add SSL certs validation options for regions to allow simple encriptation without any peer autentification using simple homemade (or even shared) certs.

httptests
UbitUmarov 2016-12-07 13:30:07 +00:00
parent 049dd374e9
commit 3a81642d97
6 changed files with 68 additions and 3 deletions

View File

@ -33,6 +33,9 @@ using System.Text;
using System.Text.RegularExpressions; using System.Text.RegularExpressions;
using System.Threading; using System.Threading;
using System.Timers; using System.Timers;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using log4net; using log4net;
using log4net.Appender; using log4net.Appender;
using log4net.Core; using log4net.Core;
@ -85,7 +88,27 @@ namespace OpenSim.Framework.Servers
// Random uuid for private data // Random uuid for private data
m_osSecret = UUID.Random().ToString(); m_osSecret = UUID.Random().ToString();
} }
private static bool m_NoVerifyCertChain = false;
private static bool m_NoVerifyCertHostname = false;
public static bool ValidateServerCertificate(
object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
if (m_NoVerifyCertChain)
sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateChainErrors;
if (m_NoVerifyCertHostname)
sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateNameMismatch;
if (sslPolicyErrors == SslPolicyErrors.None)
return true;
return false;
}
/// <summary> /// <summary>
/// Must be overriden by child classes for their own server specific startup behaviour. /// Must be overriden by child classes for their own server specific startup behaviour.
/// </summary> /// </summary>
@ -96,6 +119,11 @@ namespace OpenSim.Framework.Servers
RegisterCommonComponents(Config); RegisterCommonComponents(Config);
IConfig startupConfig = Config.Configs["Startup"]; IConfig startupConfig = Config.Configs["Startup"];
m_NoVerifyCertChain = startupConfig.GetBoolean("NoVerifyCertChain", m_NoVerifyCertChain);
m_NoVerifyCertHostname = startupConfig.GetBoolean("NoVerifyCertHostname", m_NoVerifyCertHostname);
ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
int logShowStatsSeconds = startupConfig.GetInt("LogShowStatsSeconds", m_periodDiagnosticTimerMS / 1000); int logShowStatsSeconds = startupConfig.GetInt("LogShowStatsSeconds", m_periodDiagnosticTimerMS / 1000);
m_periodDiagnosticTimerMS = logShowStatsSeconds * 1000; m_periodDiagnosticTimerMS = logShowStatsSeconds * 1000;
m_periodicDiagnosticsTimer.Elapsed += new ElapsedEventHandler(LogDiagnostics); m_periodicDiagnosticsTimer.Elapsed += new ElapsedEventHandler(LogDiagnostics);

View File

@ -79,6 +79,7 @@ namespace OpenSim.Server
// Make sure we don't get outbound connections queueing // Make sure we don't get outbound connections queueing
ServicePointManager.DefaultConnectionLimit = 50; ServicePointManager.DefaultConnectionLimit = 50;
ServicePointManager.UseNagleAlgorithm = false; ServicePointManager.UseNagleAlgorithm = false;
ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
m_Server = new HttpServerBase("R.O.B.U.S.T.", args); m_Server = new HttpServerBase("R.O.B.U.S.T.", args);
@ -94,7 +95,6 @@ namespace OpenSim.Server
m_NoVerifyCertChain = serverConfig.GetBoolean("NoVerifyCertChain", m_NoVerifyCertChain); m_NoVerifyCertChain = serverConfig.GetBoolean("NoVerifyCertChain", m_NoVerifyCertChain);
m_NoVerifyCertHostname = serverConfig.GetBoolean("NoVerifyCertHostname", m_NoVerifyCertHostname); m_NoVerifyCertHostname = serverConfig.GetBoolean("NoVerifyCertHostname", m_NoVerifyCertHostname);
ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
string connList = serverConfig.GetString("ServiceConnectors", String.Empty); string connList = serverConfig.GetString("ServiceConnectors", String.Empty);

View File

@ -295,6 +295,19 @@
;; default is false ;; default is false
; TelehubAllowLandmark = false ; TelehubAllowLandmark = false
;; SSL certificate validation options
;; used also on contacting other peers that require SSL and we don't
;; you should set this to false forcing all peers (like regions) to have valid certificates
;; but you can allow selfsigned certificates or no official CA with next option true
;# {NoVerifyCertChain} {} {do not verify SSL Cert Chain} {true false} true
; NoVerifyCertChain = true
;; you can also bypass the hostname or domain verification
;# {NoVerifyCertHostname} {} {do not verify SSL Cert name versus peer name} {true false} true
; NoVerifyCertHostname = true
;; having both options true does provide encriptation, but low security
;; possible enought for small grids, specially it not comercial
[AccessControl] [AccessControl]
;# {AllowedClients} {} {Bar (|) separated list of allowed clients} {} ;# {AllowedClients} {} {Bar (|) separated list of allowed clients} {}

View File

@ -401,7 +401,20 @@
; routing and land at the landmark coordinates when set to true ; routing and land at the landmark coordinates when set to true
; default is false ; default is false
; TelehubAllowLandmark = false ; TelehubAllowLandmark = false
; #
; # SSL certificates validation options
; #
; SSL certificate validation options
; used also on contacting other peers that require SSL and we don't
; you should set this to false forcing all peers (like regions) to have valid certificates
; but you can allow selfsigned certificates or no official CA with next option true
; NoVerifyCertChain = true
; you can also bypass the hostname or domain verification
; NoVerifyCertHostname = true
; having both options true does provide encriptation, but low security
; possible enought for small grids, specially it not comercial
[Map] [Map]
; Map tile options. ; Map tile options.

View File

@ -71,6 +71,7 @@
ConsoleHistoryFileLines = 100 ConsoleHistoryFileLines = 100
; peers SSL certificate validation options (if using ssl) ; peers SSL certificate validation options (if using ssl)
; used also on contacting other peers that require SSL and we don't
; you should set this to false forcing all peers (like regions) to have valid certificates ; you should set this to false forcing all peers (like regions) to have valid certificates
; but you can allow selfsigned certificates or no official CA with next option true ; but you can allow selfsigned certificates or no official CA with next option true
NoVerifyCertChain = true NoVerifyCertChain = true

View File

@ -61,6 +61,16 @@
; How many lines of command history should we keep? (default is 100) ; How many lines of command history should we keep? (default is 100)
ConsoleHistoryFileLines = 100 ConsoleHistoryFileLines = 100
; peers SSL certificate validation options
; used also on contacting other peers that require SSL and we don't
; you should set this to false forcing all peers (like regions) to have valid certificates
; but you can allow selfsigned certificates or no official CA with next option true
NoVerifyCertChain = true
; you can also bypass the hostname or domain verification
NoVerifyCertHostname = true
; having both options true does provide encriptation, but low security
; possible enought for small grids, specially it not comercial
[ServiceList] [ServiceList]
AssetServiceConnector = "${Const|PrivatePort}/OpenSim.Server.Handlers.dll:AssetServiceConnector" AssetServiceConnector = "${Const|PrivatePort}/OpenSim.Server.Handlers.dll:AssetServiceConnector"