recover regions main http server ssl suport. Using a PKCS12 cert file, and not certs store for now. Option http_listener_cn, cert CN need to the same as external IP. Self sign certs do seem to work, but the viewers option NoVerifySLLCert needs to be set true. CA check is not done but they do check the IP

httptests
UbitUmarov 2016-10-06 21:35:11 +01:00
parent db1e75b0ac
commit b51739e23e
7 changed files with 53 additions and 16 deletions

View File

@ -37,6 +37,8 @@ namespace OpenSim.Framework
public bool isSandbox;
public bool HttpUsesSSL = false;
public string HttpSSLCN = "";
public string HttpSSLCertPath = "";
public string HttpSSLCNCertPass = "";
public uint httpSSLPort = 9001;
// "Out of band" managemnt https
@ -62,6 +64,8 @@ namespace OpenSim.Framework
(uint)config.Configs["Network"].GetInt("http_listener_sslport", ((int)ConfigSettings.DefaultRegionHttpPort+1));
HttpUsesSSL = config.Configs["Network"].GetBoolean("http_listener_ssl", false);
HttpSSLCN = config.Configs["Network"].GetString("http_listener_cn", "localhost");
HttpSSLCertPath = config.Configs["Network"].GetString("http_listener_cert_path", HttpSSLCertPath);
HttpSSLCNCertPass = config.Configs["Network"].GetString("http_listener_cert_pass", HttpSSLCNCertPass);
// "Out of band management https"
ssl_listener = config.Configs["Network"].GetBoolean("https_listener",false);

View File

@ -153,11 +153,19 @@ namespace OpenSim.Framework.Servers.HttpServer
m_ssl = ssl;
}
public BaseHttpServer(uint port, bool ssl, uint sslport, string CN) : this (port, ssl)
public BaseHttpServer(uint port, bool ssl, uint sslport, string CN, string CPath, string CPass) : this (port, ssl)
{
if (m_ssl)
{
if(string.IsNullOrEmpty(CPass))
throw new Exception("invalid main http server cert path");
m_sslport = sslport;
m_cert = new X509Certificate2(CPath, CPass);
m_SSLCommonName = m_cert.GetNameInfo(X509NameType.SimpleName,false);
if(CN != m_SSLCommonName)
throw new Exception("main http server CN does not match cert CN");
}
}

View File

@ -351,7 +351,18 @@ namespace OpenSim
if (startupConfig == null || startupConfig.GetBoolean("JobEngineEnabled", true))
WorkManager.JobEngine.Start();
m_httpServerPort = m_networkServersInfo.HttpListenerPort;
if(m_networkServersInfo.HttpUsesSSL)
{
m_httpServerSSL = true;
m_httpServerPort = m_networkServersInfo.httpSSLPort;
}
else
{
m_httpServerSSL = false;
m_httpServerPort = m_networkServersInfo.HttpListenerPort;
}
SceneManager.OnRestartSim += HandleRestartRegion;
// Only enable the watchdogs when all regions are ready. Otherwise we get false positives when cpu is
@ -404,7 +415,18 @@ namespace OpenSim
// set initial ServerURI
regionInfo.HttpPort = m_httpServerPort;
regionInfo.ServerURI = "http://" + regionInfo.ExternalHostName + ":" + regionInfo.HttpPort.ToString() + "/";
if(m_httpServerSSL)
{
if(m_networkServersInfo.HttpSSLCN != regionInfo.ExternalHostName)
throw new Exception("main http cert CN doesn't match region External IP");
regionInfo.ServerURI = "https://" + regionInfo.ExternalHostName +
":" + regionInfo.HttpPort.ToString() + "/";
}
else
regionInfo.ServerURI = "http://" + regionInfo.ExternalHostName +
":" + regionInfo.HttpPort.ToString() + "/";
regionInfo.osSecret = m_osSecret;

View File

@ -50,6 +50,7 @@ namespace OpenSim
protected Dictionary<EndPoint, uint> m_clientCircuits = new Dictionary<EndPoint, uint>();
protected NetworkServersInfo m_networkServersInfo;
protected uint m_httpServerPort;
protected bool m_httpServerSSL;
protected ISimulationDataService m_simulationDataService;
protected IEstateDataService m_estateDataService;
@ -70,15 +71,18 @@ namespace OpenSim
m_httpServer
= new BaseHttpServer(
m_httpServerPort, m_networkServersInfo.HttpUsesSSL, m_networkServersInfo.httpSSLPort,
m_networkServersInfo.HttpSSLCN);
m_httpServerPort, m_networkServersInfo.HttpUsesSSL,
m_networkServersInfo.httpSSLPort, m_networkServersInfo.HttpSSLCN,
m_networkServersInfo.HttpSSLCertPath, m_networkServersInfo.HttpSSLCNCertPass);
/* why this? we only run one
if (m_networkServersInfo.HttpUsesSSL && (m_networkServersInfo.HttpListenerPort == m_networkServersInfo.httpSSLPort))
{
m_log.Error("[REGION SERVER]: HTTP Server config failed. HTTP Server and HTTPS server must be on different ports");
}
m_log.InfoFormat("[REGION SERVER]: Starting HTTP server on port {0}", m_httpServerPort);
*/
m_log.InfoFormat("[REGION SERVER]: Starting HTTP{0} server on port {1}",
m_networkServersInfo.HttpUsesSSL ? "S" : "", m_httpServerPort);
m_httpServer.Start();
MainServer.AddHttpServer(m_httpServer);

View File

@ -65,7 +65,7 @@ namespace OpenSim.Region.ClientStack.Linden.Tests
// variables and the VM is not restarted between tests.
MainServer.RemoveHttpServer(port);
BaseHttpServer server = new BaseHttpServer(port, false, sslPort, "");
BaseHttpServer server = new BaseHttpServer(port, false, sslPort, "","","");
MainServer.AddHttpServer(server);
MainServer.Instance = server;

View File

@ -87,7 +87,7 @@ namespace OpenSim.Region.ScriptEngine.Shared.Tests
uint port = 9999;
MainServer.RemoveHttpServer(port);
BaseHttpServer server = new BaseHttpServer(port, false, 0, "");
BaseHttpServer server = new BaseHttpServer(port, false, 0, "", "", "");
MainServer.AddHttpServer(server);
MainServer.Instance = server;

View File

@ -500,13 +500,12 @@
http_listener_port = 9000
console_port = 0
; ssl config: Experimental! The auto https config only really works definately on windows XP now
; you need a Cert Request/Signed pair installed in the MY store with the CN specified below
; you can use https on other platforms, but you'll need to configure the httpapi yourself for now
http_listener_ssl = false ; Also create a SSL server
http_listener_cn = "localhost" ; Use the cert with the common name
; ssl config: Experimental!
http_listener_ssl = false ; if set to true main server is replaced a ssl one
http_listener_sslport = 9001 ; Use this port for SSL connections
http_listener_ssl_cert = "" ; Currently unused, but will be used for OSHttpServer
http_listener_cn = "myexternalip" ; // should be the External ip and match the CN on the cert
http_listener_cert_path = "mycert.p12" ; path for the cert file
http_listener_cert_pass = "mycertpass" ; the cert passwork
; HTTPS for "Out of band" management applications such as the remote
; admin module