From dbbbec48dfbc51f30953d8a46f4fc8f192bd277c Mon Sep 17 00:00:00 2001 From: Teravus Ovares Date: Sun, 14 Sep 2008 18:39:17 +0000 Subject: * This update makes configuring SSL a little easier on Windows XP. It also makes it possible to run a HTTPS server on the region. It also has a junk Certification authority for test purposes. * There are still a lot of things that are hard coded to use http. They need to be fixed. * Also includes directions * A standard junk PEM file to append to app_settings/CA.pem in the client so SSL will work --- OpenSim/Framework/NetworkServersInfo.cs | 7 ++ OpenSim/Framework/Servers/BaseHttpServer.cs | 129 ++++++++++++++++++++- .../Region/ClientStack/RegionApplicationBase.cs | 7 +- .../Modules/InterGrid/OpenGridProtocolModule.cs | 57 ++++++++- 4 files changed, 193 insertions(+), 7 deletions(-) (limited to 'OpenSim') diff --git a/OpenSim/Framework/NetworkServersInfo.cs b/OpenSim/Framework/NetworkServersInfo.cs index 43ec11e..9f3014d 100644 --- a/OpenSim/Framework/NetworkServersInfo.cs +++ b/OpenSim/Framework/NetworkServersInfo.cs @@ -49,6 +49,9 @@ namespace OpenSim.Framework public string UserRecvKey = String.Empty; public string UserSendKey = String.Empty; public string UserURL = String.Empty; + public bool HttpUsesSSL = false; + public string HttpSSLCN = ""; + public uint httpSSLPort = 9001; public NetworkServersInfo() @@ -78,6 +81,10 @@ namespace OpenSim.Framework HttpListenerPort = (uint) config.Configs["Network"].GetInt("http_listener_port", (int) DefaultHttpListenerPort); + httpSSLPort = + (uint)config.Configs["Network"].GetInt("http_listener_sslport", ((int)DefaultHttpListenerPort+1)); + HttpUsesSSL = config.Configs["Network"].GetBoolean("http_listener_ssl", false); + HttpSSLCN = config.Configs["Network"].GetString("http_listener_cn", ""); RemotingListenerPort = (uint) config.Configs["Network"].GetInt("remoting_listener_port", (int) RemotingListenerPort); GridURL = diff --git a/OpenSim/Framework/Servers/BaseHttpServer.cs b/OpenSim/Framework/Servers/BaseHttpServer.cs index 181eb92..6cf6744 100644 --- a/OpenSim/Framework/Servers/BaseHttpServer.cs +++ b/OpenSim/Framework/Servers/BaseHttpServer.cs @@ -26,12 +26,14 @@ */ using System; +using System.Diagnostics; using System.Collections; using System.Collections.Generic; using System.IO; using System.Net; using System.Net.Sockets; using System.Reflection; +using System.Security.Cryptography.X509Certificates; using System.Text; using System.Threading; using System.Xml; @@ -39,6 +41,7 @@ using OpenMetaverse.StructuredData; using log4net; using Nwc.XmlRpc; + namespace OpenSim.Framework.Servers { public class BaseHttpServer @@ -55,9 +58,14 @@ namespace OpenSim.Framework.Servers protected Dictionary m_agentHandlers = new Dictionary(); protected uint m_port; + protected uint m_sslport; protected bool m_ssl = false; protected bool m_firstcaps = true; + public uint SSLPort + { + get { return m_sslport; } + } public uint Port { get { return m_port; } @@ -72,8 +80,124 @@ namespace OpenSim.Framework.Servers { m_ssl = ssl; m_port = port; + + } + + public BaseHttpServer(uint port, bool ssl, uint sslport, string CN) + { + m_ssl = ssl; + m_port = port; + if (m_ssl) + { + bool result = SetupSsl((int)sslport, CN); + m_sslport = sslport; + } + } + + + + public bool SetupSsl(int port, string CN) + { + string searchCN = Environment.MachineName.ToUpper(); + + if (CN.Length > 0) + searchCN = CN.ToUpper(); + + Type t = Type.GetType("Mono.Runtime"); + if (t != null) + { + // TODO Mono User Friendly HTTPS setup + // if this doesn't exist, then mono people can still manually use httpcfg + } + else + { + // Windows. + // Search through the store for a certificate with a Common name specified in OpenSim.ini. + // We need to find it's hash so we can pass it to httpcfg + X509Store store = new X509Store(StoreLocation.LocalMachine); + //Use the first cert to configure Ssl + store.Open(OpenFlags.ReadOnly); + //Assumption is we have certs. If not then this call will fail :( + try + { + bool found = false; + //X509Certificate2.CreateFromCertFile("testCert.cer"); + + foreach (X509Certificate2 cert in store.Certificates) + { + String certHash = cert.GetCertHashString(); + //Only install certs issued for the machine and has the name as the machine name + if (cert.Subject.ToUpper().IndexOf(searchCN) >= 0) + { + string httpcfgparams = String.Format("set ssl -i 0.0.0.0:{1} -c \"MY\" -h {0}", certHash, port); + try + { + found = true; + + ExecuteHttpcfgCommand(httpcfgparams); + + break; + } + catch (Exception e) + { + m_log.WarnFormat("[HTTPS]: Automatic HTTPS setup failed. Do you have httpcfg.exe in your path? If not, you can download it in the windowsXP Service Pack 2 Support Tools, here: http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en. When you get it installed type, httpcfg {0}", httpcfgparams); + return false; + } + } + } + + if (!found) + { + m_log.WarnFormat("[HTTPS]: We didn't find a certificate that matched the common name {0}. Automatic HTTPS setup failed, you may have certificate errors. To fix this, make sure you generate a certificate request(CSR) using OpenSSL or the IIS snap-in with the common name you specified in opensim.ini. Then get it signed by a certification authority or sign it yourself with OpenSSL and the junkCA. Finally, be sure to import the cert to the 'MY' store(StoreLocation.LocalMachine)", searchCN); + return false; + } + + } + catch (Exception e) + { + m_log.WarnFormat("[HTTPS]: We didn't any certificates in your LocalMachine certificate store. Automatic HTTPS setup failed, you may have certificate errors. To fix this, make sure you generate a certificate request(CSR) using OpenSSL or the IIS snap-inwith the common name you specified in opensim.ini. Then get it signed by a certification authority or sign it yourself with OpenSSL and the junkCA. Finally, be sure to import the cert to the 'MY' store(StoreLocation.LocalMachine). The configured common name is {0}", searchCN); + return false; + } + finally + { + if (store != null) + { + store.Close(); + } + } + } + return true; } + private void ExecuteHttpcfgCommand(string p) + { + + string file = "httpcfg"; + + ProcessStartInfo info = new ProcessStartInfo(file, p); + // Redirect output so we can read it. + info.RedirectStandardOutput = true; + // To redirect, we must not use shell execute. + info.UseShellExecute = false; + + // Create and execute the process. + Process httpcfgprocess = Process.Start(info); + httpcfgprocess.Start(); + string result = httpcfgprocess.StandardOutput.ReadToEnd(); + if (result.Contains("HttpSetServiceConfiguration completed with")) + { + //success + + } + else + { + //fail + m_log.WarnFormat("[HTTPS]:Error binding certificate with the requested port. Message:{0}", result); + } + + } + + /// /// Add a stream handler to the http server. If the handler already exists, then nothing happens. /// @@ -907,7 +1031,8 @@ namespace OpenSim.Framework.Servers } else { - m_httpListener.Prefixes.Add("https://+:" + m_port + "/"); + m_httpListener.Prefixes.Add("https://+:" + (m_sslport) + "/"); + m_httpListener.Prefixes.Add("http://+:" + m_port + "/"); } m_httpListener.Start(); @@ -921,7 +1046,7 @@ namespace OpenSim.Framework.Servers catch (Exception e) { m_log.Warn("[HTTPD]: Error - " + e.Message); - m_log.Warn("Tip: Do you have permission to listen on port " + m_port + "?"); + m_log.Warn("Tip: Do you have permission to listen on port " + m_port + "," + m_sslport + "?"); } } diff --git a/OpenSim/Region/ClientStack/RegionApplicationBase.cs b/OpenSim/Region/ClientStack/RegionApplicationBase.cs index 8bb35c1..469c084 100644 --- a/OpenSim/Region/ClientStack/RegionApplicationBase.cs +++ b/OpenSim/Region/ClientStack/RegionApplicationBase.cs @@ -81,7 +81,12 @@ namespace OpenSim.Region.ClientStack Initialize(); - m_httpServer = new BaseHttpServer(m_httpServerPort); + m_httpServer = new BaseHttpServer(m_httpServerPort,m_networkServersInfo.HttpUsesSSL,m_networkServersInfo.httpSSLPort, m_networkServersInfo.HttpSSLCN); + if (m_networkServersInfo.HttpUsesSSL && (m_networkServersInfo.HttpListenerPort == m_networkServersInfo.httpSSLPort)) + { + m_log.Error("[HTTP]: HTTP Server config failed. HTTP Server and HTTPS server must be on different ports"); + } + m_log.Info("[REGION]: Starting HTTP server"); diff --git a/OpenSim/Region/Environment/Modules/InterGrid/OpenGridProtocolModule.cs b/OpenSim/Region/Environment/Modules/InterGrid/OpenGridProtocolModule.cs index 6e37b95..68f35e8 100644 --- a/OpenSim/Region/Environment/Modules/InterGrid/OpenGridProtocolModule.cs +++ b/OpenSim/Region/Environment/Modules/InterGrid/OpenGridProtocolModule.cs @@ -86,6 +86,9 @@ namespace OpenSim.Region.Environment.Modules.InterGrid private Dictionary m_OGPState = new Dictionary(); private string LastNameSuffix = "_EXTERNAL"; private string FirstNamePrefix = ""; + private string httpsCN = ""; + private bool httpSSL = false; + private uint httpsslport = 0; #region IRegionModule Members @@ -93,6 +96,7 @@ namespace OpenSim.Region.Environment.Modules.InterGrid { bool enabled = false; IConfig cfg = null; + IConfig httpcfg = null; try { cfg = config.Configs["OpenGridProtocol"]; @@ -100,6 +104,16 @@ namespace OpenSim.Region.Environment.Modules.InterGrid { enabled = false; } + + try + { + httpcfg = config.Configs["Network"]; + } + catch (NullReferenceException) + { + + } + if (cfg != null) { enabled = cfg.GetBoolean("ogp_enabled", false); @@ -139,6 +153,20 @@ namespace OpenSim.Region.Environment.Modules.InterGrid } } } + lock (m_scene) + { + if (m_scene.Count == 1) + { + if (httpcfg != null) + { + httpSSL = httpcfg.GetBoolean("http_listener_ssl", false); + httpsCN = httpcfg.GetString("http_listener_cn", scene.RegionInfo.ExternalHostName); + if (httpsCN.Length == 0) + httpsCN = scene.RegionInfo.ExternalHostName; + httpsslport = (uint)httpcfg.GetInt("http_listener_sslport",((int)scene.RegionInfo.HttpPort + 1)); + } + } + } // Of interest to this module potentially //scene.EventManager.OnNewClient += OnNewClient; //scene.EventManager.OnGridInstantMessageToFriendsModule += OnGridInstantMessage; @@ -371,14 +399,35 @@ namespace OpenSim.Region.Environment.Modules.InterGrid // Get a reference to the user's cap so we can pull out the Caps Object Path OpenSim.Framework.Communications.Capabilities.Caps userCap = homeScene.GetCapsHandlerForUser(agentData.AgentID); + string rezHttpProtocol = "http://"; + string regionCapsHttpProtocol = "http://"; + string httpaddr = reg.ExternalHostName; + string urlport = reg.HttpPort.ToString(); + + + if (httpSSL) + { + rezHttpProtocol = "https://"; + + urlport = httpsslport.ToString(); + + if (httpsCN.Length > 0) + httpaddr = httpsCN; + } + + + // Be warned that the two following lines assume http not + // https since region caps are not implemented in https currently + // DEPRECIATED - responseMap["seed_capability"] = LLSD.FromString("http://" + reg.ExternalHostName + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/"); + responseMap["seed_capability"] = LLSD.FromString(regionCapsHttpProtocol + httpaddr + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/"); // REPLACEMENT - responseMap["region_seed_capability"] = LLSD.FromString("http://" + reg.ExternalHostName + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/"); + responseMap["region_seed_capability"] = LLSD.FromString(regionCapsHttpProtocol + httpaddr + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/"); + - responseMap["rez_avatar/rez"] = LLSD.FromString("http://" + reg.ExternalHostName + ":" + reg.HttpPort + rezAvatarPath); - responseMap["rez_avatar/derez"] = LLSD.FromString("http://" + reg.ExternalHostName + ":" + reg.HttpPort + derezAvatarPath); + responseMap["rez_avatar/rez"] = LLSD.FromString(rezHttpProtocol + httpaddr + ":" + urlport + rezAvatarPath); + responseMap["rez_avatar/derez"] = LLSD.FromString(rezHttpProtocol + httpaddr + ":" + urlport + derezAvatarPath); // Add the user to the list of CAPS that are outstanding. // well allow the caps hosts in this dictionary -- cgit v1.1