You can also change that with the respective viewer debug setting without editing the xml. You also need that to test regions https with similar cert.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Sebastián Castillo Carrión
Sent: Thursday, June 28, 2018 15:54
To: [email protected]
Cc: Cinder Roxley; Juan Jesus Farfan Leiva
Subject: Re: [Opensim-dev] Question about https login authentication

Thank you, I have tested Singularity and Alchemy, and both of them work.

Because I am using a self-signed certificate made by me for testing purposes, I have made changes in the file settings.xml to avoid verifying SSL certificates, on the contrary, login would fail raising the error "peer certificate cannot be authenticated with given ca certificates":

C:\Program Files\[Singularity or Alchemy]\app_settings\settings.xml
______________________________
...
<key>NoVerifySSLCert</key>
<map>
    <key>Comment</key>
    <string>Do not verify SSL certificates. WARNING: Setting this to TRUE allows anyone to impersonate the server and intercept your data (man in the middle attack).</string>
    <key>Persist</key>
    <integer>1</integer>
    <key>Type</key>
    <string>Boolean</string>
    <key>Value</key>
    <integer>1</integer>   <=== Changed from value 0 to value 1
</map>
...
______________________________

After making this modification, it seems that login authentication is successful.

On Fri, 22 Jun 2018 08:26:29 -0400 Cinder Roxley <[email protected]> wrote:
> Have you tried logging in with a client besides Firestorm? Singularity or
> Alchemy, for example. The hop:// URI scheme Firestorm relies on does not
> support TLS connections.
>
> As far as sending the password as plaintext, you would need to modify the
> viewer as it sends the password as an MD5 hash.
>
> Negotiating the password hashing mechanism between viewer and login service
> would be an interesting project to work on if anyone is interested in
> working on it with me. Storing passwords as MD5 is woefully insecure in
> this day and age. (Is using MD5 for sensitive data even PCI compliant?)
>
> On June 22, 2018 at 6:48:47 AM, Sebastián Castillo Carrión ([email protected]) wrote:
>
> Hello everyone!
>
> I'm Sebastian, and I work at the University of Malaga (Spain), and among
> other things I develop code for opensim.
>
> At the University we use a single user account to give access to all the
> University services via ldap, so we need to integrate ldap in the
> authentication process of opensim.
>
> The ldap authentication more or less we know how to do it, but we need to
> establish a secure https connection between the client and the server for
> the login process, instead of http, since ldap calls require passing the
> password without applying md5.
>
> I have seen that there is a multitude of options ssl and https in the
> configuration of opensim, but I get the impression that they are not
> designed for the login process, only for "out of band" applications: I have
> tried these options without success in the login; I think the reason is not
> an incorrect configuration, because when I load in a web browser
> https://ip:8003 (https_main = true) or https://ip:9080 (https_listener = true),
> the browser asks me to accept the certificate. However, I can not log in
> from the firestorm client, it is as if the server did not exist, seems the
> client request gets lost.
>
> I have run the server in debug mode from visual studio to see what code is
> running in those cases.
> Executing the server in debug mode from Visual
> Studio, I see that the listener server on port 8003 is created correctly,
> and pass the certificate, password and ssl mode as parameter, and in case
> of defining another listening port using the https_listener options = true,
> http_port = ..., the service is also created correctly; however, the logins
> from firestorm seem to not reach opensim, since I have defined breakpoints
> of the code that would be activated when the server receives a call, and
> doing tests I see that they are only activated when the calls are made from
> a web browser, but not from the firestorm client.
>
> Another attempt I have made is to modify the code so that the listening
> service is created on port 8002 with https (in the original code no matter
> what settings are assigned to https variables in configuration files, seems
> listener service in port 8002 is always http); as in the previous case, the
> https request to port 8002 does arrive when it is done from a web browser,
> but not from the firestorm client.
>
> My impressions are that https is supported only for communications of
> internal services of the server, and additional listener ports for "out of
> the bands" applications, but not for the login authentication, where only
> http is supported.
>
> Do you know if it is necessary to modify the Opensim code to add login
> support by https?
>
> Do you know if it is necessary to modify the firestorm code to add login
> support by https?
>
> _______________________________________________
> Opensim-dev mailing list
> [email protected]
> http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev

_______________________________________________
Opensim-dev mailing list
[email protected]
http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
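
Added example, not part of the original thread: a Python check that parses a viewer settings.xml in the layout quoted above and reports whether NoVerifySSLCert is still enabled, for instance after a test against a self-signed certificate. The sample document, the enclosing <llsd> wrapper and the function names are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout quoted in the thread; the enclosing
# <llsd><map> wrapper is an assumption about the full file.
SAMPLE_SETTINGS = """<llsd><map>
  <key>NoVerifySSLCert</key>
  <map>
    <key>Comment</key>
    <string>Do not verify SSL certificates.</string>
    <key>Persist</key>
    <integer>1</integer>
    <key>Type</key>
    <string>Boolean</string>
    <key>Value</key>
    <integer>1</integer>
  </map>
</map></llsd>"""


def llsd_map_to_dict(map_elem):
    """Convert an LLSD <map> (alternating <key>/value children) to a dict."""
    children = list(map_elem)
    if len(children) % 2:
        raise ValueError("malformed LLSD map: key without a value")
    result = {}
    for key_elem, value_elem in zip(children[0::2], children[1::2]):
        if key_elem.tag != "key":
            raise ValueError(f"expected <key>, found <{key_elem.tag}>")
        if value_elem.tag == "map":
            result[key_elem.text] = llsd_map_to_dict(value_elem)
        else:
            result[key_elem.text] = (value_elem.text or "").strip()
    return result


def tls_verification_disabled(settings_xml):
    """Return True when NoVerifySSLCert is set to a truthy Value."""
    root = ET.fromstring(settings_xml)
    top = root.find("map") if root.tag == "llsd" else root
    if top is None:
        raise ValueError("no top-level <map> in settings document")
    entry = llsd_map_to_dict(top).get("NoVerifySSLCert")
    if not isinstance(entry, dict):
        return False  # not set in this file
    return entry.get("Value", "0").lower() in ("1", "true")


if __name__ == "__main__":
    print("certificate verification disabled:",
          tls_verification_disabled(SAMPLE_SETTINGS))
```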
