add SSL certs validation options for regions to allow simple encriptation without any peer autentification using simple homemade (or even shared) certs.
parent
049dd374e9
commit
3a81642d97
|
@ -33,6 +33,9 @@ using System.Text;
|
|||
using System.Text.RegularExpressions;
|
||||
using System.Threading;
|
||||
using System.Timers;
|
||||
using System.Net;
|
||||
using System.Net.Security;
|
||||
using System.Security.Cryptography.X509Certificates;
|
||||
using log4net;
|
||||
using log4net.Appender;
|
||||
using log4net.Core;
|
||||
|
@ -85,7 +88,27 @@ namespace OpenSim.Framework.Servers
|
|||
// Random uuid for private data
|
||||
m_osSecret = UUID.Random().ToString();
|
||||
}
|
||||
|
||||
|
||||
private static bool m_NoVerifyCertChain = false;
|
||||
private static bool m_NoVerifyCertHostname = false;
|
||||
|
||||
public static bool ValidateServerCertificate(
|
||||
object sender,
|
||||
X509Certificate certificate,
|
||||
X509Chain chain,
|
||||
SslPolicyErrors sslPolicyErrors)
|
||||
{
|
||||
if (m_NoVerifyCertChain)
|
||||
sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateChainErrors;
|
||||
|
||||
if (m_NoVerifyCertHostname)
|
||||
sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateNameMismatch;
|
||||
|
||||
if (sslPolicyErrors == SslPolicyErrors.None)
|
||||
return true;
|
||||
|
||||
return false;
|
||||
}
|
||||
/// <summary>
|
||||
/// Must be overriden by child classes for their own server specific startup behaviour.
|
||||
/// </summary>
|
||||
|
@ -96,6 +119,11 @@ namespace OpenSim.Framework.Servers
|
|||
RegisterCommonComponents(Config);
|
||||
|
||||
IConfig startupConfig = Config.Configs["Startup"];
|
||||
|
||||
m_NoVerifyCertChain = startupConfig.GetBoolean("NoVerifyCertChain", m_NoVerifyCertChain);
|
||||
m_NoVerifyCertHostname = startupConfig.GetBoolean("NoVerifyCertHostname", m_NoVerifyCertHostname);
|
||||
ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
|
||||
|
||||
int logShowStatsSeconds = startupConfig.GetInt("LogShowStatsSeconds", m_periodDiagnosticTimerMS / 1000);
|
||||
m_periodDiagnosticTimerMS = logShowStatsSeconds * 1000;
|
||||
m_periodicDiagnosticsTimer.Elapsed += new ElapsedEventHandler(LogDiagnostics);
|
||||
|
|
|
@ -79,6 +79,7 @@ namespace OpenSim.Server
|
|||
// Make sure we don't get outbound connections queueing
|
||||
ServicePointManager.DefaultConnectionLimit = 50;
|
||||
ServicePointManager.UseNagleAlgorithm = false;
|
||||
ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
|
||||
|
||||
m_Server = new HttpServerBase("R.O.B.U.S.T.", args);
|
||||
|
||||
|
@ -94,7 +95,6 @@ namespace OpenSim.Server
|
|||
m_NoVerifyCertChain = serverConfig.GetBoolean("NoVerifyCertChain", m_NoVerifyCertChain);
|
||||
m_NoVerifyCertHostname = serverConfig.GetBoolean("NoVerifyCertHostname", m_NoVerifyCertHostname);
|
||||
|
||||
ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
|
||||
|
||||
string connList = serverConfig.GetString("ServiceConnectors", String.Empty);
|
||||
|
||||
|
|
|
@ -295,6 +295,19 @@
|
|||
;; default is false
|
||||
; TelehubAllowLandmark = false
|
||||
|
||||
|
||||
;; SSL certificate validation options
|
||||
;; used also on contacting other peers that require SSL and we don't
|
||||
;; you should set this to false forcing all peers (like regions) to have valid certificates
|
||||
;; but you can allow selfsigned certificates or no official CA with next option true
|
||||
;# {NoVerifyCertChain} {} {do not verify SSL Cert Chain} {true false} true
|
||||
; NoVerifyCertChain = true
|
||||
|
||||
;; you can also bypass the hostname or domain verification
|
||||
;# {NoVerifyCertHostname} {} {do not verify SSL Cert name versus peer name} {true false} true
|
||||
; NoVerifyCertHostname = true
|
||||
;; having both options true does provide encriptation, but low security
|
||||
;; possible enought for small grids, specially it not comercial
|
||||
|
||||
[AccessControl]
|
||||
;# {AllowedClients} {} {Bar (|) separated list of allowed clients} {}
|
||||
|
|
|
@ -401,7 +401,20 @@
|
|||
; routing and land at the landmark coordinates when set to true
|
||||
; default is false
|
||||
; TelehubAllowLandmark = false
|
||||
|
||||
|
||||
; #
|
||||
; # SSL certificates validation options
|
||||
; #
|
||||
|
||||
; SSL certificate validation options
|
||||
; used also on contacting other peers that require SSL and we don't
|
||||
; you should set this to false forcing all peers (like regions) to have valid certificates
|
||||
; but you can allow selfsigned certificates or no official CA with next option true
|
||||
; NoVerifyCertChain = true
|
||||
; you can also bypass the hostname or domain verification
|
||||
; NoVerifyCertHostname = true
|
||||
; having both options true does provide encriptation, but low security
|
||||
; possible enought for small grids, specially it not comercial
|
||||
|
||||
[Map]
|
||||
; Map tile options.
|
||||
|
|
|
@ -71,6 +71,7 @@
|
|||
ConsoleHistoryFileLines = 100
|
||||
|
||||
; peers SSL certificate validation options (if using ssl)
|
||||
; used also on contacting other peers that require SSL and we don't
|
||||
; you should set this to false forcing all peers (like regions) to have valid certificates
|
||||
; but you can allow selfsigned certificates or no official CA with next option true
|
||||
NoVerifyCertChain = true
|
||||
|
|
|
@ -61,6 +61,16 @@
|
|||
|
||||
; How many lines of command history should we keep? (default is 100)
|
||||
ConsoleHistoryFileLines = 100
|
||||
|
||||
; peers SSL certificate validation options
|
||||
; used also on contacting other peers that require SSL and we don't
|
||||
; you should set this to false forcing all peers (like regions) to have valid certificates
|
||||
; but you can allow selfsigned certificates or no official CA with next option true
|
||||
NoVerifyCertChain = true
|
||||
; you can also bypass the hostname or domain verification
|
||||
NoVerifyCertHostname = true
|
||||
; having both options true does provide encriptation, but low security
|
||||
; possible enought for small grids, specially it not comercial
|
||||
|
||||
[ServiceList]
|
||||
AssetServiceConnector = "${Const|PrivatePort}/OpenSim.Server.Handlers.dll:AssetServiceConnector"
|
||||
|
|
Loading…
Reference in New Issue