OpenSim
/
OpenSimMirror
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

add SSL certs validation options for regions to allow simple encriptation without any peer autentification using simple homemade (or even shared) certs.

httptests
UbitUmarov 2016-12-07 13:30:07 +00:00
parent 049dd374e9
commit 3a81642d97
6 changed files with 68 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
OpenSim/Framework/Servers/BaseOpenSimServer.cs
View File

@ -33,6 +33,9 @@ using System.Text;
using System.Text.RegularExpressions;
using System.Threading;
using System.Timers;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using log4net;
using log4net.Appender;
using log4net.Core;
@ -86,6 +89,26 @@ namespace OpenSim.Framework.Servers
m_osSecret = UUID.Random().ToString();
}
private static bool m_NoVerifyCertChain = false;
private static bool m_NoVerifyCertHostname = false;
public static bool ValidateServerCertificate(
object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
if (m_NoVerifyCertChain)
sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateChainErrors;
if (m_NoVerifyCertHostname)
sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateNameMismatch;
if (sslPolicyErrors == SslPolicyErrors.None)
return true;
return false;
}
/// <summary>
/// Must be overriden by child classes for their own server specific startup behaviour.
/// </summary>
@ -96,6 +119,11 @@ namespace OpenSim.Framework.Servers
RegisterCommonComponents(Config);
IConfig startupConfig = Config.Configs["Startup"];
m_NoVerifyCertChain = startupConfig.GetBoolean("NoVerifyCertChain", m_NoVerifyCertChain);
m_NoVerifyCertHostname = startupConfig.GetBoolean("NoVerifyCertHostname", m_NoVerifyCertHostname);
ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
int logShowStatsSeconds = startupConfig.GetInt("LogShowStatsSeconds", m_periodDiagnosticTimerMS / 1000);
m_periodDiagnosticTimerMS = logShowStatsSeconds * 1000;
m_periodicDiagnosticsTimer.Elapsed += new ElapsedEventHandler(LogDiagnostics);

2
OpenSim/Server/ServerMain.cs
View File

@ -79,6 +79,7 @@ namespace OpenSim.Server
// Make sure we don't get outbound connections queueing
ServicePointManager.DefaultConnectionLimit = 50;
ServicePointManager.UseNagleAlgorithm = false;
ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
m_Server = new HttpServerBase("R.O.B.U.S.T.", args);
@ -94,7 +95,6 @@ namespace OpenSim.Server
m_NoVerifyCertChain = serverConfig.GetBoolean("NoVerifyCertChain", m_NoVerifyCertChain);
m_NoVerifyCertHostname = serverConfig.GetBoolean("NoVerifyCertHostname", m_NoVerifyCertHostname);
ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
string connList = serverConfig.GetString("ServiceConnectors", String.Empty);

13
bin/OpenSim.ini.example
View File

@ -296,6 +296,19 @@
; TelehubAllowLandmark = false
;; SSL certificate validation options
;; used also on contacting other peers that require SSL and we don't
;; you should set this to false forcing all peers (like regions) to have valid certificates
;; but you can allow selfsigned certificates or no official CA with next option true
;# {NoVerifyCertChain} {} {do not verify SSL Cert Chain} {true false} true
; NoVerifyCertChain = true
;; you can also bypass the hostname or domain verification
;# {NoVerifyCertHostname} {} {do not verify SSL Cert name versus peer name} {true false} true
; NoVerifyCertHostname = true
;; having both options true does provide encriptation, but low security
;; possible enought for small grids, specially it not comercial
[AccessControl]
;# {AllowedClients} {} {Bar (|) separated list of allowed clients} {}
;; Bar (|) separated list of viewers which may gain access to the regions.

13
bin/OpenSimDefaults.ini
View File

@ -402,6 +402,19 @@
; default is false
; TelehubAllowLandmark = false
; #
; # SSL certificates validation options
; #
; SSL certificate validation options
; used also on contacting other peers that require SSL and we don't
; you should set this to false forcing all peers (like regions) to have valid certificates
; but you can allow selfsigned certificates or no official CA with next option true
; NoVerifyCertChain = true
; you can also bypass the hostname or domain verification
; NoVerifyCertHostname = true
; having both options true does provide encriptation, but low security
; possible enought for small grids, specially it not comercial
[Map]
; Map tile options.

1
bin/Robust.HG.ini.example
View File

@ -71,6 +71,7 @@
ConsoleHistoryFileLines = 100
; peers SSL certificate validation options (if using ssl)
; used also on contacting other peers that require SSL and we don't
; you should set this to false forcing all peers (like regions) to have valid certificates
; but you can allow selfsigned certificates or no official CA with next option true
NoVerifyCertChain = true

10
bin/Robust.ini.example
View File

@ -62,6 +62,16 @@
; How many lines of command history should we keep? (default is 100)
ConsoleHistoryFileLines = 100
; peers SSL certificate validation options
; used also on contacting other peers that require SSL and we don't
; you should set this to false forcing all peers (like regions) to have valid certificates
; but you can allow selfsigned certificates or no official CA with next option true
NoVerifyCertChain = true
; you can also bypass the hostname or domain verification
NoVerifyCertHostname = true
; having both options true does provide encriptation, but low security
; possible enought for small grids, specially it not comercial
[ServiceList]
AssetServiceConnector = "${Const|PrivatePort}/OpenSim.Server.Handlers.dll:AssetServiceConnector"
InventoryInConnector = "${Const|PrivatePort}/OpenSim.Server.Handlers.dll:XInventoryInConnector"