[Opensim-dev] Question about https login authentication

Sebastián Castillo Carrión scastillop at gmail.com
Thu Jun 28 14:52:44 UTC 2018


Thank you for your response,
  
  Currently, I am interested only in a secure connection for the login authentication, so in my case https is needed in Robust, and not in regions or other services.
  
  I have to do more tests, but it seems that only minor changes are needed in the function "public static IHttpServer GetHttpServer(uint port, IPAddress ipaddr)" of the file "MainServer.cs" (the modifications with respect to the original source are inside the "scc" block):
  _________________________________________
   /// <summary>
          /// Get the default http server, an http server for a specific port
          /// and/or an http server bound to a specific address
          /// </summary>
          /// <remarks>
          /// If the requested HTTP server doesn't already exist then a new one is instantiated and started.
          /// </remarks>
          /// <returns></returns>
          /// <param name='port'>If 0 then the default HTTP server is returned.</param>
          /// <param name='ipaddr'>A specific IP address to bind to.  If null then the default IP address is used.</param>
          public static IHttpServer GetHttpServer(uint port, IPAddress ipaddr)
          {
              if (port == 0)
                  return Instance;
              
              if (instance != null && port == Instance.Port)
                  return Instance;
  
              lock (m_Servers)
              {
                  if (m_Servers.ContainsKey(port))
                      return m_Servers[port];
  
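                  ////////////////// scc
                  //IConfigSource defaultConfig = new IniConfigSource();
                  //IConfig networkConfig = defaultConfig.Configs["Network"];

                  // networkConfig must refer to the [Network] section of the
                  // already-loaded configuration; it is not declared in this snippet.
                  // ssl_main is a flag, so it is read as a boolean (default: false).
                  bool   ssl_main  = networkConfig.GetBoolean("ssl_main", false);
                  string cert_path = networkConfig.GetString("cert_path", String.Empty);
                  string cert_pass = networkConfig.GetString("cert_pass", String.Empty);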
  
                  if (!ssl_main)
                      m_Servers[port] = new BaseHttpServer(port);
                  else
                  {                   
                      if (cert_path == String.Empty)
                      {
                          System.Console.WriteLine("ERROR: Path to X509 certificate is missing, server can't start.");
                          Environment.Exit(1);
                      }
  
                      if (cert_pass == String.Empty)
                      {
                          System.Console.WriteLine("ERROR: Password for X509 certificate is missing, server can't start.");
                          Environment.Exit(1);
                      }
  
                      m_Servers[port] = new BaseHttpServer(port, ssl_main, cert_path, cert_pass);
                  }
                  ////////////////// scc
  
                  if (ipaddr != null)
                      m_Servers[port].ListenIPAddress = ipaddr;
  
                  m_Servers[port].Start();
  
                  return m_Servers[port];
              }
          }
  __________________
  
 Regards,
 Sebastian.
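
An added example, not part of the original message or of OpenSim's code: a stand-alone check that the file referenced by cert_path opens with cert_pass, contains a private key and is inside its validity period, which goes further than the empty-string tests in the snippet above. The class name TlsCertCheck and the CERT_PASS environment variable are assumptions made for this example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper, not part of OpenSim: checks the file that cert_path
// and cert_pass point to before a TLS listener is started with it.
public static class TlsCertCheck
{
    // Returns null when the certificate is usable, otherwise the reason it is not.
    public static string Validate(string certPath, string certPass, DateTime nowUtc)
    {
        if (string.IsNullOrEmpty(certPath))
            return "cert_path is empty";
        if (!File.Exists(certPath))
            return "certificate file not found: " + certPath;

        X509Certificate2 cert;
        try
        {
            cert = new X509Certificate2(certPath, certPass);
        }
        catch (CryptographicException e)
        {
            // Wrong password or unreadable file; the password is never echoed.
            return "cannot open certificate: " + e.Message;
        }

        if (!cert.HasPrivateKey)
            return "no private key in file, a server cannot use it for TLS";
        if (nowUtc < cert.NotBefore.ToUniversalTime())
            return "certificate is not yet valid";
        if (nowUtc > cert.NotAfter.ToUniversalTime())
            return "certificate has expired";
        return null;
    }

    public static int Main(string[] args)
    {
        // Assumption: path as first argument, password in the CERT_PASS
        // environment variable so it does not appear in the process list.
        string path = args.Length > 0 ? args[0] : String.Empty;
        string pass = Environment.GetEnvironmentVariable("CERT_PASS") ?? String.Empty;
        string problem = Validate(path, pass, DateTime.UtcNow);
        Console.WriteLine(problem ?? "certificate OK");
        return problem == null ? 0 : 1;
    }
}
```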


On Fri, 22 Jun 2018 14:02:37 +0100
"AJLDuarte" <ajlduarte at sapo.pt> wrote:

> Hi,
> 	Opensim git branch httptests does have a somewhat improved https support.
> 	It's possible to run a region with SSL, but at the moment that most likely will collide with money modules or lsl secureURL
> 	A few services will only have unsecure connection also.
> 	Robust still does not have https support.
> 	"work in progress" and with very low priority at the moment :(
> 
> 	httptests can be retrieved from our git repo.
> 	git clone git://opensimulator.org/git/Opensim
> 	cd Opensim
> 	git checkout httptests
> 	...
> 
> 	You can also see it at http://opensimulator.org/viewgit/?a=shortlog&p=opensim&h=refs/heads/httptests
> 	Note that it requires .net4.6 and on linux latest stable mono.
> 
> 	Most new dev work is currently done on this branch, because "reasons"
> 
> 	Collaboration with viewer dev teams is always welcome, in fact much needed.
> 	Not happening that much, well "reasons"...
> 
> Ubit
> 
>  
> 
> 
> -----Original Message-----
> From: opensim-dev-bounces at opensimulator.org [mailto:opensim-dev-bounces at opensimulator.org] On Behalf Of Cinder Roxley
> Sent: Friday, June 22, 2018 13:26
> To: opensim-dev at opensimulator.org
> Subject: Re: [Opensim-dev] Question about https login authentication
> 
> Have you tried logging in with a client besides Firestorm? Singularity or
> Alchemy, for example. The hop:// URI scheme Firestorm relies on does not
> support TLS connections.
> 
> As far as sending the password as plaintext, you would need to modify the
> viewer as it sends the password as an MD5 hash.
> 
> Negotiating the password hashing mechanism between viewer and login service
> would be an interesting project to work on if anyone is interested in
> working on it with me. Storing passwords as MD5 is woefully insecure in
> this day and age. (Is using MD5 for sensitive data even PCI compliant?)
> 
> On June 22, 2018 at 6:48:47 AM, Sebastián Castillo Carrión (
> scastillop at gmail.com) wrote:
> 
> Hello everyone !
> 
> I'm Sebastian, and I work at the University of Malaga (Spain), and among
> other things I develop code for opensim.
> 
> At the University we use a single user account to give access to all the
> University services via ldap, so we need to integrate ldap in the
> authentication process of opensim.
> 
> The ldap authentication more or less we know how to do it, but we need to
> establish a secure https connection between the client and the server for
> the login process, instead of http, since ldap calls require passing the
> password without applying md5.
> 
> I have seen that there is a multitude of options ssl and https in the
> configuration of opensim, but I get the impression that they are not
> designed for the login process, only for "out of band" applications: I have
> tried these options without success in the login; I think the reason is not
> an incorrect configuration, because when I load in a web browser
> https://ip:8003 (https_main = true) or https://ip:9080 (https_listener = true),
> the browser asks me to accept the certificate. However, I cannot log in
> from the firestorm client, it is as if the server did not exist, seems the
> client request get lost.
> 
> I have run the server in debug mode from visual studio to see what code is
> running in those cases. Executing the server in debug mode from Visual
> Studio, I see that the listener server on port 8003 is created correctly,
> and pass the certificate, password and ssl mode as parameter, and in case
> of defining another listening port using the https_listener options = true,
> http_port = ..., the service is also created correctly; however, the logins
> from firestorm seem to not reach opensim, since I have defined breakpoints
> of the code that would be activated when the server receives a call, and
> doing tests I see that they are only activated when the calls are made from
> a web browser, but not from the firestorm client.
> 
> Another attempt I have made is to modify the code so that the listening
> service is created on port 8002 with https (in the original code no matter
> what settings are assigned to https variables in configuration files, seems
> listener service in port 8002 is always http); as in the previous case, the
> https request to port 8002 does arrive when it is done from a web browser,
> but not from the firestorm client.
> 
> My impressions are that https is supported only for communications of
> internal services of the server, and additional listener ports for "out of
> the bands" applications, but not for the login authentication, where only
> http is supported.
> 
> Do you know if it is necessary to modify the Opensim code to add login
> support by https?
> 
> Do you know if it is necessary to modify the firestorm code to add login
> support by https?
> 
> 
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev at opensimulator.org
> http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev




