add SSL certificate validation options for regions, to allow simple encryption without any peer authentication using simple home-made (or even shared) certificates.
parent
049dd374e9
commit
3a81642d97
|
@ -33,6 +33,9 @@ using System.Text;
|
||||||
using System.Text.RegularExpressions;
|
using System.Text.RegularExpressions;
|
||||||
using System.Threading;
|
using System.Threading;
|
||||||
using System.Timers;
|
using System.Timers;
|
||||||
|
using System.Net;
|
||||||
|
using System.Net.Security;
|
||||||
|
using System.Security.Cryptography.X509Certificates;
|
||||||
using log4net;
|
using log4net;
|
||||||
using log4net.Appender;
|
using log4net.Appender;
|
||||||
using log4net.Core;
|
using log4net.Core;
|
||||||
|
@ -86,6 +89,26 @@ namespace OpenSim.Framework.Servers
|
||||||
m_osSecret = UUID.Random().ToString();
|
m_osSecret = UUID.Random().ToString();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private static bool m_NoVerifyCertChain = false;
|
||||||
|
private static bool m_NoVerifyCertHostname = false;
|
||||||
|
|
||||||
|
public static bool ValidateServerCertificate(
|
||||||
|
object sender,
|
||||||
|
X509Certificate certificate,
|
||||||
|
X509Chain chain,
|
||||||
|
SslPolicyErrors sslPolicyErrors)
|
||||||
|
{
|
||||||
|
if (m_NoVerifyCertChain)
|
||||||
|
sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateChainErrors;
|
||||||
|
|
||||||
|
if (m_NoVerifyCertHostname)
|
||||||
|
sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateNameMismatch;
|
||||||
|
|
||||||
|
if (sslPolicyErrors == SslPolicyErrors.None)
|
||||||
|
return true;
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
/// <summary>
|
/// <summary>
|
||||||
/// Must be overriden by child classes for their own server specific startup behaviour.
|
/// Must be overriden by child classes for their own server specific startup behaviour.
|
||||||
/// </summary>
|
/// </summary>
|
||||||
|
@ -96,6 +119,11 @@ namespace OpenSim.Framework.Servers
|
||||||
RegisterCommonComponents(Config);
|
RegisterCommonComponents(Config);
|
||||||
|
|
||||||
IConfig startupConfig = Config.Configs["Startup"];
|
IConfig startupConfig = Config.Configs["Startup"];
|
||||||
|
|
||||||
|
m_NoVerifyCertChain = startupConfig.GetBoolean("NoVerifyCertChain", m_NoVerifyCertChain);
|
||||||
|
m_NoVerifyCertHostname = startupConfig.GetBoolean("NoVerifyCertHostname", m_NoVerifyCertHostname);
|
||||||
|
ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
|
||||||
|
|
||||||
int logShowStatsSeconds = startupConfig.GetInt("LogShowStatsSeconds", m_periodDiagnosticTimerMS / 1000);
|
int logShowStatsSeconds = startupConfig.GetInt("LogShowStatsSeconds", m_periodDiagnosticTimerMS / 1000);
|
||||||
m_periodDiagnosticTimerMS = logShowStatsSeconds * 1000;
|
m_periodDiagnosticTimerMS = logShowStatsSeconds * 1000;
|
||||||
m_periodicDiagnosticsTimer.Elapsed += new ElapsedEventHandler(LogDiagnostics);
|
m_periodicDiagnosticsTimer.Elapsed += new ElapsedEventHandler(LogDiagnostics);
|
||||||
|
|
|
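Review bot: ValidateServerCertificate (L81–L142) is registered on ServicePointManager at L189, and that hook is process-wide, so clearing RemoteCertificateChainErrors and RemoteCertificateNameMismatch disables those checks for every outbound HTTPS connection the process makes, not only for region peers; with both flags true any certificate is accepted and the remote end is not authenticated, which the commit message says but the code does not document. The false path is also silent, so a rejected peer leaves no trace in the log and a misconfiguration is indistinguishable from an attack. I would add a `<summary>` stating the global scope, log the residual errors before returning false, e.g. `m_log.WarnFormat("[SERVER]: peer certificate rejected: {0}", sslPolicyErrors);` (assuming the class's log4net logger is named m_log; it is outside the hunk), and emit one warning after L185 when either flag is set. If only particular peers need lenient checks, scoping the bypass by the request host (available through `sender` as an HttpWebRequest) or pinning the expected certificate thumbprints would keep the weakening from being global. The enclosing startup method begins and ends outside the hunk.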
@ -79,6 +79,7 @@ namespace OpenSim.Server
|
||||||
// Make sure we don't get outbound connections queueing
|
// Make sure we don't get outbound connections queueing
|
||||||
ServicePointManager.DefaultConnectionLimit = 50;
|
ServicePointManager.DefaultConnectionLimit = 50;
|
||||||
ServicePointManager.UseNagleAlgorithm = false;
|
ServicePointManager.UseNagleAlgorithm = false;
|
||||||
|
ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
|
||||||
|
|
||||||
m_Server = new HttpServerBase("R.O.B.U.S.T.", args);
|
m_Server = new HttpServerBase("R.O.B.U.S.T.", args);
|
||||||
|
|
||||||
|
@ -94,7 +95,6 @@ namespace OpenSim.Server
|
||||||
m_NoVerifyCertChain = serverConfig.GetBoolean("NoVerifyCertChain", m_NoVerifyCertChain);
|
m_NoVerifyCertChain = serverConfig.GetBoolean("NoVerifyCertChain", m_NoVerifyCertChain);
|
||||||
m_NoVerifyCertHostname = serverConfig.GetBoolean("NoVerifyCertHostname", m_NoVerifyCertHostname);
|
m_NoVerifyCertHostname = serverConfig.GetBoolean("NoVerifyCertHostname", m_NoVerifyCertHostname);
|
||||||
|
|
||||||
ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
|
|
||||||
|
|
||||||
string connList = serverConfig.GetString("ServiceConnectors", String.Empty);
|
string connList = serverConfig.GetString("ServiceConnectors", String.Empty);
|
||||||
|
|
||||||
|
|
|
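Review bot: L232 installs the validation callback before the NoVerifyCert* flags are read from serverConfig (L250/L255, where the old assignment is removed), so during HttpServerBase construction on L238 the callback runs with the static field defaults rather than the configured values; that is fine only if nothing in that constructor opens a TLS connection, which I cannot confirm from this hunk. A short comment would make the ordering dependency explicit: `// Installed before config is read: the callback consults m_NoVerifyCert* at call time, so the flags assigned below still apply.` The enclosing method starts outside the hunk.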
@ -296,6 +296,19 @@
|
||||||
; TelehubAllowLandmark = false
|
; TelehubAllowLandmark = false
|
||||||
|
|
||||||
|
|
||||||
|
;; SSL certificate validation options
|
||||||
|
;; used also on contacting other peers that require SSL and we don't
|
||||||
|
;; you should set this to false forcing all peers (like regions) to have valid certificates
|
||||||
|
;; but you can allow selfsigned certificates or no official CA with next option true
|
||||||
|
;# {NoVerifyCertChain} {} {do not verify SSL Cert Chain} {true false} true
|
||||||
|
; NoVerifyCertChain = true
|
||||||
|
|
||||||
|
;; you can also bypass the hostname or domain verification
|
||||||
|
;# {NoVerifyCertHostname} {} {do not verify SSL Cert name versus peer name} {true false} true
|
||||||
|
; NoVerifyCertHostname = true
|
||||||
|
;; having both options true does provide encriptation, but low security
|
||||||
|
;; possible enought for small grids, specially it not comercial
|
||||||
|
|
||||||
[AccessControl]
|
[AccessControl]
|
||||||
;# {AllowedClients} {} {Bar (|) separated list of allowed clients} {}
|
;# {AllowedClients} {} {Bar (|) separated list of allowed clients} {}
|
||||||
;; Bar (|) separated list of viewers which may gain access to the regions.
|
;; Bar (|) separated list of viewers which may gain access to the regions.
|
||||||
|
|
|
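Review bot: The `;#` metadata on L312 and L327 declares `true` as the default for both options, and the commented settings on L316/L331 also show `true`, while the code default is false; a configuration generated from this example therefore disables chain and hostname verification by default, which is the insecure choice and contradicts the advice on L304 ("you should set this to false"). I would mark the default false in both metadata lines, `;# {NoVerifyCertChain} {} {do not verify SSL Cert Chain} {true false} false`, and reword L335–L339 to state the consequence plainly: `;; With both options true the connection is encrypted but the peer is NOT authenticated, so a man-in-the-middle can impersonate any HTTPS peer; acceptable only for small, non-commercial grids.` The comments also carry several spelling errors (encriptation, enought, comercial, selfsigned) that should be fixed while the text is being reworded.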
@ -402,6 +402,19 @@
|
||||||
; default is false
|
; default is false
|
||||||
; TelehubAllowLandmark = false
|
; TelehubAllowLandmark = false
|
||||||
|
|
||||||
|
; #
|
||||||
|
; # SSL certificates validation options
|
||||||
|
; #
|
||||||
|
|
||||||
|
; SSL certificate validation options
|
||||||
|
; used also on contacting other peers that require SSL and we don't
|
||||||
|
; you should set this to false forcing all peers (like regions) to have valid certificates
|
||||||
|
; but you can allow selfsigned certificates or no official CA with next option true
|
||||||
|
; NoVerifyCertChain = true
|
||||||
|
; you can also bypass the hostname or domain verification
|
||||||
|
; NoVerifyCertHostname = true
|
||||||
|
; having both options true does provide encriptation, but low security
|
||||||
|
; possible enought for small grids, specially it not comercial
|
||||||
|
|
||||||
[Map]
|
[Map]
|
||||||
; Map tile options.
|
; Map tile options.
|
||||||
|
|
|
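Review bot: The commentary on L403 tells the operator to keep the option false, but the illustrated values on L411 and L419 are `true`, and the header on L384 ("SSL certificates validation options") is repeated almost verbatim on L395, so the block reads as a draft. I would illustrate the secure value, `; NoVerifyCertChain = false` and `; NoVerifyCertHostname = false`, drop one of the two headers, and state the consequence of enabling both plainly: `; with both true the link is encrypted but the peer is NOT authenticated (man-in-the-middle possible)`. The spelling on L423/L427 (encriptation, enought, comercial) should be corrected as well.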
@ -71,6 +71,7 @@
|
||||||
ConsoleHistoryFileLines = 100
|
ConsoleHistoryFileLines = 100
|
||||||
|
|
||||||
; peers SSL certificate validation options (if using ssl)
|
; peers SSL certificate validation options (if using ssl)
|
||||||
|
; used also on contacting other peers that require SSL and we don't
|
||||||
; you should set this to false forcing all peers (like regions) to have valid certificates
|
; you should set this to false forcing all peers (like regions) to have valid certificates
|
||||||
; but you can allow selfsigned certificates or no official CA with next option true
|
; but you can allow selfsigned certificates or no official CA with next option true
|
||||||
NoVerifyCertChain = true
|
NoVerifyCertChain = true
|
||||||
|
|
|
@ -62,6 +62,16 @@
|
||||||
; How many lines of command history should we keep? (default is 100)
|
; How many lines of command history should we keep? (default is 100)
|
||||||
ConsoleHistoryFileLines = 100
|
ConsoleHistoryFileLines = 100
|
||||||
|
|
||||||
|
; peers SSL certificate validation options
|
||||||
|
; used also on contacting other peers that require SSL and we don't
|
||||||
|
; you should set this to false forcing all peers (like regions) to have valid certificates
|
||||||
|
; but you can allow selfsigned certificates or no official CA with next option true
|
||||||
|
NoVerifyCertChain = true
|
||||||
|
; you can also bypass the hostname or domain verification
|
||||||
|
NoVerifyCertHostname = true
|
||||||
|
; having both options true does provide encriptation, but low security
|
||||||
|
; possible enought for small grids, specially it not comercial
|
||||||
|
|
||||||
[ServiceList]
|
[ServiceList]
|
||||||
AssetServiceConnector = "${Const|PrivatePort}/OpenSim.Server.Handlers.dll:AssetServiceConnector"
|
AssetServiceConnector = "${Const|PrivatePort}/OpenSim.Server.Handlers.dll:AssetServiceConnector"
|
||||||
InventoryInConnector = "${Const|PrivatePort}/OpenSim.Server.Handlers.dll:XInventoryInConnector"
|
InventoryInConnector = "${Const|PrivatePort}/OpenSim.Server.Handlers.dll:XInventoryInConnector"
|
||||||
|
|
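Review bot: L517 and L525 set `NoVerifyCertChain = true` and `NoVerifyCertHostname = true` as live, uncommented values, so a Robust instance configured from this example accepts any certificate from any HTTPS peer it contacts — equivalent to disabling TLS authentication entirely — while the text on L509 recommends the opposite. I would ship them commented out with the secure value, `; NoVerifyCertChain = false` and `; NoVerifyCertHostname = false`, and let operators opt in explicitly. The note on L529 should also say what is lost: `; with both true the link is encrypted but the peer is NOT authenticated (man-in-the-middle possible)`.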