* This update makes configuring SSL a little easier on Windows XP. It also makes it possible to run an HTTPS server on the region. It also includes a junk certification authority for test purposes.

* There are still a lot of things that are hard coded to use http.   They need to be fixed.
* Also includes directions
* A standard junk PEM file to append to app_settings/CA.pem in the client so SSL will work
0.6.0-stable
Teravus Ovares 2008-09-14 18:39:17 +00:00
parent 4ba7ce5981
commit dbbbec48df
11 changed files with 373 additions and 7 deletions


@ -49,6 +49,9 @@ namespace OpenSim.Framework
public string UserRecvKey = String.Empty; public string UserRecvKey = String.Empty;
public string UserSendKey = String.Empty; public string UserSendKey = String.Empty;
public string UserURL = String.Empty; public string UserURL = String.Empty;
public bool HttpUsesSSL = false;
public string HttpSSLCN = "";
public uint httpSSLPort = 9001;
public NetworkServersInfo() public NetworkServersInfo()
@ -78,6 +81,10 @@ namespace OpenSim.Framework
HttpListenerPort = HttpListenerPort =
(uint) config.Configs["Network"].GetInt("http_listener_port", (int) DefaultHttpListenerPort); (uint) config.Configs["Network"].GetInt("http_listener_port", (int) DefaultHttpListenerPort);
httpSSLPort =
(uint)config.Configs["Network"].GetInt("http_listener_sslport", ((int)DefaultHttpListenerPort+1));
HttpUsesSSL = config.Configs["Network"].GetBoolean("http_listener_ssl", false);
HttpSSLCN = config.Configs["Network"].GetString("http_listener_cn", "");
RemotingListenerPort = RemotingListenerPort =
(uint) config.Configs["Network"].GetInt("remoting_listener_port", (int) RemotingListenerPort); (uint) config.Configs["Network"].GetInt("remoting_listener_port", (int) RemotingListenerPort);
GridURL = GridURL =
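Review bot: The new public field `httpSSLPort` breaks the PascalCase used by its siblings `HttpUsesSSL` and `HttpSSLCN` and by every other public field in this class, and the name is now baked into callers such as RegionApplicationBase; `public uint HttpSSLPort = 9001;` would match. The fallback `DefaultHttpListenerPort+1` also differs from the `RegionInfo.HttpPort + 1` fallback the OpenGridProtocolModule uses for the same `http_listener_sslport` key, so with a non-default `http_listener_port` and no `http_listener_sslport` the listener presumably binds 9001 while the module advertises HttpPort+1; deriving the default from `HttpListenerPort + 1`, which is read on the line just above, keeps the two in step. The enclosing method continues outside the hunk.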


@ -26,12 +26,14 @@
*/ */
using System; using System;
using System.Diagnostics;
using System.Collections; using System.Collections;
using System.Collections.Generic; using System.Collections.Generic;
using System.IO; using System.IO;
using System.Net; using System.Net;
using System.Net.Sockets; using System.Net.Sockets;
using System.Reflection; using System.Reflection;
using System.Security.Cryptography.X509Certificates;
using System.Text; using System.Text;
using System.Threading; using System.Threading;
using System.Xml; using System.Xml;
@ -39,6 +41,7 @@ using OpenMetaverse.StructuredData;
using log4net; using log4net;
using Nwc.XmlRpc; using Nwc.XmlRpc;
namespace OpenSim.Framework.Servers namespace OpenSim.Framework.Servers
{ {
public class BaseHttpServer public class BaseHttpServer
@ -55,9 +58,14 @@ namespace OpenSim.Framework.Servers
protected Dictionary<string, IHttpAgentHandler> m_agentHandlers = new Dictionary<string, IHttpAgentHandler>(); protected Dictionary<string, IHttpAgentHandler> m_agentHandlers = new Dictionary<string, IHttpAgentHandler>();
protected uint m_port; protected uint m_port;
protected uint m_sslport;
protected bool m_ssl = false; protected bool m_ssl = false;
protected bool m_firstcaps = true; protected bool m_firstcaps = true;
public uint SSLPort
{
get { return m_sslport; }
}
public uint Port public uint Port
{ {
get { return m_port; } get { return m_port; }
@ -72,8 +80,124 @@ namespace OpenSim.Framework.Servers
{ {
m_ssl = ssl; m_ssl = ssl;
m_port = port; m_port = port;
} }
public BaseHttpServer(uint port, bool ssl, uint sslport, string CN)
{
m_ssl = ssl;
m_port = port;
if (m_ssl)
{
bool result = SetupSsl((int)sslport, CN);
m_sslport = sslport;
}
}
public bool SetupSsl(int port, string CN)
{
string searchCN = Environment.MachineName.ToUpper();
if (CN.Length > 0)
searchCN = CN.ToUpper();
Type t = Type.GetType("Mono.Runtime");
if (t != null)
{
// TODO Mono User Friendly HTTPS setup
// if this doesn't exist, then mono people can still manually use httpcfg
}
else
{
// Windows.
// Search through the store for a certificate with a Common name specified in OpenSim.ini.
// We need to find it's hash so we can pass it to httpcfg
X509Store store = new X509Store(StoreLocation.LocalMachine);
//Use the first cert to configure Ssl
store.Open(OpenFlags.ReadOnly);
//Assumption is we have certs. If not then this call will fail :(
try
{
bool found = false;
//X509Certificate2.CreateFromCertFile("testCert.cer");
foreach (X509Certificate2 cert in store.Certificates)
{
String certHash = cert.GetCertHashString();
//Only install certs issued for the machine and has the name as the machine name
if (cert.Subject.ToUpper().IndexOf(searchCN) >= 0)
{
string httpcfgparams = String.Format("set ssl -i 0.0.0.0:{1} -c \"MY\" -h {0}", certHash, port);
try
{
found = true;
ExecuteHttpcfgCommand(httpcfgparams);
break;
}
catch (Exception e)
{
m_log.WarnFormat("[HTTPS]: Automatic HTTPS setup failed. Do you have httpcfg.exe in your path? If not, you can download it in the windowsXP Service Pack 2 Support Tools, here: http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en. When you get it installed type, httpcfg {0}", httpcfgparams);
return false;
}
}
}
if (!found)
{
m_log.WarnFormat("[HTTPS]: We didn't find a certificate that matched the common name {0}. Automatic HTTPS setup failed, you may have certificate errors. To fix this, make sure you generate a certificate request(CSR) using OpenSSL or the IIS snap-in with the common name you specified in opensim.ini. Then get it signed by a certification authority or sign it yourself with OpenSSL and the junkCA. Finally, be sure to import the cert to the 'MY' store(StoreLocation.LocalMachine)", searchCN);
return false;
}
}
catch (Exception e)
{
m_log.WarnFormat("[HTTPS]: We didn't any certificates in your LocalMachine certificate store. Automatic HTTPS setup failed, you may have certificate errors. To fix this, make sure you generate a certificate request(CSR) using OpenSSL or the IIS snap-inwith the common name you specified in opensim.ini. Then get it signed by a certification authority or sign it yourself with OpenSSL and the junkCA. Finally, be sure to import the cert to the 'MY' store(StoreLocation.LocalMachine). The configured common name is {0}", searchCN);
return false;
}
finally
{
if (store != null)
{
store.Close();
}
}
}
return true;
}
private void ExecuteHttpcfgCommand(string p)
{
string file = "httpcfg";
ProcessStartInfo info = new ProcessStartInfo(file, p);
// Redirect output so we can read it.
info.RedirectStandardOutput = true;
// To redirect, we must not use shell execute.
info.UseShellExecute = false;
// Create and execute the process.
Process httpcfgprocess = Process.Start(info);
httpcfgprocess.Start();
string result = httpcfgprocess.StandardOutput.ReadToEnd();
if (result.Contains("HttpSetServiceConfiguration completed with"))
{
//success
}
else
{
//fail
m_log.WarnFormat("[HTTPS]:Error binding certificate with the requested port. Message:{0}", result);
}
}
/// <summary> /// <summary>
/// Add a stream handler to the http server. If the handler already exists, then nothing happens. /// Add a stream handler to the http server. If the handler already exists, then nothing happens.
/// </summary> /// </summary>
@ -907,7 +1031,8 @@ namespace OpenSim.Framework.Servers
} }
else else
{ {
m_httpListener.Prefixes.Add("https://+:" + m_port + "/"); m_httpListener.Prefixes.Add("https://+:" + (m_sslport) + "/");
m_httpListener.Prefixes.Add("http://+:" + m_port + "/");
} }
m_httpListener.Start(); m_httpListener.Start();
@ -921,7 +1046,7 @@ namespace OpenSim.Framework.Servers
catch (Exception e) catch (Exception e)
{ {
m_log.Warn("[HTTPD]: Error - " + e.Message); m_log.Warn("[HTTPD]: Error - " + e.Message);
m_log.Warn("Tip: Do you have permission to listen on port " + m_port + "?"); m_log.Warn("Tip: Do you have permission to listen on port " + m_port + "," + m_sslport + "?");
} }
} }
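Review bot: ExecuteHttpcfgCommand starts httpcfg twice — `Process.Start(info)` already launches it and the following `httpcfgprocess.Start()` launches a second instance whose output is then read, while the first is never waited on or disposed and neither ExitCode is checked. The certificate match in SetupSsl, `cert.Subject.ToUpper().IndexOf(searchCN) >= 0`, is a culture-sensitive substring test over the whole subject, so a CN such as `host` also matches `localhost` or an O=/E= component and the first hit is bound even if it carries no private key; `string.Equals(cert.GetNameInfo(X509NameType.SimpleName, false), searchCN, StringComparison.OrdinalIgnoreCase) && cert.HasPrivateKey` pins it to the configured name. The new constructor also discards `bool result = SetupSsl((int)sslport, CN);` and sets m_sslport regardless, and both `catch (Exception e)` blocks in SetupSsl leave `e` unused. A rewrite of ExecuteHttpcfgCommand follows.
```csharp
private void ExecuteHttpcfgCommand(string p)
{
    ProcessStartInfo info = new ProcessStartInfo("httpcfg", p);
    // Redirect output so we can read it; redirection requires UseShellExecute = false.
    info.RedirectStandardOutput = true;
    info.UseShellExecute = false;
    // Process.Start(info) already launches the process; do not call Start() again.
    using (Process httpcfgprocess = Process.Start(info))
    {
        string result = httpcfgprocess.StandardOutput.ReadToEnd();
        httpcfgprocess.WaitForExit();
        if (httpcfgprocess.ExitCode != 0 || !result.Contains("HttpSetServiceConfiguration completed with"))
        {
            m_log.WarnFormat("[HTTPS]:Error binding certificate with the requested port. Message:{0}", result);
        }
    }
}
```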


@ -81,7 +81,12 @@ namespace OpenSim.Region.ClientStack
Initialize(); Initialize();
m_httpServer = new BaseHttpServer(m_httpServerPort); m_httpServer = new BaseHttpServer(m_httpServerPort,m_networkServersInfo.HttpUsesSSL,m_networkServersInfo.httpSSLPort, m_networkServersInfo.HttpSSLCN);
if (m_networkServersInfo.HttpUsesSSL && (m_networkServersInfo.HttpListenerPort == m_networkServersInfo.httpSSLPort))
{
m_log.Error("[HTTP]: HTTP Server config failed. HTTP Server and HTTPS server must be on different ports");
}
m_log.Info("[REGION]: Starting HTTP server"); m_log.Info("[REGION]: Starting HTTP server");
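Review bot: The port-collision check runs after `new BaseHttpServer(...)` has already been constructed (and SetupSsl already invoked) and only logs, so when `http_listener_sslport` equals `http_listener_port` startup proceeds and the listener later registers an https and an http prefix on the same port. Move the check above the constructor call and stop there, e.g. `throw new InvalidOperationException("[HTTP]: HTTP Server and HTTPS server must be on different ports");`, rather than continuing. The check compares `m_networkServersInfo.HttpListenerPort` while the server is built from `m_httpServerPort`; these are presumably the same value, but it is worth confirming. The enclosing method starts and ends outside the hunk.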


@ -86,6 +86,9 @@ namespace OpenSim.Region.Environment.Modules.InterGrid
private Dictionary<UUID, OGPState> m_OGPState = new Dictionary<UUID, OGPState>(); private Dictionary<UUID, OGPState> m_OGPState = new Dictionary<UUID, OGPState>();
private string LastNameSuffix = "_EXTERNAL"; private string LastNameSuffix = "_EXTERNAL";
private string FirstNamePrefix = ""; private string FirstNamePrefix = "";
private string httpsCN = "";
private bool httpSSL = false;
private uint httpsslport = 0;
#region IRegionModule Members #region IRegionModule Members
@ -93,6 +96,7 @@ namespace OpenSim.Region.Environment.Modules.InterGrid
{ {
bool enabled = false; bool enabled = false;
IConfig cfg = null; IConfig cfg = null;
IConfig httpcfg = null;
try try
{ {
cfg = config.Configs["OpenGridProtocol"]; cfg = config.Configs["OpenGridProtocol"];
@ -100,6 +104,16 @@ namespace OpenSim.Region.Environment.Modules.InterGrid
{ {
enabled = false; enabled = false;
} }
try
{
httpcfg = config.Configs["Network"];
}
catch (NullReferenceException)
{
}
if (cfg != null) if (cfg != null)
{ {
enabled = cfg.GetBoolean("ogp_enabled", false); enabled = cfg.GetBoolean("ogp_enabled", false);
@ -139,6 +153,20 @@ namespace OpenSim.Region.Environment.Modules.InterGrid
} }
} }
} }
lock (m_scene)
{
if (m_scene.Count == 1)
{
if (httpcfg != null)
{
httpSSL = httpcfg.GetBoolean("http_listener_ssl", false);
httpsCN = httpcfg.GetString("http_listener_cn", scene.RegionInfo.ExternalHostName);
if (httpsCN.Length == 0)
httpsCN = scene.RegionInfo.ExternalHostName;
httpsslport = (uint)httpcfg.GetInt("http_listener_sslport",((int)scene.RegionInfo.HttpPort + 1));
}
}
}
// Of interest to this module potentially // Of interest to this module potentially
//scene.EventManager.OnNewClient += OnNewClient; //scene.EventManager.OnNewClient += OnNewClient;
//scene.EventManager.OnGridInstantMessageToFriendsModule += OnGridInstantMessage; //scene.EventManager.OnGridInstantMessageToFriendsModule += OnGridInstantMessage;
@ -371,14 +399,35 @@ namespace OpenSim.Region.Environment.Modules.InterGrid
// Get a reference to the user's cap so we can pull out the Caps Object Path // Get a reference to the user's cap so we can pull out the Caps Object Path
OpenSim.Framework.Communications.Capabilities.Caps userCap = homeScene.GetCapsHandlerForUser(agentData.AgentID); OpenSim.Framework.Communications.Capabilities.Caps userCap = homeScene.GetCapsHandlerForUser(agentData.AgentID);
string rezHttpProtocol = "http://";
string regionCapsHttpProtocol = "http://";
string httpaddr = reg.ExternalHostName;
string urlport = reg.HttpPort.ToString();
if (httpSSL)
{
rezHttpProtocol = "https://";
urlport = httpsslport.ToString();
if (httpsCN.Length > 0)
httpaddr = httpsCN;
}
// Be warned that the two following lines assume http not
// https since region caps are not implemented in https currently
// DEPRECIATED // DEPRECIATED
responseMap["seed_capability"] = LLSD.FromString("http://" + reg.ExternalHostName + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/"); responseMap["seed_capability"] = LLSD.FromString(regionCapsHttpProtocol + httpaddr + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/");
// REPLACEMENT // REPLACEMENT
responseMap["region_seed_capability"] = LLSD.FromString("http://" + reg.ExternalHostName + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/"); responseMap["region_seed_capability"] = LLSD.FromString(regionCapsHttpProtocol + httpaddr + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/");
responseMap["rez_avatar/rez"] = LLSD.FromString("http://" + reg.ExternalHostName + ":" + reg.HttpPort + rezAvatarPath);
responseMap["rez_avatar/derez"] = LLSD.FromString("http://" + reg.ExternalHostName + ":" + reg.HttpPort + derezAvatarPath); responseMap["rez_avatar/rez"] = LLSD.FromString(rezHttpProtocol + httpaddr + ":" + urlport + rezAvatarPath);
responseMap["rez_avatar/derez"] = LLSD.FromString(rezHttpProtocol + httpaddr + ":" + urlport + derezAvatarPath);
// Add the user to the list of CAPS that are outstanding. // Add the user to the list of CAPS that are outstanding.
// well allow the caps hosts in this dictionary // well allow the caps hosts in this dictionary
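Review bot: In the last hunk `httpaddr` is replaced by the certificate CN whenever `httpSSL` is set, but it is also used for the two `seed_capability` / `region_seed_capability` URLs that the preceding comment says must stay plain http (`regionCapsHttpProtocol` is never changed), so with the shipped ini default CN of `localhost` a remote client would be sent to `http://localhost:<port>/CAPS/...`. Keep `reg.ExternalHostName` in those two caps lines and use `httpaddr` only for the `rez_avatar/rez` and `rez_avatar/derez` URLs, which are the ones that actually go over TLS. The `http_listener_sslport` fallback `scene.RegionInfo.HttpPort + 1` in the earlier hunk also differs from the `DefaultHttpListenerPort+1` fallback used in NetworkServersInfo for the same key. The method enclosing the last hunk starts and ends outside it.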


@ -169,6 +169,15 @@ dump_assets_to_file = false
http_listener_port = 9000 http_listener_port = 9000
remoting_listener_port = 8895 remoting_listener_port = 8895
; ssl config: Experimental! The auto https config only really works definately on windows XP now
; you need a Cert Request/Signed pair installed in the MY store with the CN specified below
; you can use https on other platforms, but you'll need to configure the httpapi yourself for now
http_listener_ssl = false ; Also create a SSL server
http_listener_cn = "localhost" ; Use the cert with the common name
http_listener_sslport = 9001 ; Use this port for SSL connections
http_listener_ssl_cert = "" ; Currently unused, but will be used for OSHttpServer
; Uncomment below to enable llRemoteData/remote channels ; Uncomment below to enable llRemoteData/remote channels
; remoteDataPort = 20800 ; remoteDataPort = 20800
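Review bot: The shipped default `http_listener_cn = "localhost"` differs from the code default of `""` in NetworkServersInfo, which falls back to the machine name, and a localhost CN can only validate for clients on the same host; since the OpenGridProtocolModule substitutes this CN for the external host name in the URLs it hands to clients, the sample should ship as `http_listener_cn = ""` with a comment that the value must be the externally resolvable name the certificate was issued for. The comment on `http_listener_ssl_cert` already says it is unused, so it is worth adding that the other three keys are only read when `http_listener_ssl = true`.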

share/junkCA/CA.crt Normal file

@ -0,0 +1,30 @@
-----BEGIN CERTIFICATE-----
MIIFJzCCBA+gAwIBAgIJAK3s6O4dAEQSMA0GCSqGSIb3DQEBBQUAMIG9MQswCQYD
VQQGEwJVUzEUMBIGA1UECBMLTXVsdGktc3RhdGUxEzARBgNVBAcTCm11bHRpLWNp
dHkxJTAjBgNVBAoTHE9wZW5TaW11bGF0b3IgRGV2IERPTlQgVFJVU1QxEzARBgNV
BAsTCkRPTlQgVFJVU1QxJTAjBgNVBAMTHE9wZW5TaW11bGF0b3IgRGV2IERPTlQg
VFJVU1QxIDAeBgkqhkiG9w0BCQEWEXRlcmF2dXNAZ21haWwuY29tMB4XDTA4MDkx
MjE2MTEwNVoXDTE4MDgxMTE2MTEwNVowgb0xCzAJBgNVBAYTAlVTMRQwEgYDVQQI
EwtNdWx0aS1zdGF0ZTETMBEGA1UEBxMKbXVsdGktY2l0eTElMCMGA1UEChMcT3Bl
blNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDETMBEGA1UECxMKRE9OVCBUUlVTVDEl
MCMGA1UEAxMcT3BlblNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDEgMB4GCSqGSIb3
DQEJARYRdGVyYXZ1c0BnbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQCwpTIw01Y6Lg7INnmDp9KHLC1p0Udg4Y9Ux232zd2tOTpjF7QnlHIO
GKg8jE6SiaV4NPC9nRqgVCOMa6H7crbr/IrXcTUq0ZYyIG07ZkbUb+4aNNJLh/vq
xHj0kXfRKGxq1QzjmNO7kfCzR4vQudI4F/Hw6HL2vIqRI3sNepn+j3VKCILyTLQP
b0mJi6EfRizqLtIgQwaaMN3AgZWF8rAANNLerzkYLM7+uT5sQYX/sGPi16x/NgFr
UfCI6Ag2Sbufj8VOOp08kDwVZNq7Vr44y+l1gJySPnLMbBrTb/erc+UJv4xgVsRI
opMKP/DG+z3eRbxKcPZ0hpPWJS4JhG0bAgMBAAGjggEmMIIBIjAdBgNVHQ4EFgQU
u0ZSqD+MrxiuSy0IsX5Iye8lHZswgfIGA1UdIwSB6jCB54AUu0ZSqD+MrxiuSy0I
sX5Iye8lHZuhgcOkgcAwgb0xCzAJBgNVBAYTAlVTMRQwEgYDVQQIEwtNdWx0aS1z
dGF0ZTETMBEGA1UEBxMKbXVsdGktY2l0eTElMCMGA1UEChMcT3BlblNpbXVsYXRv
ciBEZXYgRE9OVCBUUlVTVDETMBEGA1UECxMKRE9OVCBUUlVTVDElMCMGA1UEAxMc
T3BlblNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDEgMB4GCSqGSIb3DQEJARYRdGVy
YXZ1c0BnbWFpbC5jb22CCQCt7OjuHQBEEjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
DQEBBQUAA4IBAQAaI69OZmjTVcZxtWLASB9nv3WNEOxJW+aBjseUhyM4H9pJ5bkh
MmgiG9JgnBUpNzL3/1EV2Ud8ZCBy7JxhvwWnJMjxJL67US16sKpCLVvNAD2pCZ6f
iaT/qorLYP/yJ7OieYmAh5lZsvG8xJM44ZZyvtYEVBB+qZw1gHkb4hhf3roUCV67
aHMDRRolWyWm6weid7wTWz38QfRohVWidH9CPwubG7K4zPrDpBJAZV1cKra1YTrM
eje1GuIyHzpIAAYP5z1hgI9p/0oTrWnG7w7Ydkpm9lu50WMt1DScsYnh0MhW/uas
e24cQsvz0m9PZlfAsJQeX6pbqlJppoX+XeVC
-----END CERTIFICATE-----

share/junkCA/CA.key Normal file

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
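Review bot: A CA private key is being committed to a public tree, and the accompanying README tells every user to append the matching CA2.pem to the viewer's app_settings/CA.pem; once that is done, anyone with this repository can sign a certificate for any host name that those viewers will accept without complaint. The "DONT TRUST" subject in CA.crt is not something the viewer enforces, and the certificate's validity decodes to 2008-09-12 through 2018-08-11, so the trust does not lapse on its own. The README should state plainly that CA2.pem is to be appended only on test installs and removed afterwards, and that a production region needs a certificate from a CA whose key is not published.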

share/junkCA/CA.srl Normal file

@ -0,0 +1 @@
F10DF59AD0EE66E0

share/junkCA/CA2.pem Normal file

@ -0,0 +1,30 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,82 @@
To generate a cert request and sign it with the JunkCA
REMEMBER TO APPEND THE CA2.pem file to the bottom of the app_settings/CA.pem in the Linden client folders or you won't be able to connect!
Generate a Host Key:
openssl genrsa -out host.key 2048
Generate a Certificate signing request with *OpenSSL*:
openssl req -new -nodes -key host.key -out host.csr
When prompted for: 'Common Name (eg, YOUR name) []:', please type the domain name that this certificate will be used on.
Or you could;
Generate a Certificate request with the *IIS Snapin*:
Go to Control Panel ---> Administrative tools ---> Internet Information Services
Pick a web site on your server.
right click, choose properties from the context menu
Go to the Directory Security tab
Click On the 'Server Certificate...' button
Click 'Prepare the request now, but send it later' and then follow the wizard.
Be sure to type the common name as the domain name that you will be servicing. www.osgrid.org or whatever server will be using this cert
Sign the certificate request with the junkCA;
openssl x509 -req -days 3620 -CA CA.crt -CAkey CA.key -CAcreateserial -in host.csr -out signed.cer
Import it into your MY store on windows.
If you used OpenSSL to generate the certificate;
openssl pkcs12 -export -in server.crt -inkey server.key.unsecure -out server.pfx -name "My Lovely Cert"
server.crt is the signed cert from the CA.
server.key.unsecure is the *unencrypted* private key.
You will be asked for a password, set this if you want.
In Windows, fire up "mmc", add the certificates Snap-in, set it to manage the local computer. Go to personal certificates folder, import server.pfx, enter password if you gave it one earlier.
In IIS, get it to let you choose from currently installed certs. You should now be able to choose the one you just installed.
If you used the IIS Snap-in,
Go to Control Panel ---> Administrative tools ---> Internet Information Services
Pick a web site on your server.
right click, choose properties from the context menu
Go to the Directory Security tab
Click On the 'Server Certificate...' button
Choose the radio button that says, 'Assign an existing certificate'
Mono, you must use httpcfg in the Mono-1.9.1/lib/mono/2.0 folder.
httpcfg -add -port <TYPE HTTPS PORT> -pvk <TYPE PRIVATE KEY FILE> -cert MyCert
After that, make sure to set-up your opensim.ini!
OpenSSL can be found:
http://www.slproweb.com/products/Win32OpenSSL.html
httpcfg.exe for windowsXP can be found:
http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en
Windows Vista users need to use netsh http!
---------------------------------------------------
Additional notes
To create your own CA
openssl genrsa -out yourCA.key 2048
openssl req -new -key yourCA.key -x509 -days 3620 -out yourCA.crt
and the final step.. (AND THIS IS IMPORTANT)
openssl x509 -in CA.crt -out yourCA.pem -outform PEM
The last step will produce a certificate in the PEM format that you can append to the Linden client's app_settings/CA.pem file
so that it can validate certificates that are generated from your CA.
One last important thing!
All users that connect with linden clients
using SSL NEED the pem file you created in that last step appended to theirs, or their client will give them a weird error about
their clock being wrong!


@ -0,0 +1 @@
This Folder contains Junk CA files and directions for signing with it. Comply with Export laws!