[Opensim-dev] Question about https login authentication

Sebastián Castillo Carrión scastillop at gmail.com
Thu Jun 28 14:44:36 UTC 2018


 Thank you, I have tested Singularity and Alchemy, and both of them work.
 
 Because I am using a self-signed certificate made by me for testing purposes, I have made changes in the file settings.xml to avoid verifying SSL certificates; otherwise, login would fail, raising the error "peer certificate cannot be authenticated with given ca certificates":
 
 C:\Program Files\[Singularity or Alchemy]\app_settings\settings.xml
 ______________________________
 ...
     <key>NoVerifySSLCert</key>
     <map>
       <key>Comment</key>
       <string>Do not verify SSL certificates. WARNING: Setting this to TRUE allows anyone to impersonate the server and intercept your data (man in the middle attack).</string>
       <key>Persist</key>
       <integer>1</integer>
       <key>Type</key>
       <string>Boolean</string>
       <key>Value</key>
       <integer>1</integer> <!-- Changed from value 0 to value 1 -->
     </map>
 ...
 ______________________________
 
 After making this modification, it seems that login authentication is successful.
 
 
 
> On Fri, 22 Jun 2018 08:26:29 -0400
> Cinder Roxley <cinder at alchemyviewer.org> wrote:
> 
> > Have you tried logging in with a client besides Firestorm? Singularity or
> > Alchemy, for example. The hop:// URI scheme Firestorm relies on does not
> > support TLS connections.
> > 
> > As far as sending the password as plaintext, you would need to modify the
> > viewer as it sends the password as an MD5 hash.
> > 
> > Negotiating the password hashing mechanism between viewer and login service
> > would be an interesting project to work on if anyone is interested in
> > working on it with me. Storing passwords as MD5 is woefully insecure in
> > this day and age. (Is using MD5 for sensitive data even PCI compliant?)
> > 
> > On June 22, 2018 at 6:48:47 AM, Sebastián Castillo Carrión (
> > scastillop at gmail.com) wrote:
> > 
> > Hello everyone !
> > 
> > I'm Sebastian, and I work at the University of Malaga (Spain), and among
> > other things I develop code for opensim.
> > 
> > At the University we use a single user account to give access to all the
> > University services via ldap, so we need to integrate ldap in the
> > authentication process of opensim.
> > 
> > The ldap authentication more or less we know how to do it, but we need to
> > establish a secure https connection between the client and the server for
> > the login process, instead of http, since ldap calls require passing the
> > password without applying md5.
> > 
> > I have seen that there is a multitude of options ssl and https in the
> > configuration of opensim, but I get the impression that they are not
> > designed for the login process, only for "out of band" applications: I have
> > tried these options without success in the login; I think the reason is not
> > an incorrect configuration, because when I load in a web browser
> > https://ip:8003 (https_main = true) or https://ip:9080 (https_listener = true),
> > the browser asks me to accept the certificate. However, I cannot log in
> > from the firestorm client, it is as if the server did not exist, it seems the
> > client request gets lost.
> > 
> > I have run the server in debug mode from visual studio to see what code is
> > running in those cases. Executing the server in debug mode from Visual
> > Studio, I see that the listener server on port 8003 is created correctly,
> > and pass the certificate, password and ssl mode as parameter, and in case
> > of defining another listening port using the https_listener options = true,
> > http_port = ..., the service is also created correctly; however, the logins
> > from firestorm seem to not reach opensim, since I have defined breakpoints
> > of the code that would be activated when the server receives a call, and
> > doing tests I see that they are only activated when the calls are made from
> > a web browser, but not from the firestorm client.
> > 
> > Another attempt I have made is to modify the code so that the listening
> > service is created on port 8002 with https (in the original code no matter
> > what settings are assigned to https variables in configuration files, seems
> > listener service in port 8002 is always http); as in the previous case, the
> > https request to port 8002 does arrive when it is done from a web browser,
> > but not from the firestorm client.
> > 
> > My impressions are that https is supported only for communications of
> > internal services of the server, and additional listener ports for "out of
> > the bands" applications, but not for the login authentication, where only
> > http is supported.
> > 
> > Do you know if it is necessary to modify the Opensim code to add login
> > support by https?
> > 
> > Do you know if it is necessary to modify the firestorm code to add login
> > support by https?
> > 
> > 
> > _______________________________________________
> > Opensim-dev mailing list
> > Opensim-dev at opensimulator.org
> > http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
> > _______________________________________________
> 
> 
> _______________________________________________
> Sebastián Castillo Carrión
> Enseñanza Virtual y Laboratorios Tecnológicos
> Técnico Especialista de Aula de Informática
> Facultad de Derecho
> Universidad de Málaga
> Campus de Teatinos
> 29071 Málaga
> aulasderecho at evlt.uma.es
> Tlf.: +34 952132119
> _______________________________________________




