diff --git a/OpenSim/Framework/NetworkServersInfo.cs b/OpenSim/Framework/NetworkServersInfo.cs index 43ec11ee18..9f3014d0d2 100644 --- a/OpenSim/Framework/NetworkServersInfo.cs +++ b/OpenSim/Framework/NetworkServersInfo.cs @@ -49,6 +49,9 @@ namespace OpenSim.Framework public string UserRecvKey = String.Empty; public string UserSendKey = String.Empty; public string UserURL = String.Empty; + public bool HttpUsesSSL = false; + public string HttpSSLCN = ""; + public uint httpSSLPort = 9001; public NetworkServersInfo() @@ -78,6 +81,10 @@ namespace OpenSim.Framework HttpListenerPort = (uint) config.Configs["Network"].GetInt("http_listener_port", (int) DefaultHttpListenerPort); + httpSSLPort = + (uint)config.Configs["Network"].GetInt("http_listener_sslport", ((int)DefaultHttpListenerPort+1)); + HttpUsesSSL = config.Configs["Network"].GetBoolean("http_listener_ssl", false); + HttpSSLCN = config.Configs["Network"].GetString("http_listener_cn", ""); RemotingListenerPort = (uint) config.Configs["Network"].GetInt("remoting_listener_port", (int) RemotingListenerPort); GridURL = diff --git a/OpenSim/Framework/Servers/BaseHttpServer.cs b/OpenSim/Framework/Servers/BaseHttpServer.cs index 181eb927c6..6cf6744387 100644 --- a/OpenSim/Framework/Servers/BaseHttpServer.cs +++ b/OpenSim/Framework/Servers/BaseHttpServer.cs @@ -26,12 +26,14 @@ */ using System; +using System.Diagnostics; using System.Collections; using System.Collections.Generic; using System.IO; using System.Net; using System.Net.Sockets; using System.Reflection; +using System.Security.Cryptography.X509Certificates; using System.Text; using System.Threading; using System.Xml; @@ -39,6 +41,7 @@ using OpenMetaverse.StructuredData; using log4net; using Nwc.XmlRpc; + namespace OpenSim.Framework.Servers { public class BaseHttpServer 
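Review bot: The SSL port gets two different defaults in this file: the field initializer sets `httpSSLPort = 9001` while the config read falls back to `(int)DefaultHttpListenerPort+1`, so if `DefaultHttpListenerPort` is ever not 9000 the two disagree; initialize the field from the same expression (or drop the literal) so there is a single source of truth. The new names are also inconsistent with the surrounding public fields — `HttpUsesSSL` and `HttpSSLCN` are PascalCase but `httpSSLPort` is camelCase; renaming it `HttpSSLPort` would match `HttpListenerPort` (the caller in RegionApplicationBase in this same commit would need the same rename). As with the existing lines, `config.Configs["Network"]` is dereferenced on each of the three added lines without a null check, so a missing `[Network]` section fails with a NullReferenceException rather than a clear configuration error.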
@@ -55,9 +58,14 @@ namespace OpenSim.Framework.Servers protected Dictionary m_agentHandlers = new Dictionary(); protected uint m_port; + protected uint m_sslport; protected bool m_ssl = false; protected bool m_firstcaps = true; + public uint SSLPort + { + get { return m_sslport; } + } public uint Port { get { return m_port; } 
@@ -72,8 +80,124 @@ namespace OpenSim.Framework.Servers { m_ssl = ssl; m_port = port; + } + public BaseHttpServer(uint port, bool ssl, uint sslport, string CN) + { + m_ssl = ssl; + m_port = port; + if (m_ssl) + { + bool result = SetupSsl((int)sslport, CN); + m_sslport = sslport; + } + } + + + + public bool SetupSsl(int port, string CN) + { + string searchCN = Environment.MachineName.ToUpper(); + + if (CN.Length > 0) + searchCN = CN.ToUpper(); + + Type t = Type.GetType("Mono.Runtime"); + if (t != null) + { + // TODO Mono User Friendly HTTPS setup + // if this doesn't exist, then mono people can still manually use httpcfg + } + else + { + // Windows. + // Search through the store for a certificate with a Common name specified in OpenSim.ini. + // We need to find it's hash so we can pass it to httpcfg + X509Store store = new X509Store(StoreLocation.LocalMachine); + //Use the first cert to configure Ssl + store.Open(OpenFlags.ReadOnly); + //Assumption is we have certs. If not then this call will fail :( + try + { + bool found = false; + //X509Certificate2.CreateFromCertFile("testCert.cer"); + + foreach (X509Certificate2 cert in store.Certificates) + { + String certHash = cert.GetCertHashString(); + //Only install certs issued for the machine and has the name as the machine name + if (cert.Subject.ToUpper().IndexOf(searchCN) >= 0) + { + string httpcfgparams = String.Format("set ssl -i 0.0.0.0:{1} -c \"MY\" -h {0}", certHash, port); + try + { + found = true; + + ExecuteHttpcfgCommand(httpcfgparams); + + break; + } + catch (Exception e) + { + m_log.WarnFormat("[HTTPS]: Automatic HTTPS setup failed. Do you have httpcfg.exe in your path? If not, you can download it in the windowsXP Service Pack 2 Support Tools, here: http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en. 
When you get it installed type, httpcfg {0}", httpcfgparams); + return false; + } + } + } + + if (!found) + { + m_log.WarnFormat("[HTTPS]: We didn't find a certificate that matched the common name {0}. Automatic HTTPS setup failed, you may have certificate errors. To fix this, make sure you generate a certificate request(CSR) using OpenSSL or the IIS snap-in with the common name you specified in opensim.ini. Then get it signed by a certification authority or sign it yourself with OpenSSL and the junkCA. Finally, be sure to import the cert to the 'MY' store(StoreLocation.LocalMachine)", searchCN); + return false; + } + + } + catch (Exception e) + { + m_log.WarnFormat("[HTTPS]: We didn't any certificates in your LocalMachine certificate store. Automatic HTTPS setup failed, you may have certificate errors. To fix this, make sure you generate a certificate request(CSR) using OpenSSL or the IIS snap-inwith the common name you specified in opensim.ini. Then get it signed by a certification authority or sign it yourself with OpenSSL and the junkCA. Finally, be sure to import the cert to the 'MY' store(StoreLocation.LocalMachine). The configured common name is {0}", searchCN); + return false; + } + finally + { + if (store != null) + { + store.Close(); + } + } + } + return true; + } + + private void ExecuteHttpcfgCommand(string p) + { + + string file = "httpcfg"; + + ProcessStartInfo info = new ProcessStartInfo(file, p); + // Redirect output so we can read it. + info.RedirectStandardOutput = true; + // To redirect, we must not use shell execute. + info.UseShellExecute = false; + + // Create and execute the process. + Process httpcfgprocess = Process.Start(info); + httpcfgprocess.Start(); + string result = httpcfgprocess.StandardOutput.ReadToEnd(); + if (result.Contains("HttpSetServiceConfiguration completed with")) + { + //success + + } + else + { + //fail + m_log.WarnFormat("[HTTPS]:Error binding certificate with the requested port. 
Message:{0}", result); + } + + } + + /// /// Add a stream handler to the http server. If the handler already exists, then nothing happens. /// @@ -907,7 +1031,8 @@ namespace OpenSim.Framework.Servers } else { - m_httpListener.Prefixes.Add("https://+:" + m_port + "/"); + m_httpListener.Prefixes.Add("https://+:" + (m_sslport) + "/"); + m_httpListener.Prefixes.Add("http://+:" + m_port + "/"); } m_httpListener.Start(); @@ -921,7 +1046,7 @@ namespace OpenSim.Framework.Servers catch (Exception e) { m_log.Warn("[HTTPD]: Error - " + e.Message); - m_log.Warn("Tip: Do you have permission to listen on port " + m_port + "?"); + m_log.Warn("Tip: Do you have permission to listen on port " + m_port + "," + m_sslport + "?"); } } diff --git a/OpenSim/Region/ClientStack/RegionApplicationBase.cs b/OpenSim/Region/ClientStack/RegionApplicationBase.cs index 8bb35c1992..469c0848f9 100644 --- a/OpenSim/Region/ClientStack/RegionApplicationBase.cs +++ b/OpenSim/Region/ClientStack/RegionApplicationBase.cs @@ -81,7 +81,12 @@ namespace OpenSim.Region.ClientStack Initialize(); - m_httpServer = new BaseHttpServer(m_httpServerPort); + m_httpServer = new BaseHttpServer(m_httpServerPort,m_networkServersInfo.HttpUsesSSL,m_networkServersInfo.httpSSLPort, m_networkServersInfo.HttpSSLCN); + if (m_networkServersInfo.HttpUsesSSL && (m_networkServersInfo.HttpListenerPort == m_networkServersInfo.httpSSLPort)) + { + m_log.Error("[HTTP]: HTTP Server config failed. HTTP Server and HTTPS server must be on different ports"); + } + m_log.Info("[REGION]: Starting HTTP server"); diff --git a/OpenSim/Region/Environment/Modules/InterGrid/OpenGridProtocolModule.cs b/OpenSim/Region/Environment/Modules/InterGrid/OpenGridProtocolModule.cs index 6e37b95a48..68f35e8265 100644 --- a/OpenSim/Region/Environment/Modules/InterGrid/OpenGridProtocolModule.cs +++ b/OpenSim/Region/Environment/Modules/InterGrid/OpenGridProtocolModule.cs 
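Review bot: ExecuteHttpcfgCommand launches httpcfg twice — `Process.Start(info)` already starts it, and the following `httpcfgprocess.Start()` appears to start it again, so the bind is attempted twice and only the second run's output is checked; the Process is also never waited on or disposed. Certificate selection in SetupSsl uses `cert.Subject.ToUpper().IndexOf(searchCN) >= 0`, a culture-sensitive substring test over the whole subject, so any certificate whose DN merely contains the configured text (for example in its O= or OU= attributes) can be bound to the port; compare the CN attribute itself, e.g. `string.Equals(cert.GetNameInfo(X509NameType.SimpleName, false), searchCN, StringComparison.OrdinalIgnoreCase)`. The four-argument constructor discards `result` from SetupSsl and still records `m_sslport`, so a failed setup is only logged and the listener later registers an https prefix with no certificate bound; consider leaving `m_ssl` false when SetupSsl returns false. Resolving the bare name `"httpcfg"` through PATH from the service account is also worth replacing with a configured absolute path. The sketch below only rewrites the process handling; the store search is unchanged.
```csharp
private void ExecuteHttpcfgCommand(string p)
{
    // … unchanged: ProcessStartInfo setup (RedirectStandardOutput, UseShellExecute = false) …
    using (Process httpcfgprocess = Process.Start(info))
    {
        // Read before waiting so a full stdout pipe cannot block the child.
        string result = httpcfgprocess.StandardOutput.ReadToEnd();
        httpcfgprocess.WaitForExit();
        if (!result.Contains("HttpSetServiceConfiguration completed with"))
        {
            m_log.WarnFormat("[HTTPS]:Error binding certificate with the requested port. Message:{0}", result);
        }
    }
}
```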
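Review bot: With `m_ssl` true this branch now registers `"https://+:" + (m_sslport) + "/"`, but `m_sslport` is only assigned in the new four-argument constructor; the existing `BaseHttpServer(uint port, bool ssl)` overload (visible at the top of the previous hunk) sets `m_ssl` and leaves `m_sslport` at its default of 0, so a caller using it ends up with a `https://+:0/` prefix. Either have the two-argument overload derive a port (e.g. `m_sslport = port + 1;` to mirror the config default) or guard here with `if (m_sslport == 0) throw new InvalidOperationException("SSL enabled but no SSL port configured");` so the existing catch logs a clear message. The enclosing method starts and ends outside the hunk.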
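Review bot: The port-collision check runs after `new BaseHttpServer(...)` has already executed SetupSsl, so when the HTTP and HTTPS ports are equal the certificate may already have been bound to the shared port by httpcfg before the error is logged, and startup continues into `HttpListener.Start()` regardless. Move the check above the constructor call and make it effective: `if (m_networkServersInfo.HttpUsesSSL && m_networkServersInfo.HttpListenerPort == m_networkServersInfo.httpSSLPort) { m_log.Error("[HTTP]: HTTP Server config failed. HTTP Server and HTTPS server must be on different ports"); m_networkServersInfo.HttpUsesSSL = false; }` or throw. The comparison also uses `HttpListenerPort` from config while the server is constructed with `m_httpServerPort`; if those can differ, compare against the value actually passed. The enclosing method continues outside the hunk.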
@@ -86,6 +86,9 @@ namespace OpenSim.Region.Environment.Modules.InterGrid private Dictionary m_OGPState = new Dictionary(); private string LastNameSuffix = "_EXTERNAL"; private string FirstNamePrefix = ""; + private string httpsCN = ""; + private bool httpSSL = false; + private uint httpsslport = 0; #region IRegionModule Members @@ -93,6 +96,7 @@ namespace OpenSim.Region.Environment.Modules.InterGrid { bool enabled = false; IConfig cfg = null; + IConfig httpcfg = null; try { cfg = config.Configs["OpenGridProtocol"]; @@ -100,6 +104,16 @@ namespace OpenSim.Region.Environment.Modules.InterGrid { enabled = false; } + + try + { + httpcfg = config.Configs["Network"]; + } + catch (NullReferenceException) + { + + } + if (cfg != null) { enabled = cfg.GetBoolean("ogp_enabled", false); @@ -139,6 +153,20 @@ namespace OpenSim.Region.Environment.Modules.InterGrid } } } + lock (m_scene) + { + if (m_scene.Count == 1) + { + if (httpcfg != null) + { + httpSSL = httpcfg.GetBoolean("http_listener_ssl", false); + httpsCN = httpcfg.GetString("http_listener_cn", scene.RegionInfo.ExternalHostName); + if (httpsCN.Length == 0) + httpsCN = scene.RegionInfo.ExternalHostName; + httpsslport = (uint)httpcfg.GetInt("http_listener_sslport",((int)scene.RegionInfo.HttpPort + 1)); + } + } + } // Of interest to this module potentially //scene.EventManager.OnNewClient += OnNewClient; //scene.EventManager.OnGridInstantMessageToFriendsModule += OnGridInstantMessage; 
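Review bot: The `[Network]` keys are parsed here a second time with defaults that differ from NetworkServersInfo in the same commit — `http_listener_cn` falls back to `scene.RegionInfo.ExternalHostName` here but to `""` there, and the port to `scene.RegionInfo.HttpPort + 1` versus `DefaultHttpListenerPort + 1` — so the URLs this module advertises can disagree with what BaseHttpServer actually listens on when the keys are absent. If the module can reach the shared NetworkServersInfo (or the region info exposes the server's resolved SSL port), read the values from there instead of re-parsing. The `try { httpcfg = config.Configs["Network"]; } catch (NullReferenceException) { }` block in the second hunk mirrors the existing pattern, but if a missing section yields null (as the later `if (httpcfg != null)` assumes) a plain assignment followed by that null check expresses the same intent without catching NullReferenceException. Reading the config only when `m_scene.Count == 1` means these fields reflect whichever scene is added first; presumably intended, but worth a one-line comment.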
@@ -371,14 +399,35 @@ namespace OpenSim.Region.Environment.Modules.InterGrid // Get a reference to the user's cap so we can pull out the Caps Object Path OpenSim.Framework.Communications.Capabilities.Caps userCap = homeScene.GetCapsHandlerForUser(agentData.AgentID); + string rezHttpProtocol = "http://"; + string regionCapsHttpProtocol = "http://"; + string httpaddr = reg.ExternalHostName; + string urlport = reg.HttpPort.ToString(); + + + if (httpSSL) + { + rezHttpProtocol = "https://"; + + urlport = httpsslport.ToString(); + + if (httpsCN.Length > 0) + httpaddr = httpsCN; + } + + + // Be warned that the two following lines assume http not + // https since region caps are not implemented in https currently + // DEPRECIATED - responseMap["seed_capability"] = LLSD.FromString("http://" + reg.ExternalHostName + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/"); + responseMap["seed_capability"] = LLSD.FromString(regionCapsHttpProtocol + httpaddr + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/"); // REPLACEMENT - responseMap["region_seed_capability"] = LLSD.FromString("http://" + reg.ExternalHostName + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/"); + responseMap["region_seed_capability"] = LLSD.FromString(regionCapsHttpProtocol + httpaddr + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/"); + - responseMap["rez_avatar/rez"] = LLSD.FromString("http://" + reg.ExternalHostName + ":" + reg.HttpPort + rezAvatarPath); - responseMap["rez_avatar/derez"] = LLSD.FromString("http://" + reg.ExternalHostName + ":" + reg.HttpPort + derezAvatarPath); + responseMap["rez_avatar/rez"] = LLSD.FromString(rezHttpProtocol + httpaddr + ":" + urlport + rezAvatarPath); + responseMap["rez_avatar/derez"] = LLSD.FromString(rezHttpProtocol + httpaddr + ":" + urlport + derezAvatarPath); // Add the user to the list of CAPS that are outstanding. // well allow the caps hosts in this dictionary 
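Review bot: When `httpSSL` is on, `httpaddr` is swapped to `httpsCN` for every URL, including the `seed_capability`/`region_seed_capability` entries that stay on plain `http://` and `reg.HttpPort`, so region caps are now advertised at the certificate's common name over HTTP. With the shipped `OpenSim.ini.example` default of `http_listener_cn = "localhost"` a remote client would receive `http://localhost:<port>/CAPS/...`, which it cannot reach; keep `reg.ExternalHostName` for the http URLs (e.g. `string capsAddr = reg.ExternalHostName;`) and substitute the CN only into the https ones, or validate that the CN actually resolves to the region host. `regionCapsHttpProtocol` is never reassigned, so it is a constant `"http://"` dressed as a variable; if it is meant as a future toggle, say so in the comment, otherwise inline it. The enclosing method starts and ends outside the hunk.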
diff --git a/bin/OpenSim.ini.example b/bin/OpenSim.ini.example index 28a32cf025..eda5813701 100644 --- a/bin/OpenSim.ini.example +++ b/bin/OpenSim.ini.example @@ -169,6 +169,15 @@ dump_assets_to_file = false http_listener_port = 9000 remoting_listener_port = 8895 +; ssl config: Experimental! The auto https config only really works definately on windows XP now +; you need a Cert Request/Signed pair installed in the MY store with the CN specified below +; you can use https on other platforms, but you'll need to configure the httpapi yourself for now +http_listener_ssl = false ; Also create a SSL server +http_listener_cn = "localhost" ; Use the cert with the common name +http_listener_sslport = 9001 ; Use this port for SSL connections +http_listener_ssl_cert = "" ; Currently unused, but will be used for OSHttpServer + + ; Uncomment below to enable llRemoteData/remote channels ; remoteDataPort = 20800 diff --git a/share/junkCA/CA.crt b/share/junkCA/CA.crt new file mode 100644 index 0000000000..8e2f099206 --- /dev/null +++ b/share/junkCA/CA.crt 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFJzCCBA+gAwIBAgIJAK3s6O4dAEQSMA0GCSqGSIb3DQEBBQUAMIG9MQswCQYD +VQQGEwJVUzEUMBIGA1UECBMLTXVsdGktc3RhdGUxEzARBgNVBAcTCm11bHRpLWNp +dHkxJTAjBgNVBAoTHE9wZW5TaW11bGF0b3IgRGV2IERPTlQgVFJVU1QxEzARBgNV +BAsTCkRPTlQgVFJVU1QxJTAjBgNVBAMTHE9wZW5TaW11bGF0b3IgRGV2IERPTlQg +VFJVU1QxIDAeBgkqhkiG9w0BCQEWEXRlcmF2dXNAZ21haWwuY29tMB4XDTA4MDkx +MjE2MTEwNVoXDTE4MDgxMTE2MTEwNVowgb0xCzAJBgNVBAYTAlVTMRQwEgYDVQQI +EwtNdWx0aS1zdGF0ZTETMBEGA1UEBxMKbXVsdGktY2l0eTElMCMGA1UEChMcT3Bl +blNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDETMBEGA1UECxMKRE9OVCBUUlVTVDEl +MCMGA1UEAxMcT3BlblNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDEgMB4GCSqGSIb3 +DQEJARYRdGVyYXZ1c0BnbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQCwpTIw01Y6Lg7INnmDp9KHLC1p0Udg4Y9Ux232zd2tOTpjF7QnlHIO +GKg8jE6SiaV4NPC9nRqgVCOMa6H7crbr/IrXcTUq0ZYyIG07ZkbUb+4aNNJLh/vq +xHj0kXfRKGxq1QzjmNO7kfCzR4vQudI4F/Hw6HL2vIqRI3sNepn+j3VKCILyTLQP +b0mJi6EfRizqLtIgQwaaMN3AgZWF8rAANNLerzkYLM7+uT5sQYX/sGPi16x/NgFr +UfCI6Ag2Sbufj8VOOp08kDwVZNq7Vr44y+l1gJySPnLMbBrTb/erc+UJv4xgVsRI +opMKP/DG+z3eRbxKcPZ0hpPWJS4JhG0bAgMBAAGjggEmMIIBIjAdBgNVHQ4EFgQU +u0ZSqD+MrxiuSy0IsX5Iye8lHZswgfIGA1UdIwSB6jCB54AUu0ZSqD+MrxiuSy0I +sX5Iye8lHZuhgcOkgcAwgb0xCzAJBgNVBAYTAlVTMRQwEgYDVQQIEwtNdWx0aS1z +dGF0ZTETMBEGA1UEBxMKbXVsdGktY2l0eTElMCMGA1UEChMcT3BlblNpbXVsYXRv +ciBEZXYgRE9OVCBUUlVTVDETMBEGA1UECxMKRE9OVCBUUlVTVDElMCMGA1UEAxMc +T3BlblNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDEgMB4GCSqGSIb3DQEJARYRdGVy +YXZ1c0BnbWFpbC5jb22CCQCt7OjuHQBEEjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3 +DQEBBQUAA4IBAQAaI69OZmjTVcZxtWLASB9nv3WNEOxJW+aBjseUhyM4H9pJ5bkh +MmgiG9JgnBUpNzL3/1EV2Ud8ZCBy7JxhvwWnJMjxJL67US16sKpCLVvNAD2pCZ6f +iaT/qorLYP/yJ7OieYmAh5lZsvG8xJM44ZZyvtYEVBB+qZw1gHkb4hhf3roUCV67 +aHMDRRolWyWm6weid7wTWz38QfRohVWidH9CPwubG7K4zPrDpBJAZV1cKra1YTrM +eje1GuIyHzpIAAYP5z1hgI9p/0oTrWnG7w7Ydkpm9lu50WMt1DScsYnh0MhW/uas +e24cQsvz0m9PZlfAsJQeX6pbqlJppoX+XeVC +-----END CERTIFICATE----- diff --git a/share/junkCA/CA.key b/share/junkCA/CA.key new file mode 100644 index 0000000000..59a7a5e179 
--- /dev/null +++ b/share/junkCA/CA.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAsKUyMNNWOi4OyDZ5g6fShywtadFHYOGPVMdt9s3drTk6Yxe0 +J5RyDhioPIxOkomleDTwvZ0aoFQjjGuh+3K26/yK13E1KtGWMiBtO2ZG1G/uGjTS +S4f76sR49JF30ShsatUM45jTu5Hws0eL0LnSOBfx8Ohy9ryKkSN7DXqZ/o91SgiC +8ky0D29JiYuhH0Ys6i7SIEMGmjDdwIGVhfKwADTS3q85GCzO/rk+bEGF/7Bj4tes +fzYBa1HwiOgINkm7n4/FTjqdPJA8FWTau1a+OMvpdYCckj5yzGwa02/3q3PlCb+M +YFbESKKTCj/wxvs93kW8SnD2dIaT1iUuCYRtGwIDAQABAoIBAFNoXU+iqodkMgSl +fDEHMCg1WugpMjvzpXsRg8HSqQZfDEu36I/7zvMK/30/fuZAakpdLQNLSERGFlb6 +h4y0ON0q7OAXi1RBjFr05r7yZyVuCI6FPHr/pZrP1JEekuXG4ZJ8MM7S3b8mhPIS +KVmQNEvaOppXF9mbYw5vI25U4pvIljfAKZxkeU7aHb9asrnuBOwLjFRtLDTo13Nc +dHTT3X+G+74mU8rYTV3njAmh9iE+PmDlc2mJckS/0TqpJbZgFueCCBIK5iJSc7lO ++DFFgRcouvnCdZW9fp6/8Hz4FGa2TX6jsYj/H1dGWELioUOoBwkdqFP9JaBvd7ni +Nx2PObkCgYEA31rYJJ5jUiosf1I894MuEg2HWosXd0pVAPW3QjHdx7oiVUBRS5ZB +YAOy5zeleLckfWKJiE4z/5CMdsEM/Q9F0X2xg3TDhxUM7A4px0AXAsbyJT7AcE0O +kZBZjhluIF8O3Lic/LqzT39KgG35zvvd+H42Je1WvsCLSREL1MQDwCUCgYEAynak +x41uazl5UaDwL+mahIVW+n/Bko3e9BhD7ZRkLI2+R7y180Fw7dMmnxG/jVw7hotk +Ylx3Oa+JjnEplxTd1TShnP1aQ0nhnxnhS9EbIW8SjsazeK8V8zezJ54uZziVedgg +x/ISvQM0yPbvkrSo4mQEjl3q4DjmIyg5Nx+cVD8CgYBGD0vPKLOE2V+9zED9bnNs +DDxRxWFl9LX3KBwEsnmbpaIRVaxqZkY5ZM+gQU8xL1lNzzPOwqEC4Ad/VIzLcBf5 +X1DoKB8Q5yR3gvXN3yeYomjgD+/zCeiw9jNxJD7r/oU97NapW7LVE9t9r4F1UIHO +6V/4w5q7GNBX6fXpFlcK1QKBgQCYNbYP5/4ZUm4otiucea0W7//B94YZndr9+7gl +xqfA7xcca30G0i4KPfINKJSvu6VssyLW59kiXxu1INI5qRBVF2pg0f+oEsUyjYxZ +KW2SJyT2fd+zXT3NShTANiWAqIOHxLpwV0dLHjvy0eKukm9dNABQ376Sr3Qk/jp1 +fKhUlQKBgAj6o2lw0vLOuQmqV08YF/UFWN/TZAcBzDE353fypi16aqY35pYSvUez +64d1anTTwuq5fLGaQlH0XgGor/XbBqgif8eVyTRdfmA/2YQjwMIFyrWyxLpTiuiO +0P6lO4B9NCT2N/gDPomdlOfkA2g063C21CPa43lr8lGx8oaQW95W +-----END RSA PRIVATE KEY----- diff --git a/share/junkCA/CA.srl b/share/junkCA/CA.srl new file mode 100644 index 0000000000..ea34835075 --- /dev/null +++ b/share/junkCA/CA.srl @@ -0,0 +1 @@ +F10DF59AD0EE66E0 
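Review bot: `share/junkCA/CA.key` is an unencrypted RSA private key for a CA whose certificate (`CA.crt` and `CA2.pem`, which share blob `8e2f099206` and are therefore identical copies) users are instructed to append to their client trust store, so anyone with read access to the repository can issue a certificate those clients accept for any host name. Even for a development-only CA this should not ship in the tree; the accompanying text file already contains the commands to generate a CA, so point users at those instead, and drop the duplicate `CA2.pem` if only one copy is needed. The subject string marks it `DONT TRUST`, which helps, but the instructions in this commit tell users to trust it anyway.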
diff --git a/share/junkCA/CA2.pem b/share/junkCA/CA2.pem new file mode 100644 index 0000000000..8e2f099206 --- /dev/null +++ b/share/junkCA/CA2.pem 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFJzCCBA+gAwIBAgIJAK3s6O4dAEQSMA0GCSqGSIb3DQEBBQUAMIG9MQswCQYD +VQQGEwJVUzEUMBIGA1UECBMLTXVsdGktc3RhdGUxEzARBgNVBAcTCm11bHRpLWNp +dHkxJTAjBgNVBAoTHE9wZW5TaW11bGF0b3IgRGV2IERPTlQgVFJVU1QxEzARBgNV +BAsTCkRPTlQgVFJVU1QxJTAjBgNVBAMTHE9wZW5TaW11bGF0b3IgRGV2IERPTlQg +VFJVU1QxIDAeBgkqhkiG9w0BCQEWEXRlcmF2dXNAZ21haWwuY29tMB4XDTA4MDkx +MjE2MTEwNVoXDTE4MDgxMTE2MTEwNVowgb0xCzAJBgNVBAYTAlVTMRQwEgYDVQQI +EwtNdWx0aS1zdGF0ZTETMBEGA1UEBxMKbXVsdGktY2l0eTElMCMGA1UEChMcT3Bl +blNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDETMBEGA1UECxMKRE9OVCBUUlVTVDEl +MCMGA1UEAxMcT3BlblNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDEgMB4GCSqGSIb3 +DQEJARYRdGVyYXZ1c0BnbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQCwpTIw01Y6Lg7INnmDp9KHLC1p0Udg4Y9Ux232zd2tOTpjF7QnlHIO +GKg8jE6SiaV4NPC9nRqgVCOMa6H7crbr/IrXcTUq0ZYyIG07ZkbUb+4aNNJLh/vq +xHj0kXfRKGxq1QzjmNO7kfCzR4vQudI4F/Hw6HL2vIqRI3sNepn+j3VKCILyTLQP +b0mJi6EfRizqLtIgQwaaMN3AgZWF8rAANNLerzkYLM7+uT5sQYX/sGPi16x/NgFr +UfCI6Ag2Sbufj8VOOp08kDwVZNq7Vr44y+l1gJySPnLMbBrTb/erc+UJv4xgVsRI +opMKP/DG+z3eRbxKcPZ0hpPWJS4JhG0bAgMBAAGjggEmMIIBIjAdBgNVHQ4EFgQU +u0ZSqD+MrxiuSy0IsX5Iye8lHZswgfIGA1UdIwSB6jCB54AUu0ZSqD+MrxiuSy0I +sX5Iye8lHZuhgcOkgcAwgb0xCzAJBgNVBAYTAlVTMRQwEgYDVQQIEwtNdWx0aS1z +dGF0ZTETMBEGA1UEBxMKbXVsdGktY2l0eTElMCMGA1UEChMcT3BlblNpbXVsYXRv +ciBEZXYgRE9OVCBUUlVTVDETMBEGA1UECxMKRE9OVCBUUlVTVDElMCMGA1UEAxMc +T3BlblNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDEgMB4GCSqGSIb3DQEJARYRdGVy +YXZ1c0BnbWFpbC5jb22CCQCt7OjuHQBEEjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3 +DQEBBQUAA4IBAQAaI69OZmjTVcZxtWLASB9nv3WNEOxJW+aBjseUhyM4H9pJ5bkh +MmgiG9JgnBUpNzL3/1EV2Ud8ZCBy7JxhvwWnJMjxJL67US16sKpCLVvNAD2pCZ6f +iaT/qorLYP/yJ7OieYmAh5lZsvG8xJM44ZZyvtYEVBB+qZw1gHkb4hhf3roUCV67 +aHMDRRolWyWm6weid7wTWz38QfRohVWidH9CPwubG7K4zPrDpBJAZV1cKra1YTrM +eje1GuIyHzpIAAYP5z1hgI9p/0oTrWnG7w7Ydkpm9lu50WMt1DScsYnh0MhW/uas +e24cQsvz0m9PZlfAsJQeX6pbqlJppoX+XeVC +-----END CERTIFICATE----- 
diff --git a/share/junkCA/Certificate commands OpenSSL.txt b/share/junkCA/Certificate commands OpenSSL.txt new file mode 100644 index 0000000000..0167ee1238 --- /dev/null +++ b/share/junkCA/Certificate commands OpenSSL.txt 
@@ -0,0 +1,82 @@ +To generate a cert request and sign it with the JunkCA + +REMEMBER TO APPEND THE CA2.pem file to the bottom of the app_settings/CA.pem in the Linden client folders or you won't be able to connect! + +Generate a Host Key: + openssl genrsa -out host.key 2048 + +Generate a Certificate signing request with *OpenSSL*: + openssl req -new -nodes -key host.key -out host.csr + When prompted for: 'Common Name (eg, YOUR name) []:', please type the domain name that this certificate will be used on. + +Or you could; + +Generate a Certificate request with the *IIS Snapin*: + Go to Control Panel ---> Administrative tools ---> Internet Information Services + Pick a web site on your server. + right click, choose properties from the context menu + Go to the Directory Security tab + Click On the 'Server Certificate...' button + Click 'Prepare the request now, but send it later' and then follow the wizard. + Be sure to type the common name as the domain name that you will be servicing. www.osgrid.org or whatever server will be using this cert + +Sign the certificate request with the junkCA; +openssl x509 -req -days 3620 -CA CA.crt -CAkey CA.key -CAcreateserial -in host.csr -out signed.cer + +Import it into your MY store on windows. + + If you used OpenSSL to generate the certificate; + openssl pkcs12 -export -in server.crt -inkey server.key.unsecure -out server.pfx -name "My Lovely Cert" + server.crt is the signed cert from the CA. + server.key.unsecure is the *unencrypted* private key. + + You will be asked for a password, set this if you want. + + In Windows, fire up "mmc", add the certificates Snap-in, set it to manage the local computer. Go to personal certificates folder, import server.pfx, enter password if you gave it one earlier. + + In IIS, get it to let you choose from currently installed certs. You should now be able to choose the one you just installed. 
+ + If you used the IIS Snap-in, + Go to Control Panel ---> Administrative tools ---> Internet Information Services + Pick a web site on your server. + right click, choose properties from the context menu + Go to the Directory Security tab + Click On the 'Server Certificate...' button + Choose the radio button that says, 'Assign an existing certificate' + + +Mono, you must use httpcfg in the Mono-1.9.1/lib/mono/2.0 folder. + httpcfg -add -port -pvk -cert MyCert + +After that, make sure to set-up your opensim.ini! + + +OpenSSL can be found: +http://www.slproweb.com/products/Win32OpenSSL.html + +httpcfg.exe for windowsXP can be found: +http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en + +Windows Vista users need to use netsh http! + +--------------------------------------------------- + +Additional notes + +To create your own CA + +openssl genrsa -out yourCA.key 2048 +openssl req -new -key yourCA.key -x509 -days 3620 -out yourCA.crt + +and the final step.. (AND THIS IS IMPORTANT) + +openssl x509 -in CA.crt -out yourCA.pem -outform PEM + +The last step will produce a certificate in the PEM format that you can append to the Linden client's app_settings/CA.pem file +so that it can validate certificates that are generated from your CA. + +One last important thing! + +All users that connect with linden clients +using SSL NEED the pem file you created in that last step appended to theirs, or their client will give them a weird error about +their clock being wrong! diff --git a/share/junkCA/This Folder contains Junk CA files and directions for signing with it. Comply with Export laws! b/share/junkCA/This Folder contains Junk CA files and directions for signing with it. Comply with Export laws! new file mode 100644 index 0000000000..cab724a49b --- /dev/null +++ b/share/junkCA/This Folder contains Junk CA files and directions for signing with it. Comply with Export laws! 
@@ -0,0 +1 @@ +This Folder contains Junk CA files and directions for signing with it. Comply with Export laws! \ No newline at end of file