[Opensim-dev] Question about https login authentication

Sebastián Castillo Carrión scastillop at gmail.com
Thu Jun 28 16:43:19 UTC 2018


Ok, thank you.

On Thu, 28 Jun 2018 16:26:32 +0100
"AJLDuarte" <ajlduarte at sapo.pt> wrote:

> Hi
> 	Yes that may work for you now.
> 	But core solution will need to be "a bit" more complex to support
> more flexible configuration and per service.
> 
> Ubit
> 
> 
> 
> -----Original Message-----
> From: Sebastián Castillo Carrión [mailto:scastillop at gmail.com] 
> Sent: Thursday, June 28, 2018 15:53
> To: opensim-dev at opensimulator.org
> Cc: AJLDuarte; Juan Jesus Farfan Leiva
> Subject: Re: [Opensim-dev] Question about https login authentication
> 
> Thank you for your response,
>   
>   Currently, I am interested only in secure connection in the login
> authentication, so https is needed in robust, in my case, and not in
> regions, nor other services.
>   
>   I have to do more tests, but it seems that only minor changes are needed
> in the function "public static IHttpServer GetHttpServer(uint port, IPAddress
> ipaddr)" of the file "MainServer.cs" (modifications with respect to the
> original source are inside the "scc" block):
>   _________________________________________
>           /// <summary>
>           /// Get the default http server, an http server for a specific port
>           /// and/or an http server bound to a specific address
>           /// </summary>
>           /// <remarks>
>           /// If the requested HTTP server doesn't already exist then a new one is instantiated and started.
>           /// </remarks>
>           /// <returns></returns>
>           /// <param name='port'>If 0 then the default HTTP server is returned.</param>
>           /// <param name='ipaddr'>A specific IP address to bind to.  If null then the default IP address is used.</param>
>           public static IHttpServer GetHttpServer(uint port, IPAddress ipaddr)
>           {
>               if (port == 0)
>                   return Instance;
>
>               if (instance != null && port == Instance.Port)
>                   return Instance;
>
>               lock (m_Servers)
>               {
>                   if (m_Servers.ContainsKey(port))
>                       return m_Servers[port];
>
>                   ////////////////// scc
>                   // networkConfig is assumed to be the [Network] config section, obtained elsewhere
>                   //IConfigSource defaultConfig = new IniConfigSource();
>                   //IConfig networkConfig = defaultConfig.Configs["Network"];
>
>                   // ssl_main is a boolean switch, so it is read with GetBoolean
>                   bool   ssl_main  = networkConfig.GetBoolean("ssl_main", false);
>                   string cert_path = networkConfig.GetString("cert_path", String.Empty);
>                   string cert_pass = networkConfig.GetString("cert_pass", String.Empty);
>
>                   if (!ssl_main)
>                       m_Servers[port] = new BaseHttpServer(port);
>                   else
>                   {
>                       // Refuse to start rather than fall back to plain http
>                       if (cert_path == String.Empty)
>                       {
>                           System.Console.WriteLine("ERROR: Path to X509 certificate is missing, server can't start.");
>                           Environment.Exit(1);
>                       }
>
>                       if (cert_pass == String.Empty)
>                       {
>                           System.Console.WriteLine("ERROR: Password for X509 certificate is missing, server can't start.");
>                           Environment.Exit(1);
>                       }
>
>                       m_Servers[port] = new BaseHttpServer(port, ssl_main, cert_path, cert_pass);
>                   }
>                   ////////////////// scc
>
>                   if (ipaddr != null)
>                       m_Servers[port].ListenIPAddress = ipaddr;
>
>                   m_Servers[port].Start();
>
>                   return m_Servers[port];
>               }
>           }
>   __________________
>   
>  Regards,
>  Sebastian.
> 
> 
> On Fri, 22 Jun 2018 14:02:37 +0100
> "AJLDuarte" <ajlduarte at sapo.pt> wrote:
> 
> > Hi,
> > 	Opensim git branch httptests does have a somewhat improved https support.
> > 	It's possible to run a region with SSL, but at the moment that most
> > 	likely will collide with money modules or lsl secureURL
> > 	A few services will only have unsecure connection also.
> > 	Robust still does not have https support.
> > 	"work in progress" and with very low priority at the moment :(
> > 
> > 	httptests can be retrieved for our git repo.
> > 	git clone git://opensimulator.org/git/Opensim
> > 	cd Opensim
> > 	git checkout httptests
> > 	...
> > 
> > 	You can also see it at
> > 	http://opensimulator.org/viewgit/?a=shortlog&p=opensim&h=refs/heads/httptests
> > 	Note that it requires .net4.6 and on linux latest stable mono.
> > 
> > 	Most new dev work is currently done on this branch, because "reasons"
> > 
> > 	Collaboration with viewer dev teams is always welcome, in fact much needed.
> > 	Not happening that much, well "reasons"...
> > 
> > Ubit
> > 
> >  
> > 
> > 
> > -----Original Message-----
> > From: opensim-dev-bounces at opensimulator.org [mailto:opensim-dev-bounces at opensimulator.org] On Behalf Of Cinder Roxley
> > Sent: Friday, June 22, 2018 13:26
> > To: opensim-dev at opensimulator.org
> > Subject: Re: [Opensim-dev] Question about https login authentication
> > 
> > Have you tried logging in with a client besides Firestorm? Singularity or
> > Alchemy, for example. The hop:// URI scheme Firestorm relies on does not
> > support TLS connections.
> > 
> > As far as sending the password as plaintext, you would need to modify the
> > viewer as it sends the password as an MD5 hash.
> > 
> > Negotiating the password hashing mechanism between viewer and login service
> > would be an interesting project to work on if anyone is interested in
> > working on it with me. Storing passwords as MD5 is woefully insecure in
> > this day and age. (Is using MD5 for sensitive data even PCI compliant?)
> > 
> > On June 22, 2018 at 6:48:47 AM, Sebastián Castillo Carrión (
> > scastillop at gmail.com) wrote:
> > 
> > Hello everyone !
> > 
> > I'm Sebastian, and I work at the University of Malaga (Spain), and among
> > other things I develop code for opensim.
> > 
> > At the University we use a single user account to give access to all the
> > University services via ldap, so we need to integrate ldap in the
> > authentication process of opensim.
> > 
> > The ldap authentication more or less we know how to do it, but we need to
> > establish a secure https connection between the client and the server for
> > the login process, instead of http, since ldap calls require passing the
> > password without applying md5.
> > 
> > I have seen that there is a multitude of options ssl and https in the
> > configuration of opensim, but I get the impression that they are not
> > designed for the login process, only for "out of band" applications: I have
> > tried these options without success in the login; I think the reason is not
> > an incorrect configuration, because when I load in a web browser
> > https://ip:8003 (https_main = true) or https://ip:9080 (https_listener =
> > true), the browser asks me to accept the certificate. However, I can not log
> > in from the firestorm client, it is as if the server did not exist, seems the
> > client request gets lost.
> > 
> > I have run the server in debug mode from visual studio to see what code is
> > running in those cases. Executing the server in debug mode from Visual
> > Studio, I see that the listener server on port 8003 is created correctly,
> > and pass the certificate, password and ssl mode as parameter, and in case
> > of defining another listening port using the https_listener options = true,
> > http_port = ..., the service is also created correctly; however, the logins
> > from firestorm seem to not reach opensim, since I have defined breakpoints
> > of the code that would be activated when the server receives a call, and
> > doing tests I see that they are only activated when the calls are made from
> > a web browser, but not from the firestorm client.
> > 
> > Another attempt I have made is to modify the code so that the listening
> > service is created on port 8002 with https (in the original code no matter
> > what settings are assigned to https variables in configuration files, seems
> > listener service in port 8002 is always http); as in the previous case, the
> > https request to port 8002 does arrive when it is done from a web browser,
> > but not from the firestorm client.
> > 
> > My impressions are that https is supported only for communications of
> > internal services of the server, and additional listener ports for "out of
> > the bands" applications, but not for the login authentication, where only
> > http is supported.
> > 
> > Do you know if it is necessary to modify the Opensim code to add login
> > support by https?
> > 
> > Do you know if it is necessary to modify the firestorm code to add login
> > support by https?
> > 
> > 
> > _______________________________________________
> > Opensim-dev mailing list
> > Opensim-dev at opensimulator.org
> > http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
> 
> 
> 
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev at opensimulator.org
> http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
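
An added example, not code from this thread or from OpenSim: the modification quoted above exits when cert_path or cert_pass is empty, and this sketch goes one step further in the same fail-closed direction by checking that the PFX opens with the password, carries a private key and is inside its validity period before a login listener would be started. `LoginTlsCheck`, `Validate` and `MakeSamplePfx` are hypothetical names, and the certificate is a throwaway self-signed sample generated inside the block (it assumes a runtime that provides `CertificateRequest`).

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class LoginTlsCheck
{
    // Hypothetical helper: returns null when the PFX is usable for a TLS
    // listener, otherwise the reason the server should refuse to start.
    public static string Validate(byte[] pfx, string pass, DateTime now)
    {
        if (string.IsNullOrEmpty(pass))
            return "cert_pass is empty";
        X509Certificate2 cert;
        try { cert = new X509Certificate2(pfx, pass); }   // wrong password throws
        catch (CryptographicException e) { return "cannot open PFX: " + e.Message; }
        using (cert)
        {
            if (!cert.HasPrivateKey)                       // a bare public cert cannot serve TLS
                return "PFX has no private key";
            if (now < cert.NotBefore || now > cert.NotAfter)
                return "certificate not valid at " + now.ToString("u");
            return null;
        }
    }

    // Constructed sample input: a throwaway self-signed certificate exported
    // as a password-protected PFX, so the example runs offline.
    static byte[] MakeSamplePfx(string pass)
    {
        using (RSA key = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=login.example.invalid", key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                                   DateTimeOffset.UtcNow.AddDays(30)))
                return cert.Export(X509ContentType.Pfx, pass);
        }
    }

    static void Main()
    {
        byte[] pfx = MakeSamplePfx("sample-pass");
        DateTime now = DateTime.Now;   // NotBefore/NotAfter are local time
        Console.WriteLine(Validate(pfx, "sample-pass", now) ?? "ok");
        Console.WriteLine(Validate(pfx, "wrong-pass", now));
        Console.WriteLine(Validate(pfx, "sample-pass", now.AddDays(60)));
        Console.WriteLine(Validate(pfx, "", now));
    }
}
```

Only the first call passes; the other three return a reason string, which is the point at which a server in the spirit of the quoted modification would log the error and exit instead of listening without TLS.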




