[Opensim-dev] Question about https login authentication

AJLDuarte ajlduarte at sapo.pt
Fri Jun 22 13:02:37 UTC 2018


Hi,
	Opensim git branch httptests does have a somewhat improved https support.
	It's possible to run a region with SSL, but at the moment that most likely will collide with money modules or lsl secureURL.
	A few services will only have unsecure connection also.
	Robust still does not have https support.
	"work in progress" and with very low priority at the moment :(

	httptests can be retrieved from our git repo.
	git clone git://opensimulator.org/git/Opensim
	cd Opensim
	git checkout httptests
	...

	You can also see it at http://opensimulator.org/viewgit/?a=shortlog&p=opensim&h=refs/heads/httptests
	Note that it requires .net4.6 and, on linux, the latest stable mono.

	Most new dev work is currently done on this branch, because "reasons"

	Collaboration with viewer dev teams is always welcome, in fact much needed.
	Not happening that much, well "reasons"...

Ubit

 


-----Original Message-----
From: opensim-dev-bounces at opensimulator.org [mailto:opensim-dev-bounces at opensimulator.org] On Behalf Of Cinder Roxley
Sent: Friday, June 22, 2018 13:26
To: opensim-dev at opensimulator.org
Subject: Re: [Opensim-dev] Question about https login authentication

Have you tried logging in with a client besides Firestorm? Singularity or
Alchemy, for example. The hop:// URI scheme Firestorm relies on does not
support TLS connections.

As far as sending the password as plaintext, you would need to modify the
viewer as it sends the password as an MD5 hash.

Negotiating the password hashing mechanism between viewer and login service
would be an interesting project to work on if anyone is interested in
working on it with me. Storing passwords as MD5 is woefully insecure in
this day and age. (Is using MD5 for sensitive data even PCI compliant?)

On June 22, 2018 at 6:48:47 AM, Sebastián Castillo Carrión (
scastillop at gmail.com) wrote:

Hello everyone !

I'm Sebastian, and I work at the University of Malaga (Spain), and among
other things I develop code for opensim.

At the University we use a single user account to give access to all the
University services via ldap, so we need to integrate ldap in the
authentication process of opensim.

We more or less know how to do the ldap authentication, but we need to
establish a secure https connection between the client and the server for
the login process, instead of http, since ldap calls require passing the
password without applying md5.

I have seen that there is a multitude of options ssl and https in the
configuration of opensim, but I get the impression that they are not
designed for the login process, only for "out of band" applications: I have
tried these options without success in the login; I think the reason is not
an incorrect configuration, because when I load in a web browser
https://ip:8003 (https_main = true) or https://ip:9080 (https_listener = true),
the browser asks me to accept the certificate. However, I cannot log in
from the Firestorm client; it is as if the server did not exist, and it seems
the client request gets lost.

I have run the server in debug mode from visual studio to see what code is
running in those cases. Executing the server in debug mode from Visual
Studio, I see that the listener server on port 8003 is created correctly,
with the certificate, password and ssl mode passed as parameters, and in case
of defining another listening port using the https_listener options = true,
http_port = ..., the service is also created correctly; however, the logins
from Firestorm seem not to reach opensim, since I have defined breakpoints
in the code that would be activated when the server receives a call, and
doing tests I see that they are only activated when the calls are made from
a web browser, but not from the Firestorm client.

Another attempt I have made is to modify the code so that the listening
service is created on port 8002 with https (in the original code, no matter
what settings are assigned to the https variables in the configuration files,
it seems the listener service on port 8002 is always http); as in the previous
case, the https request to port 8002 does arrive when it is made from a web
browser, but not from the Firestorm client.

My impressions are that https is supported only for communications of
internal services of the server, and additional listener ports for "out of
the bands" applications, but not for the login authentication, where only
http is supported.

Do you know if it is necessary to modify the Opensim code to add login
support by https?

Do you know if it is necessary to modify the firestorm code to add login
support by https?


_______________________________________________
Opensim-dev mailing list
Opensim-dev at opensimulator.org
http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev