From b51739e23ecc071a107755c7613ff274f65c3a64 Mon Sep 17 00:00:00 2001
From: UbitUmarov <ajlduarte@sapo.pt>
Date: Thu, 6 Oct 2016 21:35:11 +0100
Subject: [PATCH] recover regions main http server ssl suport. Using a PKCS12
 cert file, and not certs store for now. Option http_listener_cn, cert CN need
 to the same as external IP. Self sign certs do seem to work, but the viewers
 option NoVerifySLLCert needs to be set true. CA check is not done but they do
 check the IP

---
 OpenSim/Framework/NetworkServersInfo.cs       |  4 +++
 .../Servers/HttpServer/BaseHttpServer.cs      | 10 ++++++-
 OpenSim/Region/Application/OpenSimBase.cs     | 26 +++++++++++++++++--
 .../Application/RegionApplicationBase.cs      | 14 ++++++----
 .../Caps/EventQueue/Tests/EventQueueTests.cs  |  2 +-
 .../Shared/Tests/LSL_ApiHttpTests.cs          |  2 +-
 bin/OpenSimDefaults.ini                       | 11 ++++----
 7 files changed, 53 insertions(+), 16 deletions(-)

diff --git a/OpenSim/Framework/NetworkServersInfo.cs b/OpenSim/Framework/NetworkServersInfo.cs
index dfe9695abe..d79eb0dec9 100644
--- a/OpenSim/Framework/NetworkServersInfo.cs
+++ b/OpenSim/Framework/NetworkServersInfo.cs
@@ -37,6 +37,8 @@ namespace OpenSim.Framework
         public bool isSandbox;
         public bool HttpUsesSSL = false;
         public string HttpSSLCN = "";
+        public string HttpSSLCertPath = "";
+        public string HttpSSLCNCertPass = "";
         public uint httpSSLPort = 9001;
 
         // "Out of band" managemnt https
@@ -62,6 +64,8 @@ namespace OpenSim.Framework
                 (uint)config.Configs["Network"].GetInt("http_listener_sslport", ((int)ConfigSettings.DefaultRegionHttpPort+1));
             HttpUsesSSL = config.Configs["Network"].GetBoolean("http_listener_ssl", false);
             HttpSSLCN = config.Configs["Network"].GetString("http_listener_cn", "localhost");
+            HttpSSLCertPath = config.Configs["Network"].GetString("http_listener_cert_path", HttpSSLCertPath);
+            HttpSSLCNCertPass = config.Configs["Network"].GetString("http_listener_cert_pass", HttpSSLCNCertPass);
 
             // "Out of band management https"
             ssl_listener = config.Configs["Network"].GetBoolean("https_listener",false);
diff --git a/OpenSim/Framework/Servers/HttpServer/BaseHttpServer.cs b/OpenSim/Framework/Servers/HttpServer/BaseHttpServer.cs
index c078a730e4..29a8d3fd29 100644
--- a/OpenSim/Framework/Servers/HttpServer/BaseHttpServer.cs
+++ b/OpenSim/Framework/Servers/HttpServer/BaseHttpServer.cs
@@ -153,11 +153,19 @@ namespace OpenSim.Framework.Servers.HttpServer
             m_ssl = ssl;
         }
 
-        public BaseHttpServer(uint port, bool ssl, uint sslport, string CN) : this (port, ssl)
+        public BaseHttpServer(uint port, bool ssl, uint sslport, string CN, string CPath, string CPass) : this (port, ssl)
         {
             if (m_ssl)
             {
+                if(string.IsNullOrEmpty(CPass))
+                    throw new Exception("invalid main http server cert path");
+
                 m_sslport = sslport;
+                m_cert = new X509Certificate2(CPath, CPass);
+                m_SSLCommonName = m_cert.GetNameInfo(X509NameType.SimpleName,false);
+                if(CN != m_SSLCommonName)
+                    throw new Exception("main http server CN does not match cert CN");
+
             }
         }
 
diff --git a/OpenSim/Region/Application/OpenSimBase.cs b/OpenSim/Region/Application/OpenSimBase.cs
index 52ded3d055..62abf8ee6d 100644
--- a/OpenSim/Region/Application/OpenSimBase.cs
+++ b/OpenSim/Region/Application/OpenSimBase.cs
@@ -351,7 +351,18 @@ namespace OpenSim
             if (startupConfig == null || startupConfig.GetBoolean("JobEngineEnabled", true))
                 WorkManager.JobEngine.Start();
 
-            m_httpServerPort = m_networkServersInfo.HttpListenerPort;
+           
+            if(m_networkServersInfo.HttpUsesSSL)
+            {
+                m_httpServerSSL = true;
+                m_httpServerPort = m_networkServersInfo.httpSSLPort;
+            }
+            else
+            {
+                m_httpServerSSL = false;
+                m_httpServerPort = m_networkServersInfo.HttpListenerPort;
+            }
+
             SceneManager.OnRestartSim += HandleRestartRegion;
 
             // Only enable the watchdogs when all regions are ready.  Otherwise we get false positives when cpu is
@@ -404,7 +415,18 @@ namespace OpenSim
 
