authorAndrey Kleshchev <andreykproductengine@lindenlab.com>2020-09-11 16:31:15 +0300
committerAndrey Kleshchev <andreykproductengine@lindenlab.com>2020-09-11 16:32:19 +0300
commit8c8eac256bdb51fdf9e6e297280b2017d26c3588 (patch)
treea679d8fb8fc171ab3f4c09500238112acad8f836
parent45758daa8a1f388f5881f5025063e13b10ff7721 (diff)
SL-13927 Turn SSL verification On for all SL services in viewer
-rw-r--r--indra/llcorehttp/httpoptions.cpp11
-rw-r--r--indra/llcorehttp/httpoptions.h11
-rw-r--r--indra/llcrashlogger/llcrashlogger.cpp1
-rw-r--r--indra/newview/llappcorehttp.cpp24
-rw-r--r--indra/newview/llappcorehttp.h1
-rw-r--r--indra/newview/llfloaterabout.cpp1
-rw-r--r--indra/newview/llfloatergridstatus.cpp1
-rw-r--r--indra/newview/lltranslate.cpp2
8 files changed, 50 insertions, 2 deletions
diff --git a/indra/llcorehttp/httpoptions.cpp b/indra/llcorehttp/httpoptions.cpp
index df5aa52fa9..c6365e5091 100644
--- a/indra/llcorehttp/httpoptions.cpp
+++ b/indra/llcorehttp/httpoptions.cpp
@@ -32,6 +32,7 @@
namespace LLCore
{
+ bool HttpOptions::sDefaultVerifyPeer = false;
HttpOptions::HttpOptions() :
mWantHeaders(false),
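Review bot: The process-wide default `sDefaultVerifyPeer` starts as `false`, so any HttpOptions built before setDefaultSSLVerifyPeer() runs, or in a program that never calls it, skips certificate verification without any warning. Starting from `bool HttpOptions::sDefaultVerifyPeer = true;` and letting callers opt out explicitly would make the unconfigured case fail closed. The static is also a plain `bool` that the settings callback writes while HttpOptions constructors read it. If options objects are ever constructed off the main thread, `std::atomic<bool>` would be the safer type, so the threading model is worth confirming.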
@@ -43,7 +44,7 @@ HttpOptions::HttpOptions() :
mMaxRetryBackoff(HTTP_RETRY_BACKOFF_MAX_DEFAULT),
mUseRetryAfter(HTTP_USE_RETRY_AFTER_DEFAULT),
mFollowRedirects(true),
- mVerifyPeer(false),
+ mVerifyPeer(sDefaultVerifyPeer),
mVerifyHost(false),
mDNSCacheTimeout(-1L),
mNoBody(false)
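Review bot: Host-name verification still defaults to off on the line after the changed initializer, `mVerifyHost(false)`. Depending on how the transport layer maps the two flags onto the TLS library (not visible here), peer verification alone may accept a chain-valid certificate issued for a different host name. Consider deriving the `mVerifyHost` default from the same setting, or add a comment stating why host checking stays disabled while peer checking is enabled. The constructor's initializer list starts and ends outside this hunk.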
@@ -122,7 +123,15 @@ void HttpOptions::setHeadersOnly(bool nobody)
{
mNoBody = nobody;
if (mNoBody)
+ {
setWantHeaders(true);
+ setSSLVerifyPeer(false);
+ }
+}
+
+void HttpOptions::setDefaultSSLVerifyPeer(bool verify)
+{
+ sDefaultVerifyPeer = verify;
}
} // end namespace LLCore
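Review bot: setHeadersOnly(true) now also calls `setSSLVerifyPeer(false)`, which overrides whatever the caller or the global default had chosen, and nothing restores it when setHeadersOnly(false) is called later. The outcome depends on call order: a caller that enables verification after setHeadersOnly keeps it, one that enables it before loses it. No comment mentions this side effect. If header-only requests really must skip verification, state the reason at this line, e.g. `// HEAD probes skip peer verification because <reason>`, or leave the opt-out to the individual call sites that need it.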
diff --git a/indra/llcorehttp/httpoptions.h b/indra/llcorehttp/httpoptions.h
index 8a6de61b04..41f71896b0 100644
--- a/indra/llcorehttp/httpoptions.h
+++ b/indra/llcorehttp/httpoptions.h
@@ -143,7 +143,7 @@ public:
/// Instructs the LLCore::HTTPRequest to verify that the exchanged security
/// certificate is authentic.
- /// Default: false
+ /// Default: sDefaultVerifyPeer
void setSSLVerifyPeer(bool verify);
bool getSSLVerifyPeer() const
{
@@ -177,6 +177,13 @@ public:
{
return mNoBody;
}
+
+ /// Sets default behavior for verifying that the name in the
+ /// security certificate matches the name of the host contacted.
+ /// Defaults false if not set, but should be set according to
+ /// viewer's initialization options and command argunments, see
+ /// NoVerifySSLCert
+ static void setDefaultSSLVerifyPeer(bool verify);
protected:
bool mWantHeaders;
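Review bot: The doc comment on setDefaultSSLVerifyPeer describes host-name matching ("the name in the security certificate matches the name of the host contacted"), but the function sets the default for peer certificate verification; host checking is the separate `mVerifyHost` flag. Suggested wording: `/// Sets the process-wide default for peer certificate verification used by HttpOptions objects constructed afterwards.` It should also say that existing objects are unaffected, since the value is only read in the constructor. "argunments" should read "arguments".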
@@ -192,6 +199,8 @@ protected:
bool mVerifyHost;
int mDNSCacheTimeout;
bool mNoBody;
+
+ static bool sDefaultVerifyPeer;
}; // end class HttpOptions
diff --git a/indra/llcrashlogger/llcrashlogger.cpp b/indra/llcrashlogger/llcrashlogger.cpp
index 62fcdaf545..e02f3a6306 100644
--- a/indra/llcrashlogger/llcrashlogger.cpp
+++ b/indra/llcrashlogger/llcrashlogger.cpp
@@ -411,6 +411,7 @@ bool LLCrashLogger::runCrashLogPost(std::string host, LLSD data, std::string msg
LLCore::HttpOptions::ptr_t httpOpts(new LLCore::HttpOptions);
httpOpts->setTimeout(timeout);
+ httpOpts->setSSLVerifyPeer(false);
for(int i = 0; i < retries; ++i)
{
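Review bot: The crash-report upload turns peer verification off with `httpOpts->setSSLVerifyPeer(false);` and gives no reason, unlike the commented opt-outs in llfloaterabout.cpp and llfloatergridstatus.cpp. Crash payloads commonly carry logs and system details, so posting them to an unauthenticated endpoint deserves either verification or a comment stating why it cannot be enabled here. If the crash logger runs as its own process it may never call setDefaultSSLVerifyPeer(), in which case the default is already `false` and this line only pins that behaviour. runCrashLogPost continues outside the hunk.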
diff --git a/indra/newview/llappcorehttp.cpp b/indra/newview/llappcorehttp.cpp
index afa4414968..4777662839 100644
--- a/indra/newview/llappcorehttp.cpp
+++ b/indra/newview/llappcorehttp.cpp
@@ -116,6 +116,7 @@ static const struct
};
static void setting_changed();
+static void ssl_verification_changed();
LLAppCoreHttp::HttpClass::HttpClass()
@@ -195,6 +196,23 @@ void LLAppCoreHttp::init()
LL_WARNS("Init") << "Failed to set SSL Verification. Reason: " << status.toString() << LL_ENDL;
}
+ // Set up Default SSL Verification option.
+ const std::string no_verify_ssl("NoVerifySSLCert");
+ if (gSavedSettings.controlExists(no_verify_ssl))
+ {
+ LLPointer<LLControlVariable> cntrl_ptr = gSavedSettings.getControl(no_verify_ssl);
+ if (cntrl_ptr.isNull())
+ {
+ LL_WARNS("Init") << "Unable to set signal on global setting '" << no_verify_ssl
+ << "'" << LL_ENDL;
+ }
+ else
+ {
+ mSSLNoVerifySignal = cntrl_ptr->getCommitSignal()->connect(boost::bind(&ssl_verification_changed));
+ LLCore::HttpOptions::setDefaultSSLVerifyPeer(!cntrl_ptr->getValue().asBoolean());
+ }
+ }
+
// Tracing levels for library & libcurl (note that 2 & 3 are beyond spammy):
// 0 - None
// 1 - Basic start, stop simple transitions
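Review bot: Both failure paths in the added block leave the verification default at `false`: when `controlExists(no_verify_ssl)` is false nothing is logged or set, and when the control pointer is null only a warning is emitted. Calling `LLCore::HttpOptions::setDefaultSSLVerifyPeer(true);` before the lookup would make a missing or broken setting fail closed instead of running the session unverified. The warning text could also state the consequence, not only that the signal was not connected. LLAppCoreHttp::init starts and ends outside the hunk.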
@@ -296,6 +314,11 @@ void setting_changed()
LLAppViewer::instance()->getAppCoreHttp().refreshSettings(false);
}
+void ssl_verification_changed()
+{
+ LLCore::HttpOptions::setDefaultSSLVerifyPeer(!gSavedSettings.getBOOL("NoVerifySSLCert"));
+}
+
namespace
{
// The NoOpDeletor is used when wrapping LLAppCoreHttp in a smart pointer below for
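Review bot: ssl_verification_changed() flips the process-wide default without leaving any trace in the log, so a session that ran with verification disabled cannot be identified afterwards from the viewer log. Reading the setting into a local `verify` and adding a line such as `LL_WARNS("Init") << "SSL peer verification default set to " << verify << LL_ENDL;` would cover it (the log tag is a suggestion). The new default is only read in the HttpOptions constructor, so options objects created earlier keep their previous value. That is worth a comment if it is intended.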
@@ -355,6 +378,7 @@ void LLAppCoreHttp::cleanup()
{
mHttpClasses[i].mSettingsSignal.disconnect();
}
+ mSSLNoVerifySignal.disconnect();
mPipelinedSignal.disconnect();
delete mRequest;
diff --git a/indra/newview/llappcorehttp.h b/indra/newview/llappcorehttp.h
index 95c138d598..751c498ab0 100644
--- a/indra/newview/llappcorehttp.h
+++ b/indra/newview/llappcorehttp.h
@@ -256,6 +256,7 @@ private:
HttpClass mHttpClasses[AP_COUNT];
bool mPipelined; // Global setting
boost::signals2::connection mPipelinedSignal; // Signal for 'HttpPipelining' setting
+ boost::signals2::connection mSSLNoVerifySignal; // Signal for 'NoVerifySSLCert' setting
static LLCore::HttpStatus sslVerify(const std::string &uri, const LLCore::HttpHandler::ptr_t &handler, void *appdata);
};
diff --git a/indra/newview/llfloaterabout.cpp b/indra/newview/llfloaterabout.cpp
index 171858e472..1fbd198019 100644
--- a/indra/newview/llfloaterabout.cpp
+++ b/indra/newview/llfloaterabout.cpp
@@ -236,6 +236,7 @@ void LLFloaterAbout::fetchServerReleaseNotesCoro(const std::string& cap_url)
httpOpts->setWantHeaders(true);
httpOpts->setFollowRedirects(false);
+ httpOpts->setSSLVerifyPeer(false); // We want this data even if SSL verification fails
LLSD result = httpAdapter->getAndSuspend(httpRequest, cap_url, httpOpts);
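Review bot: With `setSSLVerifyPeer(false)` the release-notes response is unauthenticated, so whatever is read from `result` (headers included, since `setWantHeaders(true)` is set) has to be treated as untrusted input by the code that follows outside this hunk. The comment explains the motive but not that consequence; something like `// Response is NOT authenticated: validate any URL taken from it before use` would make it explicit. Trying the request with verification first and falling back only on a certificate error would keep the availability goal while narrowing the exposure. The same applies to the llfloatergridstatus.cpp hunk, where the RSS body fetched from `GridStatusRSS` is also accepted unverified.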
diff --git a/indra/newview/llfloatergridstatus.cpp b/indra/newview/llfloatergridstatus.cpp
index faa7e9f3db..9745e17bbb 100644
--- a/indra/newview/llfloatergridstatus.cpp
+++ b/indra/newview/llfloatergridstatus.cpp
@@ -95,6 +95,7 @@ void LLFloaterGridStatus::getGridStatusRSSCoro()
LLCore::HttpOptions::ptr_t httpOpts(new LLCore::HttpOptions);
LLCore::HttpHeaders::ptr_t httpHeaders(new LLCore::HttpHeaders);
+ httpOpts->setSSLVerifyPeer(false); // We want this data even if SSL fails
httpHeaders->append(HTTP_OUT_HEADER_CONTENT_TYPE, HTTP_CONTENT_TEXT_XML);
std::string url = gSavedSettings.getString("GridStatusRSS");
diff --git a/indra/newview/lltranslate.cpp b/indra/newview/lltranslate.cpp
index fa3b44f702..553a3cd086 100644
--- a/indra/newview/lltranslate.cpp
+++ b/indra/newview/lltranslate.cpp
@@ -144,6 +144,7 @@ void LLTranslationAPIHandler::verifyKeyCoro(LLTranslate::EService service, std::
httpHeaders->append(HTTP_OUT_HEADER_USER_AGENT, user_agent);
httpOpts->setFollowRedirects(true);
+ httpOpts->setSSLVerifyPeer(false);
std::string url = this->getKeyVerificationURL(key);
if (url.empty())
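Review bot: Verification is switched off in verifyKeyCoro with no comment, and the URL built on the next line comes from `getKeyVerificationURL(key)`, so the translation API key appears to travel in a request whose server is not authenticated. The second hunk does the same in translateMessageCoro, where `getTranslateURL(...)` takes the message text. Unlike the status and release-notes fetches, these requests carry a credential and user content, so they look like the last place to opt out. I would drop both `httpOpts->setSSLVerifyPeer(false);` lines unless a specific service needs the exemption, and in that case document which one. Both functions continue outside their hunks.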
@@ -185,6 +186,7 @@ void LLTranslationAPIHandler::translateMessageCoro(LanguagePair_t fromTo, std::s
httpHeaders->append(HTTP_OUT_HEADER_ACCEPT, HTTP_CONTENT_TEXT_PLAIN);
httpHeaders->append(HTTP_OUT_HEADER_USER_AGENT, user_agent);
+ httpOpts->setSSLVerifyPeer(false);
std::string url = this->getTranslateURL(fromTo.first, fromTo.second, msg);
if (url.empty())