* This update makes configuring SSL a little easier on Windows XP. It also makes it possible to run an HTTPS server on the region. It also has a junk Certification authority for test purposes.
* There are still a lot of things that are hard coded to use http. They need to be fixed. * Also includes directions * A standard junk PEM file to append to app_settings/CA.pem in the client so SSL will work 0.6.0-stable
parent
4ba7ce5981
commit
dbbbec48df
|
@ -49,6 +49,9 @@ namespace OpenSim.Framework
|
||||||
public string UserRecvKey = String.Empty;
|
public string UserRecvKey = String.Empty;
|
||||||
public string UserSendKey = String.Empty;
|
public string UserSendKey = String.Empty;
|
||||||
public string UserURL = String.Empty;
|
public string UserURL = String.Empty;
|
||||||
|
public bool HttpUsesSSL = false;
|
||||||
|
public string HttpSSLCN = "";
|
||||||
|
public uint httpSSLPort = 9001;
|
||||||
|
|
||||||
|
|
||||||
public NetworkServersInfo()
|
public NetworkServersInfo()
|
||||||
|
@ -78,6 +81,10 @@ namespace OpenSim.Framework
|
||||||
|
|
||||||
HttpListenerPort =
|
HttpListenerPort =
|
||||||
(uint) config.Configs["Network"].GetInt("http_listener_port", (int) DefaultHttpListenerPort);
|
(uint) config.Configs["Network"].GetInt("http_listener_port", (int) DefaultHttpListenerPort);
|
||||||
|
httpSSLPort =
|
||||||
|
(uint)config.Configs["Network"].GetInt("http_listener_sslport", ((int)DefaultHttpListenerPort+1));
|
||||||
|
HttpUsesSSL = config.Configs["Network"].GetBoolean("http_listener_ssl", false);
|
||||||
|
HttpSSLCN = config.Configs["Network"].GetString("http_listener_cn", "");
|
||||||
RemotingListenerPort =
|
RemotingListenerPort =
|
||||||
(uint) config.Configs["Network"].GetInt("remoting_listener_port", (int) RemotingListenerPort);
|
(uint) config.Configs["Network"].GetInt("remoting_listener_port", (int) RemotingListenerPort);
|
||||||
GridURL =
|
GridURL =
|
||||||
|
|
|
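Review bot: The new public field `public uint httpSSLPort = 9001;` breaks the casing of its siblings (`HttpUsesSSL`, `HttpSSLCN`, `HttpListenerPort`, `UserURL`), and its `9001` initializer is dead once the constructor hunk assigns `httpSSLPort = (uint)config.Configs["Network"].GetInt("http_listener_sslport", ((int)DefaultHttpListenerPort+1));`, so the two defaults can silently disagree. Rename to `HttpSSLPort` (the two callers added in this commit, the ClientStack constructor call and the InterGrid module, are the only users) and drop the literal, or derive it from `DefaultHttpListenerPort + 1` in one place. `public string HttpSSLCN = "";` would also read better as `String.Empty`, matching the adjacent `UserURL = String.Empty;`. The enclosing class continues outside both hunks.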
@ -26,12 +26,14 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
using System;
|
using System;
|
||||||
|
using System.Diagnostics;
|
||||||
using System.Collections;
|
using System.Collections;
|
||||||
using System.Collections.Generic;
|
using System.Collections.Generic;
|
||||||
using System.IO;
|
using System.IO;
|
||||||
using System.Net;
|
using System.Net;
|
||||||
using System.Net.Sockets;
|
using System.Net.Sockets;
|
||||||
using System.Reflection;
|
using System.Reflection;
|
||||||
|
using System.Security.Cryptography.X509Certificates;
|
||||||
using System.Text;
|
using System.Text;
|
||||||
using System.Threading;
|
using System.Threading;
|
||||||
using System.Xml;
|
using System.Xml;
|
||||||
|
@ -39,6 +41,7 @@ using OpenMetaverse.StructuredData;
|
||||||
using log4net;
|
using log4net;
|
||||||
using Nwc.XmlRpc;
|
using Nwc.XmlRpc;
|
||||||
|
|
||||||
|
|
||||||
namespace OpenSim.Framework.Servers
|
namespace OpenSim.Framework.Servers
|
||||||
{
|
{
|
||||||
public class BaseHttpServer
|
public class BaseHttpServer
|
||||||
|
@ -55,9 +58,14 @@ namespace OpenSim.Framework.Servers
|
||||||
protected Dictionary<string, IHttpAgentHandler> m_agentHandlers = new Dictionary<string, IHttpAgentHandler>();
|
protected Dictionary<string, IHttpAgentHandler> m_agentHandlers = new Dictionary<string, IHttpAgentHandler>();
|
||||||
|
|
||||||
protected uint m_port;
|
protected uint m_port;
|
||||||
|
protected uint m_sslport;
|
||||||
protected bool m_ssl = false;
|
protected bool m_ssl = false;
|
||||||
protected bool m_firstcaps = true;
|
protected bool m_firstcaps = true;
|
||||||
|
|
||||||
|
public uint SSLPort
|
||||||
|
{
|
||||||
|
get { return m_sslport; }
|
||||||
|
}
|
||||||
public uint Port
|
public uint Port
|
||||||
{
|
{
|
||||||
get { return m_port; }
|
get { return m_port; }
|
||||||
|
@ -72,8 +80,124 @@ namespace OpenSim.Framework.Servers
|
||||||
{
|
{
|
||||||
m_ssl = ssl;
|
m_ssl = ssl;
|
||||||
m_port = port;
|
m_port = port;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public BaseHttpServer(uint port, bool ssl, uint sslport, string CN)
|
||||||
|
{
|
||||||
|
m_ssl = ssl;
|
||||||
|
m_port = port;
|
||||||
|
if (m_ssl)
|
||||||
|
{
|
||||||
|
bool result = SetupSsl((int)sslport, CN);
|
||||||
|
m_sslport = sslport;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
public bool SetupSsl(int port, string CN)
|
||||||
|
{
|
||||||
|
string searchCN = Environment.MachineName.ToUpper();
|
||||||
|
|
||||||
|
if (CN.Length > 0)
|
||||||
|
searchCN = CN.ToUpper();
|
||||||
|
|
||||||
|
Type t = Type.GetType("Mono.Runtime");
|
||||||
|
if (t != null)
|
||||||
|
{
|
||||||
|
// TODO Mono User Friendly HTTPS setup
|
||||||
|
// if this doesn't exist, then mono people can still manually use httpcfg
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
// Windows.
|
||||||
|
// Search through the store for a certificate with a Common name specified in OpenSim.ini.
|
||||||
|
// We need to find it's hash so we can pass it to httpcfg
|
||||||
|
X509Store store = new X509Store(StoreLocation.LocalMachine);
|
||||||
|
//Use the first cert to configure Ssl
|
||||||
|
store.Open(OpenFlags.ReadOnly);
|
||||||
|
//Assumption is we have certs. If not then this call will fail :(
|
||||||
|
try
|
||||||
|
{
|
||||||
|
bool found = false;
|
||||||
|
//X509Certificate2.CreateFromCertFile("testCert.cer");
|
||||||
|
|
||||||
|
foreach (X509Certificate2 cert in store.Certificates)
|
||||||
|
{
|
||||||
|
String certHash = cert.GetCertHashString();
|
||||||
|
//Only install certs issued for the machine and has the name as the machine name
|
||||||
|
if (cert.Subject.ToUpper().IndexOf(searchCN) >= 0)
|
||||||
|
{
|
||||||
|
string httpcfgparams = String.Format("set ssl -i 0.0.0.0:{1} -c \"MY\" -h {0}", certHash, port);
|
||||||
|
try
|
||||||
|
{
|
||||||
|
found = true;
|
||||||
|
|
||||||
|
ExecuteHttpcfgCommand(httpcfgparams);
|
||||||
|
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
catch (Exception e)
|
||||||
|
{
|
||||||
|
m_log.WarnFormat("[HTTPS]: Automatic HTTPS setup failed. Do you have httpcfg.exe in your path? If not, you can download it in the windowsXP Service Pack 2 Support Tools, here: http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en. When you get it installed type, httpcfg {0}", httpcfgparams);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!found)
|
||||||
|
{
|
||||||
|
m_log.WarnFormat("[HTTPS]: We didn't find a certificate that matched the common name {0}. Automatic HTTPS setup failed, you may have certificate errors. To fix this, make sure you generate a certificate request(CSR) using OpenSSL or the IIS snap-in with the common name you specified in opensim.ini. Then get it signed by a certification authority or sign it yourself with OpenSSL and the junkCA. Finally, be sure to import the cert to the 'MY' store(StoreLocation.LocalMachine)", searchCN);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
catch (Exception e)
|
||||||
|
{
|
||||||
|
m_log.WarnFormat("[HTTPS]: We didn't any certificates in your LocalMachine certificate store. Automatic HTTPS setup failed, you may have certificate errors. To fix this, make sure you generate a certificate request(CSR) using OpenSSL or the IIS snap-inwith the common name you specified in opensim.ini. Then get it signed by a certification authority or sign it yourself with OpenSSL and the junkCA. Finally, be sure to import the cert to the 'MY' store(StoreLocation.LocalMachine). The configured common name is {0}", searchCN);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
finally
|
||||||
|
{
|
||||||
|
if (store != null)
|
||||||
|
{
|
||||||
|
store.Close();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
private void ExecuteHttpcfgCommand(string p)
|
||||||
|
{
|
||||||
|
|
||||||
|
string file = "httpcfg";
|
||||||
|
|
||||||
|
ProcessStartInfo info = new ProcessStartInfo(file, p);
|
||||||
|
// Redirect output so we can read it.
|
||||||
|
info.RedirectStandardOutput = true;
|
||||||
|
// To redirect, we must not use shell execute.
|
||||||
|
info.UseShellExecute = false;
|
||||||
|
|
||||||
|
// Create and execute the process.
|
||||||
|
Process httpcfgprocess = Process.Start(info);
|
||||||
|
httpcfgprocess.Start();
|
||||||
|
string result = httpcfgprocess.StandardOutput.ReadToEnd();
|
||||||
|
if (result.Contains("HttpSetServiceConfiguration completed with"))
|
||||||
|
{
|
||||||
|
//success
|
||||||
|
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
//fail
|
||||||
|
m_log.WarnFormat("[HTTPS]:Error binding certificate with the requested port. Message:{0}", result);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
/// Add a stream handler to the http server. If the handler already exists, then nothing happens.
|
/// Add a stream handler to the http server. If the handler already exists, then nothing happens.
|
||||||
/// </summary>
|
/// </summary>
|
||||||
|
@ -907,7 +1031,8 @@ namespace OpenSim.Framework.Servers
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
m_httpListener.Prefixes.Add("https://+:" + m_port + "/");
|
m_httpListener.Prefixes.Add("https://+:" + (m_sslport) + "/");
|
||||||
|
m_httpListener.Prefixes.Add("http://+:" + m_port + "/");
|
||||||
}
|
}
|
||||||
m_httpListener.Start();
|
m_httpListener.Start();
|
||||||
|
|
||||||
|
@ -921,7 +1046,7 @@ namespace OpenSim.Framework.Servers
|
||||||
catch (Exception e)
|
catch (Exception e)
|
||||||
{
|
{
|
||||||
m_log.Warn("[HTTPD]: Error - " + e.Message);
|
m_log.Warn("[HTTPD]: Error - " + e.Message);
|
||||||
m_log.Warn("Tip: Do you have permission to listen on port " + m_port + "?");
|
m_log.Warn("Tip: Do you have permission to listen on port " + m_port + "," + m_sslport + "?");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
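Review bot: The certificate lookup in SetupSsl, `if (cert.Subject.ToUpper().IndexOf(searchCN) >= 0)`, is a culture-sensitive substring match over the whole Subject, so any certificate in the LocalMachine store whose subject merely contains the configured name (in an O= or OU= field, or a longer hostname such as `localhost2`) gets bound to the port; compare the CN attribute exactly instead, `if (string.Equals(cert.GetNameInfo(X509NameType.SimpleName, false), searchCN, StringComparison.OrdinalIgnoreCase))`, and drop the `.ToUpper()` calls. In the same hunk ExecuteHttpcfgCommand calls `Process.Start(info)` and then `httpcfgprocess.Start()` on the returned object, which launches httpcfg a second time and never disposes the Process; remove the second call, wrap the first in a `using` block and add `httpcfgprocess.WaitForExit();` after `ReadToEnd()`. The new constructor discards `bool result = SetupSsl((int)sslport, CN);` and sets `m_sslport` regardless, so the listener hunk further down still adds the `https://+:` prefix when no certificate was bound and the only trace is a warning; consider clearing `m_ssl` (or throwing) when SetupSsl returns false, and guard `CN.Length` against a null CN. The `e` in both `catch (Exception e)` blocks of SetupSsl is unused.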
@ -81,7 +81,12 @@ namespace OpenSim.Region.ClientStack
|
||||||
|
|
||||||
Initialize();
|
Initialize();
|
||||||
|
|
||||||
m_httpServer = new BaseHttpServer(m_httpServerPort);
|
m_httpServer = new BaseHttpServer(m_httpServerPort,m_networkServersInfo.HttpUsesSSL,m_networkServersInfo.httpSSLPort, m_networkServersInfo.HttpSSLCN);
|
||||||
|
if (m_networkServersInfo.HttpUsesSSL && (m_networkServersInfo.HttpListenerPort == m_networkServersInfo.httpSSLPort))
|
||||||
|
{
|
||||||
|
m_log.Error("[HTTP]: HTTP Server config failed. HTTP Server and HTTPS server must be on different ports");
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
m_log.Info("[REGION]: Starting HTTP server");
|
m_log.Info("[REGION]: Starting HTTP server");
|
||||||
|
|
||||||
|
|
|
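Review bot: The port-collision check `if (m_networkServersInfo.HttpUsesSSL && (m_networkServersInfo.HttpListenerPort == m_networkServersInfo.httpSSLPort))` runs after `m_httpServer = new BaseHttpServer(...)` has already executed SetupSsl and bound the certificate to that port, and it logs "config failed" yet startup continues, so the listener will later try to register both `http://+:` and `https://+:` prefixes on the same port. Move the check above the constructor call and either fall back to plain HTTP or abort startup, so the log message and the behaviour agree. The constructor call would also read more easily with spaces after the commas, `new BaseHttpServer(m_httpServerPort, m_networkServersInfo.HttpUsesSSL, m_networkServersInfo.httpSSLPort, m_networkServersInfo.HttpSSLCN)`. The enclosing method starts and ends outside the hunk.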
@ -86,6 +86,9 @@ namespace OpenSim.Region.Environment.Modules.InterGrid
|
||||||
private Dictionary<UUID, OGPState> m_OGPState = new Dictionary<UUID, OGPState>();
|
private Dictionary<UUID, OGPState> m_OGPState = new Dictionary<UUID, OGPState>();
|
||||||
private string LastNameSuffix = "_EXTERNAL";
|
private string LastNameSuffix = "_EXTERNAL";
|
||||||
private string FirstNamePrefix = "";
|
private string FirstNamePrefix = "";
|
||||||
|
private string httpsCN = "";
|
||||||
|
private bool httpSSL = false;
|
||||||
|
private uint httpsslport = 0;
|
||||||
|
|
||||||
#region IRegionModule Members
|
#region IRegionModule Members
|
||||||
|
|
||||||
|
@ -93,6 +96,7 @@ namespace OpenSim.Region.Environment.Modules.InterGrid
|
||||||
{
|
{
|
||||||
bool enabled = false;
|
bool enabled = false;
|
||||||
IConfig cfg = null;
|
IConfig cfg = null;
|
||||||
|
IConfig httpcfg = null;
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
cfg = config.Configs["OpenGridProtocol"];
|
cfg = config.Configs["OpenGridProtocol"];
|
||||||
|
@ -100,6 +104,16 @@ namespace OpenSim.Region.Environment.Modules.InterGrid
|
||||||
{
|
{
|
||||||
enabled = false;
|
enabled = false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
try
|
||||||
|
{
|
||||||
|
httpcfg = config.Configs["Network"];
|
||||||
|
}
|
||||||
|
catch (NullReferenceException)
|
||||||
|
{
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
if (cfg != null)
|
if (cfg != null)
|
||||||
{
|
{
|
||||||
enabled = cfg.GetBoolean("ogp_enabled", false);
|
enabled = cfg.GetBoolean("ogp_enabled", false);
|
||||||
|
@ -139,6 +153,20 @@ namespace OpenSim.Region.Environment.Modules.InterGrid
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
lock (m_scene)
|
||||||
|
{
|
||||||
|
if (m_scene.Count == 1)
|
||||||
|
{
|
||||||
|
if (httpcfg != null)
|
||||||
|
{
|
||||||
|
httpSSL = httpcfg.GetBoolean("http_listener_ssl", false);
|
||||||
|
httpsCN = httpcfg.GetString("http_listener_cn", scene.RegionInfo.ExternalHostName);
|
||||||
|
if (httpsCN.Length == 0)
|
||||||
|
httpsCN = scene.RegionInfo.ExternalHostName;
|
||||||
|
httpsslport = (uint)httpcfg.GetInt("http_listener_sslport",((int)scene.RegionInfo.HttpPort + 1));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
// Of interest to this module potentially
|
// Of interest to this module potentially
|
||||||
//scene.EventManager.OnNewClient += OnNewClient;
|
//scene.EventManager.OnNewClient += OnNewClient;
|
||||||
//scene.EventManager.OnGridInstantMessageToFriendsModule += OnGridInstantMessage;
|
//scene.EventManager.OnGridInstantMessageToFriendsModule += OnGridInstantMessage;
|
||||||
|
@ -371,14 +399,35 @@ namespace OpenSim.Region.Environment.Modules.InterGrid
|
||||||
// Get a reference to the user's cap so we can pull out the Caps Object Path
|
// Get a reference to the user's cap so we can pull out the Caps Object Path
|
||||||
OpenSim.Framework.Communications.Capabilities.Caps userCap = homeScene.GetCapsHandlerForUser(agentData.AgentID);
|
OpenSim.Framework.Communications.Capabilities.Caps userCap = homeScene.GetCapsHandlerForUser(agentData.AgentID);
|
||||||
|
|
||||||
|
string rezHttpProtocol = "http://";
|
||||||
|
string regionCapsHttpProtocol = "http://";
|
||||||
|
string httpaddr = reg.ExternalHostName;
|
||||||
|
string urlport = reg.HttpPort.ToString();
|
||||||
|
|
||||||
|
|
||||||
|
if (httpSSL)
|
||||||
|
{
|
||||||
|
rezHttpProtocol = "https://";
|
||||||
|
|
||||||
|
urlport = httpsslport.ToString();
|
||||||
|
|
||||||
|
if (httpsCN.Length > 0)
|
||||||
|
httpaddr = httpsCN;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
// Be warned that the two following lines assume http not
|
||||||
|
// https since region caps are not implemented in https currently
|
||||||
|
|
||||||
// DEPRECIATED
|
// DEPRECIATED
|
||||||
responseMap["seed_capability"] = LLSD.FromString("http://" + reg.ExternalHostName + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/");
|
responseMap["seed_capability"] = LLSD.FromString(regionCapsHttpProtocol + httpaddr + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/");
|
||||||
|
|
||||||
// REPLACEMENT
|
// REPLACEMENT
|
||||||
responseMap["region_seed_capability"] = LLSD.FromString("http://" + reg.ExternalHostName + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/");
|
responseMap["region_seed_capability"] = LLSD.FromString(regionCapsHttpProtocol + httpaddr + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/");
|
||||||
|
|
||||||
responseMap["rez_avatar/rez"] = LLSD.FromString("http://" + reg.ExternalHostName + ":" + reg.HttpPort + rezAvatarPath);
|
|
||||||
responseMap["rez_avatar/derez"] = LLSD.FromString("http://" + reg.ExternalHostName + ":" + reg.HttpPort + derezAvatarPath);
|
responseMap["rez_avatar/rez"] = LLSD.FromString(rezHttpProtocol + httpaddr + ":" + urlport + rezAvatarPath);
|
||||||
|
responseMap["rez_avatar/derez"] = LLSD.FromString(rezHttpProtocol + httpaddr + ":" + urlport + derezAvatarPath);
|
||||||
|
|
||||||
// Add the user to the list of CAPS that are outstanding.
|
// Add the user to the list of CAPS that are outstanding.
|
||||||
// well allow the caps hosts in this dictionary
|
// well allow the caps hosts in this dictionary
|
||||||
|
|
|
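Review bot: The `catch (NullReferenceException) { }` wrapped around `httpcfg = config.Configs["Network"];` in the second hunk swallows the exception with no log line, and if the config source returns null for a missing section (which the `if (httpcfg != null)` test in the third hunk already assumes) the try/catch is dead code; drop it and keep the null test, or at least log in the catch. In the last hunk, under `httpSSL` the rez/derez URLs take host `httpsCN` and port `httpsslport` from this module's own `[Network]` section while the path and the seed capability still use `reg`; if `reg` can be a region other than the one whose config was read, the URL would send the client to the local CN on a foreign region's path, which deserves a comment or an explicit check. The new fields `httpsCN`, `httpSSL` and `httpsslport` use a different casing from the surrounding `m_OGPState` and `LastNameSuffix` fields.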
@ -169,6 +169,15 @@ dump_assets_to_file = false
|
||||||
http_listener_port = 9000
|
http_listener_port = 9000
|
||||||
remoting_listener_port = 8895
|
remoting_listener_port = 8895
|
||||||
|
|
||||||
|
; ssl config: Experimental! The auto https config only really works definately on windows XP now
|
||||||
|
; you need a Cert Request/Signed pair installed in the MY store with the CN specified below
|
||||||
|
; you can use https on other platforms, but you'll need to configure the httpapi yourself for now
|
||||||
|
http_listener_ssl = false ; Also create a SSL server
|
||||||
|
http_listener_cn = "localhost" ; Use the cert with the common name
|
||||||
|
http_listener_sslport = 9001 ; Use this port for SSL connections
|
||||||
|
http_listener_ssl_cert = "" ; Currently unused, but will be used for OSHttpServer
|
||||||
|
|
||||||
|
|
||||||
; Uncomment below to enable llRemoteData/remote channels
|
; Uncomment below to enable llRemoteData/remote channels
|
||||||
; remoteDataPort = 20800
|
; remoteDataPort = 20800
|
||||||
|
|
||||||
|
|
|
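Review bot: The sample sets `http_listener_cn = "localhost"`, but the code default when the key is absent is `""`, which SetupSsl maps to the machine name, and a client connecting to the region's external hostname will reject a certificate issued for `localhost`; the inline comment should say that this value is matched against the subject of certificates in the LocalMachine store and should be the externally resolvable hostname, e.g. `http_listener_cn = "localhost" ; CN of the cert in the MY store; must match the hostname clients connect to`. `definately` in the first comment line should read `definitely`, and `http_listener_ssl_cert` is documented as unused, so it may be better left out of the sample until it is read.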
@ -0,0 +1,30 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIFJzCCBA+gAwIBAgIJAK3s6O4dAEQSMA0GCSqGSIb3DQEBBQUAMIG9MQswCQYD
|
||||||
|
VQQGEwJVUzEUMBIGA1UECBMLTXVsdGktc3RhdGUxEzARBgNVBAcTCm11bHRpLWNp
|
||||||
|
dHkxJTAjBgNVBAoTHE9wZW5TaW11bGF0b3IgRGV2IERPTlQgVFJVU1QxEzARBgNV
|
||||||
|
BAsTCkRPTlQgVFJVU1QxJTAjBgNVBAMTHE9wZW5TaW11bGF0b3IgRGV2IERPTlQg
|
||||||
|
VFJVU1QxIDAeBgkqhkiG9w0BCQEWEXRlcmF2dXNAZ21haWwuY29tMB4XDTA4MDkx
|
||||||
|
MjE2MTEwNVoXDTE4MDgxMTE2MTEwNVowgb0xCzAJBgNVBAYTAlVTMRQwEgYDVQQI
|
||||||
|
EwtNdWx0aS1zdGF0ZTETMBEGA1UEBxMKbXVsdGktY2l0eTElMCMGA1UEChMcT3Bl
|
||||||
|
blNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDETMBEGA1UECxMKRE9OVCBUUlVTVDEl
|
||||||
|
MCMGA1UEAxMcT3BlblNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDEgMB4GCSqGSIb3
|
||||||
|
DQEJARYRdGVyYXZ1c0BnbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
|
||||||
|
ggEKAoIBAQCwpTIw01Y6Lg7INnmDp9KHLC1p0Udg4Y9Ux232zd2tOTpjF7QnlHIO
|
||||||
|
GKg8jE6SiaV4NPC9nRqgVCOMa6H7crbr/IrXcTUq0ZYyIG07ZkbUb+4aNNJLh/vq
|
||||||
|
xHj0kXfRKGxq1QzjmNO7kfCzR4vQudI4F/Hw6HL2vIqRI3sNepn+j3VKCILyTLQP
|
||||||
|
b0mJi6EfRizqLtIgQwaaMN3AgZWF8rAANNLerzkYLM7+uT5sQYX/sGPi16x/NgFr
|
||||||
|
UfCI6Ag2Sbufj8VOOp08kDwVZNq7Vr44y+l1gJySPnLMbBrTb/erc+UJv4xgVsRI
|
||||||
|
opMKP/DG+z3eRbxKcPZ0hpPWJS4JhG0bAgMBAAGjggEmMIIBIjAdBgNVHQ4EFgQU
|
||||||
|
u0ZSqD+MrxiuSy0IsX5Iye8lHZswgfIGA1UdIwSB6jCB54AUu0ZSqD+MrxiuSy0I
|
||||||
|
sX5Iye8lHZuhgcOkgcAwgb0xCzAJBgNVBAYTAlVTMRQwEgYDVQQIEwtNdWx0aS1z
|
||||||
|
dGF0ZTETMBEGA1UEBxMKbXVsdGktY2l0eTElMCMGA1UEChMcT3BlblNpbXVsYXRv
|
||||||
|
ciBEZXYgRE9OVCBUUlVTVDETMBEGA1UECxMKRE9OVCBUUlVTVDElMCMGA1UEAxMc
|
||||||
|
T3BlblNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDEgMB4GCSqGSIb3DQEJARYRdGVy
|
||||||
|
YXZ1c0BnbWFpbC5jb22CCQCt7OjuHQBEEjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
|
||||||
|
DQEBBQUAA4IBAQAaI69OZmjTVcZxtWLASB9nv3WNEOxJW+aBjseUhyM4H9pJ5bkh
|
||||||
|
MmgiG9JgnBUpNzL3/1EV2Ud8ZCBy7JxhvwWnJMjxJL67US16sKpCLVvNAD2pCZ6f
|
||||||
|
iaT/qorLYP/yJ7OieYmAh5lZsvG8xJM44ZZyvtYEVBB+qZw1gHkb4hhf3roUCV67
|
||||||
|
aHMDRRolWyWm6weid7wTWz38QfRohVWidH9CPwubG7K4zPrDpBJAZV1cKra1YTrM
|
||||||
|
eje1GuIyHzpIAAYP5z1hgI9p/0oTrWnG7w7Ydkpm9lu50WMt1DScsYnh0MhW/uas
|
||||||
|
e24cQsvz0m9PZlfAsJQeX6pbqlJppoX+XeVC
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -0,0 +1,27 @@
|
||||||
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
MIIEowIBAAKCAQEAsKUyMNNWOi4OyDZ5g6fShywtadFHYOGPVMdt9s3drTk6Yxe0
|
||||||
|
J5RyDhioPIxOkomleDTwvZ0aoFQjjGuh+3K26/yK13E1KtGWMiBtO2ZG1G/uGjTS
|
||||||
|
S4f76sR49JF30ShsatUM45jTu5Hws0eL0LnSOBfx8Ohy9ryKkSN7DXqZ/o91SgiC
|
||||||
|
8ky0D29JiYuhH0Ys6i7SIEMGmjDdwIGVhfKwADTS3q85GCzO/rk+bEGF/7Bj4tes
|
||||||
|
fzYBa1HwiOgINkm7n4/FTjqdPJA8FWTau1a+OMvpdYCckj5yzGwa02/3q3PlCb+M
|
||||||
|
YFbESKKTCj/wxvs93kW8SnD2dIaT1iUuCYRtGwIDAQABAoIBAFNoXU+iqodkMgSl
|
||||||
|
fDEHMCg1WugpMjvzpXsRg8HSqQZfDEu36I/7zvMK/30/fuZAakpdLQNLSERGFlb6
|
||||||
|
h4y0ON0q7OAXi1RBjFr05r7yZyVuCI6FPHr/pZrP1JEekuXG4ZJ8MM7S3b8mhPIS
|
||||||
|
KVmQNEvaOppXF9mbYw5vI25U4pvIljfAKZxkeU7aHb9asrnuBOwLjFRtLDTo13Nc
|
||||||
|
dHTT3X+G+74mU8rYTV3njAmh9iE+PmDlc2mJckS/0TqpJbZgFueCCBIK5iJSc7lO
|
||||||
|
+DFFgRcouvnCdZW9fp6/8Hz4FGa2TX6jsYj/H1dGWELioUOoBwkdqFP9JaBvd7ni
|
||||||
|
Nx2PObkCgYEA31rYJJ5jUiosf1I894MuEg2HWosXd0pVAPW3QjHdx7oiVUBRS5ZB
|
||||||
|
YAOy5zeleLckfWKJiE4z/5CMdsEM/Q9F0X2xg3TDhxUM7A4px0AXAsbyJT7AcE0O
|
||||||
|
kZBZjhluIF8O3Lic/LqzT39KgG35zvvd+H42Je1WvsCLSREL1MQDwCUCgYEAynak
|
||||||
|
x41uazl5UaDwL+mahIVW+n/Bko3e9BhD7ZRkLI2+R7y180Fw7dMmnxG/jVw7hotk
|
||||||
|
Ylx3Oa+JjnEplxTd1TShnP1aQ0nhnxnhS9EbIW8SjsazeK8V8zezJ54uZziVedgg
|
||||||
|
x/ISvQM0yPbvkrSo4mQEjl3q4DjmIyg5Nx+cVD8CgYBGD0vPKLOE2V+9zED9bnNs
|
||||||
|
DDxRxWFl9LX3KBwEsnmbpaIRVaxqZkY5ZM+gQU8xL1lNzzPOwqEC4Ad/VIzLcBf5
|
||||||
|
X1DoKB8Q5yR3gvXN3yeYomjgD+/zCeiw9jNxJD7r/oU97NapW7LVE9t9r4F1UIHO
|
||||||
|
6V/4w5q7GNBX6fXpFlcK1QKBgQCYNbYP5/4ZUm4otiucea0W7//B94YZndr9+7gl
|
||||||
|
xqfA7xcca30G0i4KPfINKJSvu6VssyLW59kiXxu1INI5qRBVF2pg0f+oEsUyjYxZ
|
||||||
|
KW2SJyT2fd+zXT3NShTANiWAqIOHxLpwV0dLHjvy0eKukm9dNABQ376Sr3Qk/jp1
|
||||||
|
fKhUlQKBgAj6o2lw0vLOuQmqV08YF/UFWN/TZAcBzDE353fypi16aqY35pYSvUez
|
||||||
|
64d1anTTwuq5fLGaQlH0XgGor/XbBqgif8eVyTRdfmA/2YQjwMIFyrWyxLpTiuiO
|
||||||
|
0P6lO4B9NCT2N/gDPomdlOfkA2g063C21CPa43lr8lGx8oaQW95W
|
||||||
|
-----END RSA PRIVATE KEY-----
|
|
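Review bot: This section commits the CA's private key (`CA.key`) in clear, and the directions added in this commit tell users to append the matching certificate (`CA2.pem`, which appears to be a byte-for-byte copy of `CA.crt` in the section above) to the client's `app_settings/CA.pem`; any client that does so will then accept, for any hostname, a certificate signed by anyone who has a copy of this repository, so the "DONT TRUST" marker in the subject is the only thing standing between the user and a silently trusted connection. The key should not ship in the tree; if a throwaway CA must ship, the README should state prominently that certificates chained to it authenticate nothing and that operators must generate their own CA, which its "To create your own CA" section already shows. Keeping two identical copies of the certificate also invites them to drift apart; one file referenced from the README would do.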
@ -0,0 +1 @@
|
||||||
|
F10DF59AD0EE66E0
|
|
@ -0,0 +1,30 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIFJzCCBA+gAwIBAgIJAK3s6O4dAEQSMA0GCSqGSIb3DQEBBQUAMIG9MQswCQYD
|
||||||
|
VQQGEwJVUzEUMBIGA1UECBMLTXVsdGktc3RhdGUxEzARBgNVBAcTCm11bHRpLWNp
|
||||||
|
dHkxJTAjBgNVBAoTHE9wZW5TaW11bGF0b3IgRGV2IERPTlQgVFJVU1QxEzARBgNV
|
||||||
|
BAsTCkRPTlQgVFJVU1QxJTAjBgNVBAMTHE9wZW5TaW11bGF0b3IgRGV2IERPTlQg
|
||||||
|
VFJVU1QxIDAeBgkqhkiG9w0BCQEWEXRlcmF2dXNAZ21haWwuY29tMB4XDTA4MDkx
|
||||||
|
MjE2MTEwNVoXDTE4MDgxMTE2MTEwNVowgb0xCzAJBgNVBAYTAlVTMRQwEgYDVQQI
|
||||||
|
EwtNdWx0aS1zdGF0ZTETMBEGA1UEBxMKbXVsdGktY2l0eTElMCMGA1UEChMcT3Bl
|
||||||
|
blNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDETMBEGA1UECxMKRE9OVCBUUlVTVDEl
|
||||||
|
MCMGA1UEAxMcT3BlblNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDEgMB4GCSqGSIb3
|
||||||
|
DQEJARYRdGVyYXZ1c0BnbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
|
||||||
|
ggEKAoIBAQCwpTIw01Y6Lg7INnmDp9KHLC1p0Udg4Y9Ux232zd2tOTpjF7QnlHIO
|
||||||
|
GKg8jE6SiaV4NPC9nRqgVCOMa6H7crbr/IrXcTUq0ZYyIG07ZkbUb+4aNNJLh/vq
|
||||||
|
xHj0kXfRKGxq1QzjmNO7kfCzR4vQudI4F/Hw6HL2vIqRI3sNepn+j3VKCILyTLQP
|
||||||
|
b0mJi6EfRizqLtIgQwaaMN3AgZWF8rAANNLerzkYLM7+uT5sQYX/sGPi16x/NgFr
|
||||||
|
UfCI6Ag2Sbufj8VOOp08kDwVZNq7Vr44y+l1gJySPnLMbBrTb/erc+UJv4xgVsRI
|
||||||
|
opMKP/DG+z3eRbxKcPZ0hpPWJS4JhG0bAgMBAAGjggEmMIIBIjAdBgNVHQ4EFgQU
|
||||||
|
u0ZSqD+MrxiuSy0IsX5Iye8lHZswgfIGA1UdIwSB6jCB54AUu0ZSqD+MrxiuSy0I
|
||||||
|
sX5Iye8lHZuhgcOkgcAwgb0xCzAJBgNVBAYTAlVTMRQwEgYDVQQIEwtNdWx0aS1z
|
||||||
|
dGF0ZTETMBEGA1UEBxMKbXVsdGktY2l0eTElMCMGA1UEChMcT3BlblNpbXVsYXRv
|
||||||
|
ciBEZXYgRE9OVCBUUlVTVDETMBEGA1UECxMKRE9OVCBUUlVTVDElMCMGA1UEAxMc
|
||||||
|
T3BlblNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDEgMB4GCSqGSIb3DQEJARYRdGVy
|
||||||
|
YXZ1c0BnbWFpbC5jb22CCQCt7OjuHQBEEjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
|
||||||
|
DQEBBQUAA4IBAQAaI69OZmjTVcZxtWLASB9nv3WNEOxJW+aBjseUhyM4H9pJ5bkh
|
||||||
|
MmgiG9JgnBUpNzL3/1EV2Ud8ZCBy7JxhvwWnJMjxJL67US16sKpCLVvNAD2pCZ6f
|
||||||
|
iaT/qorLYP/yJ7OieYmAh5lZsvG8xJM44ZZyvtYEVBB+qZw1gHkb4hhf3roUCV67
|
||||||
|
aHMDRRolWyWm6weid7wTWz38QfRohVWidH9CPwubG7K4zPrDpBJAZV1cKra1YTrM
|
||||||
|
eje1GuIyHzpIAAYP5z1hgI9p/0oTrWnG7w7Ydkpm9lu50WMt1DScsYnh0MhW/uas
|
||||||
|
e24cQsvz0m9PZlfAsJQeX6pbqlJppoX+XeVC
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -0,0 +1,82 @@
|
||||||
|
To generate a cert request and sign it with the JunkCA
|
||||||
|
|
||||||
|
REMEMBER TO APPEND THE CA2.pem file to the bottom of the app_settings/CA.pem in the Linden client folders or you won't be able to connect!
|
||||||
|
|
||||||
|
Generate a Host Key:
|
||||||
|
openssl genrsa -out host.key 2048
|
||||||
|
|
||||||
|
Generate a Certificate signing request with *OpenSSL*:
|
||||||
|
openssl req -new -nodes -key host.key -out host.csr
|
||||||
|
When prompted for: 'Common Name (eg, YOUR name) []:', please type the domain name that this certificate will be used on.
|
||||||
|
|
||||||
|
Or you could;
|
||||||
|
|
||||||
|
Generate a Certificate request with the *IIS Snapin*:
|
||||||
|
Go to Control Panel ---> Administrative tools ---> Internet Information Services
|
||||||
|
Pick a web site on your server.
|
||||||
|
right click, choose properties from the context menu
|
||||||
|
Go to the Directory Security tab
|
||||||
|
Click On the 'Server Certificate...' button
|
||||||
|
Click 'Prepare the request now, but send it later' and then follow the wizard.
|
||||||
|
Be sure to type the common name as the domain name that you will be servicing. www.osgrid.org or whatever server will be using this cert
|
||||||
|
|
||||||
|
Sign the certificate request with the junkCA;
|
||||||
|
openssl x509 -req -days 3620 -CA CA.crt -CAkey CA.key -CAcreateserial -in host.csr -out signed.cer
|
||||||
|
|
||||||
|
Import it into your MY store on windows.
|
||||||
|
|
||||||
|
If you used OpenSSL to generate the certificate;
|
||||||
|
openssl pkcs12 -export -in server.crt -inkey server.key.unsecure -out server.pfx -name "My Lovely Cert"
|
||||||
|
server.crt is the signed cert from the CA.
|
||||||
|
server.key.unsecure is the *unencrypted* private key.
|
||||||
|
|
||||||
|
You will be asked for a password, set this if you want.
|
||||||
|
|
||||||
|
In Windows, fire up "mmc", add the certificates Snap-in, set it to manage the local computer. Go to personal certificates folder, import server.pfx, enter password if you gave it one earlier.
|
||||||
|
|
||||||
|
In IIS, get it to let you choose from currently installed certs. You should now be able to choose the one you just installed.
|
||||||
|
|
||||||
|
If you used the IIS Snap-in,
|
||||||
|
Go to Control Panel ---> Administrative tools ---> Internet Information Services
|
||||||
|
Pick a web site on your server.
|
||||||
|
right click, choose properties from the context menu
|
||||||
|
Go to the Directory Security tab
|
||||||
|
Click On the 'Server Certificate...' button
|
||||||
|
Choose the radio button that says, 'Assign an existing certificate'
|
||||||
|
|
||||||
|
|
||||||
|
Mono, you must use httpcfg in the Mono-1.9.1/lib/mono/2.0 folder.
|
||||||
|
httpcfg -add -port <TYPE HTTPS PORT> -pvk <TYPE PRIVATE KEY FILE> -cert MyCert
|
||||||
|
|
||||||
|
After that, make sure to set-up your opensim.ini!
|
||||||
|
|
||||||
|
|
||||||
|
OpenSSL can be found:
|
||||||
|
http://www.slproweb.com/products/Win32OpenSSL.html
|
||||||
|
|
||||||
|
httpcfg.exe for windowsXP can be found:
|
||||||
|
http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en
|
||||||
|
|
||||||
|
Windows Vista users need to use netsh http!
|
||||||
|
|
||||||
|
---------------------------------------------------
|
||||||
|
|
||||||
|
Additional notes
|
||||||
|
|
||||||
|
To create your own CA
|
||||||
|
|
||||||
|
openssl genrsa -out yourCA.key 2048
|
||||||
|
openssl req -new -key yourCA.key -x509 -days 3620 -out yourCA.crt
|
||||||
|
|
||||||
|
and the final step.. (AND THIS IS IMPORTANT)
|
||||||
|
|
||||||
|
openssl x509 -in CA.crt -out yourCA.pem -outform PEM
|
||||||
|
|
||||||
|
The last step will produce a certificate in the PEM format that you can append to the Linden client's app_settings/CA.pem file
|
||||||
|
so that it can validate certificates that are generated from your CA.
|
||||||
|
|
||||||
|
One last important thing!
|
||||||
|
|
||||||
|
All users that connect with linden clients
|
||||||
|
using SSL NEED the pem file you created in that last step appended to theirs, or their client will give them a weird error about
|
||||||
|
their clock being wrong!
|
|
@ -0,0 +1 @@
|
||||||
|
This Folder contains Junk CA files and directions for signing with it. Comply with Export laws!
|