             // set initial ServerURI
             regionInfo.HttpPort = m_httpServerPort;
-            regionInfo.ServerURI = "http://" + regionInfo.ExternalHostName + ":" + regionInfo.HttpPort.ToString() + "/";
+            if(m_httpServerSSL)
+            {
+                if(m_networkServersInfo.HttpSSLCN != regionInfo.ExternalHostName)
+                    throw new Exception("main http cert CN doesn't match region External IP");
+
+                regionInfo.ServerURI = "https://" + regionInfo.ExternalHostName +
+                         ":" + regionInfo.HttpPort.ToString() + "/";
+            }
+            else
+                regionInfo.ServerURI = "http://" + regionInfo.ExternalHostName +
+                         ":" + regionInfo.HttpPort.ToString() + "/";
+
             
             regionInfo.osSecret = m_osSecret;
             
diff --git a/OpenSim/Region/Application/RegionApplicationBase.cs b/OpenSim/Region/Application/RegionApplicationBase.cs
index ba92fd6345..603f139ecb 100644
--- a/OpenSim/Region/Application/RegionApplicationBase.cs
+++ b/OpenSim/Region/Application/RegionApplicationBase.cs
@@ -50,6 +50,7 @@ namespace OpenSim
         protected Dictionary<EndPoint, uint> m_clientCircuits = new Dictionary<EndPoint, uint>();
         protected NetworkServersInfo m_networkServersInfo;
         protected uint m_httpServerPort;
+        protected bool m_httpServerSSL;
         protected ISimulationDataService m_simulationDataService;
         protected IEstateDataService m_estateDataService;
 
@@ -70,15 +71,18 @@ namespace OpenSim
 
             m_httpServer 
                 = new BaseHttpServer(
-                    m_httpServerPort, m_networkServersInfo.HttpUsesSSL, m_networkServersInfo.httpSSLPort, 
-                    m_networkServersInfo.HttpSSLCN);
-            
+                    m_httpServerPort, m_networkServersInfo.HttpUsesSSL,
+                        m_networkServersInfo.httpSSLPort, m_networkServersInfo.HttpSSLCN,
+                        m_networkServersInfo.HttpSSLCertPath, m_networkServersInfo.HttpSSLCNCertPass);
+
+/* why this? we only run one            
             if (m_networkServersInfo.HttpUsesSSL && (m_networkServersInfo.HttpListenerPort == m_networkServersInfo.httpSSLPort))
             {
                 m_log.Error("[REGION SERVER]: HTTP Server config failed.   HTTP Server and HTTPS server must be on different ports");
             }
-
-            m_log.InfoFormat("[REGION SERVER]: Starting HTTP server on port {0}", m_httpServerPort);
+*/
+            m_log.InfoFormat("[REGION SERVER]: Starting HTTP{0} server on port {1}",
+                    m_networkServersInfo.HttpUsesSSL ? "S" : "", m_httpServerPort);
             m_httpServer.Start();
 
             MainServer.AddHttpServer(m_httpServer);
diff --git a/OpenSim/Region/ClientStack/Linden/Caps/EventQueue/Tests/EventQueueTests.cs b/OpenSim/Region/ClientStack/Linden/Caps/EventQueue/Tests/EventQueueTests.cs
index 5eb44520b9..507d9b8eef 100644
--- a/OpenSim/Region/ClientStack/Linden/Caps/EventQueue/Tests/EventQueueTests.cs
+++ b/OpenSim/Region/ClientStack/Linden/Caps/EventQueue/Tests/EventQueueTests.cs
@@ -65,7 +65,7 @@ namespace OpenSim.Region.ClientStack.Linden.Tests
             // variables and the VM is not restarted between tests.
             MainServer.RemoveHttpServer(port);
 
-            BaseHttpServer server = new BaseHttpServer(port, false, sslPort, "");
+            BaseHttpServer server = new BaseHttpServer(port, false, sslPort, "","","");
             MainServer.AddHttpServer(server);
             MainServer.Instance = server;
 
diff --git a/OpenSim/Region/ScriptEngine/Shared/Tests/LSL_ApiHttpTests.cs b/OpenSim/Region/ScriptEngine/Shared/Tests/LSL_ApiHttpTests.cs
index 30dc4cd4ae..1453204111 100644
--- a/OpenSim/Region/ScriptEngine/Shared/Tests/LSL_ApiHttpTests.cs
+++ b/OpenSim/Region/ScriptEngine/Shared/Tests/LSL_ApiHttpTests.cs
@@ -87,7 +87,7 @@ namespace OpenSim.Region.ScriptEngine.Shared.Tests
             uint port = 9999;
             MainServer.RemoveHttpServer(port);
 
-            BaseHttpServer server = new BaseHttpServer(port, false, 0, "");
+            BaseHttpServer server = new BaseHttpServer(port, false, 0, "", "", "");
             MainServer.AddHttpServer(server);
             MainServer.Instance = server;
 
diff --git a/bin/OpenSimDefaults.ini b/bin/OpenSimDefaults.ini
index 47257b23ca..418330ed5d 100644
--- a/bin/OpenSimDefaults.ini
+++ b/bin/OpenSimDefaults.ini
@@ -500,13 +500,12 @@
     http_listener_port = 9000
     console_port = 0
 
-    ; ssl config: Experimental!  The auto https config only really works definately on windows XP now
-    ; you need a Cert Request/Signed pair installed in the MY store with the CN specified below
-    ; you can use https on other platforms, but you'll need to configure the httpapi yourself for now
-    http_listener_ssl = false ; Also create a SSL server
-    http_listener_cn = "localhost" ; Use the cert with the common name
+    ; ssl config: Experimental!
+    http_listener_ssl = false ; if set to true main server is replaced a ssl one
     http_listener_sslport = 9001 ; Use this port for SSL connections
-    http_listener_ssl_cert = "" ; Currently unused, but will be used for OSHttpServer
+    http_listener_cn = "myexternalip" ; // should be the External ip and match the CN on the cert
+    http_listener_cert_path = "mycert.p12" ; path for the cert file
+	http_listener_cert_pass = "mycertpass" ; the cert passwork
 
     ; HTTPS for "Out of band" management applications such as the remote 
     ; admin module