add SSL certs validation options for robust to allow simple certificates, possible only for encriptation without any peer autentification. disable validation by default for the small grids case

2016-12-07 12:23:40 +00:00 · 2016-12-07 12:23:40 +00:00 · 049dd374e9
parent 4993a08d25
commit 049dd374e9
2 changed files with 36 additions and 0 deletions
--- a/OpenSim/Server/ServerMain.cs
+++ b/OpenSim/Server/ServerMain.cs
@ -30,6 +30,8 @@ using log4net;
 using System.Reflection;
 using System;
 using System.Net;
+using System.Net.Security;
+using System.Security.Cryptography.X509Certificates;
 using System.Collections.Generic;
 using OpenSim.Framework.Servers;
 using OpenSim.Framework.Servers.HttpServer;
@ -51,6 +53,26 @@ namespace OpenSim.Server
                new List<IServiceConnector>();

        protected static PluginLoader loader;
+        private static bool m_NoVerifyCertChain = false;
+        private static bool m_NoVerifyCertHostname = false;
+
+        public static bool ValidateServerCertificate(
+            object sender,
+            X509Certificate certificate,
+            X509Chain chain,
+            SslPolicyErrors sslPolicyErrors)
+        {
+            if (m_NoVerifyCertChain)
+                sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateChainErrors;
+ 
+            if (m_NoVerifyCertHostname)
+                sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateNameMismatch;
+
+            if (sslPolicyErrors == SslPolicyErrors.None)
+                return true;
+
+            return false;
+        }

        public static int Main(string[] args)
        {
@ -69,6 +91,11 @@ namespace OpenSim.Server
                throw new Exception("Configuration error");
            }

+            m_NoVerifyCertChain = serverConfig.GetBoolean("NoVerifyCertChain", m_NoVerifyCertChain);
+            m_NoVerifyCertHostname = serverConfig.GetBoolean("NoVerifyCertHostname", m_NoVerifyCertHostname);
+
+            ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
+
            string connList = serverConfig.GetString("ServiceConnectors", String.Empty);
            
            registryLocation = serverConfig.GetString("RegistryLocation",".");
--- a/bin/Robust.HG.ini.example
+++ b/bin/Robust.HG.ini.example
@ -70,6 +70,15 @@
    ; How many lines of command history should we keep? (default is 100)
    ConsoleHistoryFileLines = 100

+    ; peers SSL certificate validation options (if using ssl)
+    ; you should set this to false forcing all peers (like regions) to have valid certificates
+    ; but you can allow selfsigned certificates or no official CA with next option true
+    NoVerifyCertChain = true
+    ; you can also bypass the hostname or domain verification
+    NoVerifyCertHostname = true
+    ; having both options true does provide encriptation, but low security
+    ; possible enought for small grids, specially it not comercial
+    

 [ServiceList]
    AssetServiceConnector = "${Const|PrivatePort}/OpenSim.Server.Handlers.dll:AssetServiceConnector"