Open Grid Public Beta/HTTPS Support

From Second Life Wiki

Over the weekend (and a portion of last week) I implemented SSL support in the region http server in OpenSimulator in response to some of the things we've been discussing. Most notably, the CAPS for OGP are meant to be sent/invoked over SSL.

I've also included a junk CA, a PEM file that corresponds with that junk CA, and directions in the /share/junkCA SVN folder.

Enabling SSL still isn't 'easy', but it's far easier than it was previously.

One thing to note, however, is that since we don't know which certificate authorities the client trusts, and therefore can't get a certificate signing request signed by one, you must append the CA2.pem file to the client's list of approved certification authorities before you can test a region with SSL using the junk CA. That list is the file CA.pem in the client's /app_settings/ folder.

Please *APPEND* the CA2.pem file to /app_settings/CA.pem (add it to the end) to test https OGP regions. If you do not, the client will quietly refuse to connect to your SSL regions: seed caps requests will fail and you'll see the following message on the debug console: routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.

Do not erase what is already in there! It contains the list of Linden-approved certification authorities (we don't know which ones are in it, but if you remove them you won't be able to connect to the Linden grid).

This is only a temporary measure to test SSL. Infinity is working on a complete solution.

This will allow the client to verify the certificate. Be aware, however, that this is a junk CA and should not be trusted for anything but testing: its private key is freely available, so certificates signed by it can be forged easily. Once the complete solution above is done, be sure to remove the CA2.pem cert from your /app_settings/CA.pem, since it isn't trusted (it will be the last -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- section).
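As an added example (not the page's own or OpenSimulator's code), the following POSIX shell helpers carry out the CA.pem edit described above: append CA2.pem to the bundle exactly once with a backup, check that a region certificate verifies against the bundle with openssl, and later strip the last certificate section again. The file paths are passed in as arguments and are assumed, not taken from the page.

```shell
#!/bin/sh
# Added example, not part of the original page or of OpenSimulator itself.
# Helpers for the CA.pem edit: append the junk CA2.pem once, verify a region
# certificate against the bundle, and remove the junk cert again afterwards.
# File paths are passed as arguments (assumed layout, not from the page).

# Number of PEM certificate blocks in a bundle.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Append the junk CA to the client bundle, keeping a backup and refusing to
# add it twice (the tail of the bundle is compared against the junk file).
append_junk_ca() {
  bundle="$1"; junk="$2"
  size=$(( $(wc -c < "$junk") ))
  if tail -c "$size" "$bundle" | cmp -s - "$junk"; then
    return 0   # already appended, nothing to do
  fi
  cp "$bundle" "$bundle.bak"
  # Make sure the existing Linden CAs end with a newline before appending.
  [ -z "$(tail -c 1 "$bundle")" ] || echo >> "$bundle"
  cat "$junk" >> "$bundle"
}

# Check that a region certificate chains to the bundle, i.e. the check the
# client performs before the seed-cap request succeeds (needs openssl).
verify_region_cert() {
  openssl verify -CAfile "$1" "$2" > /dev/null 2>&1
}

# Remove the last BEGIN/END CERTIFICATE section, which is where the junk CA
# sits after append_junk_ca, once the junk CA is no longer needed.
remove_last_cert() {
  bundle="$1"
  start=$(grep -n -- '-----BEGIN CERTIFICATE-----' "$bundle" | tail -n 1 | cut -d: -f1)
  [ -n "$start" ] || return 1
  awk -v s="$start" '
    NR < s { print; next }
    !done { if ($0 ~ /-----END CERTIFICATE-----/) done = 1; next }
    { print }
  ' "$bundle" > "$bundle.tmp" && mv "$bundle.tmp" "$bundle"
}
```

Usage: `append_junk_ca /path/to/app_settings/CA.pem /path/to/share/junkCA/CA2.pem`, then `verify_region_cert CA.pem region.crt` to confirm the region cert is accepted before starting the client.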

Remember to read the [Network] section of the opensim.ini.example for information on how to set up the following values:

http_listener_ssl = false ; Also create a SSL server
http_listener_cn = "localhost" ; Use the cert with the common name
http_listener_sslport = 9001 ; Use this port for SSL connections
http_listener_ssl_cert = "" ; Currently unused, but will be used for OSHttpServer

Also read the directions in svn/share/junkCA/Certificate commands OpenSSL.txt. That file explains how to use OpenSSL to generate a certificate signing request, sign it with the junk CA, and install the result for OpenSimulator to use.

Happy testing. You may direct specific setup questions to me or the OpenSim-dev e-mail list: https://lists.berlios.de/mailman/listinfo/opensim-dev or the #opensim IRC channel on irc.freenode.net.

Best Regards

Teravus Ousley