ini.example | 10 +++++++++
 6 files changed, 68 insertions(+), 3 deletions(-)
diff --git a/OpenSim/Framework/Servers/BaseOpenSimServer.cs b/OpenSim/Framework/Servers/BaseOpenSimServer.cs
index 1d4deac..541b658 100644
--- a/OpenSim/Framework/Servers/BaseOpenSimServer.cs
+++ b/OpenSim/Framework/Servers/BaseOpenSimServer.cs
@@ -33,6 +33,9 @@ using System.Text;
 using System.Text.RegularExpressions;
 using System.Threading;
 using System.Timers;
+using System.Net;
+using System.Net.Security;
+using System.Security.Cryptography.X509Certificates;
 using log4net;
 using log4net.Appender;
 using log4net.Core;
@@ -85,7 +88,27 @@ namespace OpenSim.Framework.Servers
 // Random uuid for private data
 m_osSecret = UUID.Random().ToString();
 }
-
+
+ private static bool m_NoVerifyCertChain = false;
+ private static bool m_NoVerifyCertHostname = false;
+
+ public static bool ValidateServerCertificate(
+ object sender,
+ X509Certificate certificate,
+ X509Chain chain,
+ SslPolicyErrors sslPolicyErrors)
+ {
+ if (m_NoVerifyCertChain)
+ sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateChainErrors;
+
+ if (m_NoVerifyCertHostname)
+ sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateNameMismatch;
+
+ if (sslPolicyErrors == SslPolicyErrors.None)
+ return true;
+
+ return false;
+ }
 ///
 /// Must be overriden by child classes for their own server specific startup behaviour.
 ///
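Review bot: ValidateServerCertificate, added in the `@@ -85,7 +88,27 @@` hunk of BaseOpenSimServer.cs, has no documentation, and its effect is wider than the name suggests. The two static flags mask RemoteCertificateChainErrors and RemoteCertificateNameMismatch, and the next hunk assigns the method to ServicePointManager.ServerCertificateValidationCallback, so the relaxation applies to every outbound TLS request the process makes through that API, not only to region or grid peers. With both flags set any presented certificate is accepted, which leaves the link encrypted but unauthenticated and open to an active man-in-the-middle. I would add a summary such as `/// Process-wide TLS validation callback; NoVerifyCertChain and NoVerifyCertHostname mask the matching SslPolicyErrors bits, a missing certificate is still rejected.` and collapse the tail to `return sslPolicyErrors == SslPolicyErrors.None;`. If self-signed peers are the goal, comparing the presented certificate against a configured set of trusted thumbprints would keep peer authentication without requiring a public CA.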
@@ -96,6 +119,11 @@ namespace OpenSim.Framework.Servers
 RegisterCommonComponents(Config);
 IConfig startupConfig = Config.Configs["Startup"];
+
+ m_NoVerifyCertChain = startupConfig.GetBoolean("NoVerifyCertChain", m_NoVerifyCertChain);
+ m_NoVerifyCertHostname = startupConfig.GetBoolean("NoVerifyCertHostname", m_NoVerifyCertHostname);
+ ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
+
 int logShowStatsSeconds = startupConfig.GetInt("LogShowStatsSeconds", m_periodDiagnosticTimerMS / 1000);
 m_periodDiagnosticTimerMS = logShowStatsSeconds * 1000;
 m_periodicDiagnosticsTimer.Elapsed += new ElapsedEventHandler(LogDiagnostics);
diff --git a/OpenSim/Server/ServerMain.cs b/OpenSim/Server/ServerMain.cs
index 190f60f..9d6a3d0 100644
--- a/OpenSim/Server/ServerMain.cs
+++ b/OpenSim/Server/ServerMain.cs
@@ -79,6 +79,7 @@ namespace OpenSim.Server
 // Make sure we don't get outbound connections queueing
 ServicePointManager.DefaultConnectionLimit = 50;
 ServicePointManager.UseNagleAlgorithm = false;
+ ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
 m_Server = new HttpServerBase("R.O.B.U.S.T.", args);
@@ -94,7 +95,6 @@ namespace OpenSim.Server
 m_NoVerifyCertChain = serverConfig.GetBoolean("NoVerifyCertChain", m_NoVerifyCertChain);
 m_NoVerifyCertHostname = serverConfig.GetBoolean("NoVerifyCertHostname", m_NoVerifyCertHostname);
- ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
 string connList = serverConfig.GetString("ServiceConnectors", String.Empty);
diff --git a/bin/OpenSim.ini.example b/bin/OpenSim.ini.example
index 4df6584..a4a6d0c 100644
--- a/bin/OpenSim.ini.example
+++ b/bin/OpenSim.ini.example
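Review bot: In the `@@ -96,6 +119,11 @@` hunk of BaseOpenSimServer.cs the two options are read and the callback installed without any log output, so an operator cannot tell from the startup log that certificate checks have been relaxed for the whole process. A warning right after the two GetBoolean calls would make that visible, for example `if (m_NoVerifyCertChain || m_NoVerifyCertHostname) m_log.Warn("[STARTUP]: SSL certificate validation is relaxed by configuration");` (this assumes the class exposes its log4net logger as `m_log`, which the hunk does not show). The assignment also replaces any validation callback that another component registered earlier, which deserves a one-line comment. The enclosing method starts and ends outside the hunk.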
@@ -295,6 +295,19 @@
 ;; default is false
 ; TelehubAllowLandmark = false
+
+ ;; SSL certificate validation options
+ ;; used also on contacting other peers that require SSL and we don't
+ ;; you should set this to false forcing all peers (like regions) to have valid certificates
+ ;; but you can allow selfsigned certificates or no official CA with next option true
+ ;# {NoVerifyCertChain} {} {do not verify SSL Cert Chain} {true false} true
+ ; NoVerifyCertChain = true
+
+ ;; you can also bypass the hostname or domain verification
+ ;# {NoVerifyCertHostname} {} {do not verify SSL Cert name versus peer name} {true false} true
+ ; NoVerifyCertHostname = true
+ ;; having both options true does provide encriptation, but low security
+ ;; possible enought for small grids, specially it not comercial
 [AccessControl]
 ;# {AllowedClients} {} {Bar (|) separated list of allowed clients} {}
diff --git a/bin/OpenSimDefaults.ini b/bin/OpenSimDefaults.ini
index 6539f6e..4884d3d 100644
--- a/bin/OpenSimDefaults.ini
+++ b/bin/OpenSimDefaults.ini
@@ -401,7 +401,20 @@
 ; routing and land at the landmark coordinates when set to true
 ; default is false
 ; TelehubAllowLandmark = false
-
+
+ ; #
+ ; # SSL certificates validation options
+ ; #
+
+ ; SSL certificate validation options
+ ; used also on contacting other peers that require SSL and we don't
+ ; you should set this to false forcing all peers (like regions) to have valid certificates
+ ; but you can allow selfsigned certificates or no official CA with next option true
+ ; NoVerifyCertChain = true
+ ; you can also bypass the hostname or domain verification
+ ; NoVerifyCertHostname = true
+ ; having both options true does provide encriptation, but low security
+ ; possible enought for small grids, specially it not comercial
 [Map]
 ; Map tile options.
diff --git a/bin/Robust.HG.ini.example b/bin/Robust.HG.ini.example
index 08a3b8c..f66b245 100644
--- a/bin/Robust.HG.ini.example
+++ b/bin/Robust.HG.ini.example
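Review bot: In the bin/OpenSim.ini.example hunk both `;#` annotation lines end in `true`. If that last field is the value the configuration tooling proposes as the default, a generated configuration would switch both checks off, while the code default in BaseOpenSimServer.cs is `false`. I would end them in `false`, e.g. `;# {NoVerifyCertChain} {} {do not verify SSL Cert Chain} {true false} false`, and state the default in the comment with a line such as `;; default is false (certificates are fully validated)`. The bin/OpenSimDefaults.ini hunk carries the same commented `= true` samples without naming the default, so the same line would help there.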
@@ -71,6 +71,7 @@
 ConsoleHistoryFileLines = 100
 ; peers SSL certificate validation options (if using ssl)
+ ; used also on contacting other peers that require SSL and we don't
 ; you should set this to false forcing all peers (like regions) to have valid certificates
 ; but you can allow selfsigned certificates or no official CA with next option true
 NoVerifyCertChain = true
diff --git a/bin/Robust.ini.example b/bin/Robust.ini.example
index 743b23d..5e6ce47 100644
--- a/bin/Robust.ini.example
+++ b/bin/Robust.ini.example
@@ -61,6 +61,16 @@
 ; How many lines of command history should we keep? (default is 100)
 ConsoleHistoryFileLines = 100
+
+ ; peers SSL certificate validation options
+ ; used also on contacting other peers that require SSL and we don't
+ ; you should set this to false forcing all peers (like regions) to have valid certificates
+ ; but you can allow selfsigned certificates or no official CA with next option true
+ NoVerifyCertChain = true
+ ; you can also bypass the hostname or domain verification
+ NoVerifyCertHostname = true
+ ; having both options true does provide encriptation, but low security
+ ; possible enought for small grids, specially it not comercial
 [ServiceList]
 AssetServiceConnector = "${Const|PrivatePort}/OpenSim.Server.Handlers.dll:AssetServiceConnector"
-- cgit v1.1
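Review bot: The bin/Robust.ini.example hunk adds `NoVerifyCertChain = true` and `NoVerifyCertHostname = true` uncommented, so anyone who copies the example to a live configuration runs with both chain and hostname validation disabled, although the comment directly above says the value should be false. I would ship the strict values, `NoVerifyCertChain = false` and `NoVerifyCertHostname = false`, or comment the two lines out so the built-in default applies, leaving the relaxation as an explicit operator decision. bin/Robust.HG.ini.example already carries `NoVerifyCertChain = true` as a context line in its hunk, so the same concern applies to that file.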