diff options
author | Andrey Kleshchev <andreykproductengine@lindenlab.com> | 2020-09-11 16:31:15 +0300 |
---|---|---|
committer | Andrey Kleshchev <andreykproductengine@lindenlab.com> | 2020-09-11 16:32:19 +0300 |
commit | 8c8eac256bdb51fdf9e6e297280b2017d26c3588 (patch) | |
tree | a679d8fb8fc171ab3f4c09500238112acad8f836 /indra | |
parent | 45758daa8a1f388f5881f5025063e13b10ff7721 (diff) |
SL-13927 Turn SSL verification On for all SL services in viewer
Diffstat (limited to 'indra')
-rw-r--r-- | indra/llcorehttp/httpoptions.cpp | 11 | ||||
-rw-r--r-- | indra/llcorehttp/httpoptions.h | 11 | ||||
-rw-r--r-- | indra/llcrashlogger/llcrashlogger.cpp | 1 | ||||
-rw-r--r-- | indra/newview/llappcorehttp.cpp | 24 | ||||
-rw-r--r-- | indra/newview/llappcorehttp.h | 1 | ||||
-rw-r--r-- | indra/newview/llfloaterabout.cpp | 1 | ||||
-rw-r--r-- | indra/newview/llfloatergridstatus.cpp | 1 | ||||
-rw-r--r-- | indra/newview/lltranslate.cpp | 2 |
8 files changed, 50 insertions, 2 deletions
diff --git a/indra/llcorehttp/httpoptions.cpp b/indra/llcorehttp/httpoptions.cpp index df5aa52fa9..c6365e5091 100644 --- a/indra/llcorehttp/httpoptions.cpp +++ b/indra/llcorehttp/httpoptions.cpp @@ -32,6 +32,7 @@ namespace LLCore { + bool HttpOptions::sDefaultVerifyPeer = false; HttpOptions::HttpOptions() : mWantHeaders(false), @@ -43,7 +44,7 @@ HttpOptions::HttpOptions() : mMaxRetryBackoff(HTTP_RETRY_BACKOFF_MAX_DEFAULT), mUseRetryAfter(HTTP_USE_RETRY_AFTER_DEFAULT), mFollowRedirects(true), - mVerifyPeer(false), + mVerifyPeer(sDefaultVerifyPeer), mVerifyHost(false), mDNSCacheTimeout(-1L), mNoBody(false) @@ -122,7 +123,15 @@ void HttpOptions::setHeadersOnly(bool nobody) { mNoBody = nobody; if (mNoBody) + { setWantHeaders(true); + setSSLVerifyPeer(false); + } +} + +void HttpOptions::setDefaultSSLVerifyPeer(bool verify) +{ + sDefaultVerifyPeer = verify; } } // end namespace LLCore diff --git a/indra/llcorehttp/httpoptions.h b/indra/llcorehttp/httpoptions.h index 8a6de61b04..41f71896b0 100644 --- a/indra/llcorehttp/httpoptions.h +++ b/indra/llcorehttp/httpoptions.h @@ -143,7 +143,7 @@ public: /// Instructs the LLCore::HTTPRequest to verify that the exchanged security /// certificate is authentic. - /// Default: false + /// Default: sDefaultVerifyPeer void setSSLVerifyPeer(bool verify); bool getSSLVerifyPeer() const { @@ -177,6 +177,13 @@ public: { return mNoBody; } + + /// Sets default behavior for verifying that the name in the + /// security certificate matches the name of the host contacted. + /// Defaults false if not set, but should be set according to + /// viewer's initialization options and command argunments, see + /// NoVerifySSLCert + static void setDefaultSSLVerifyPeer(bool verify); protected: bool mWantHeaders; @@ -192,6 +199,8 @@ protected: bool mVerifyHost; int mDNSCacheTimeout; bool mNoBody; + + static bool sDefaultVerifyPeer; }; // end class HttpOptions diff --git a/indra/llcrashlogger/llcrashlogger.cpp b/indra/llcrashlogger/llcrashlogger.cpp index 62fcdaf545..e02f3a6306 100644 --- a/indra/llcrashlogger/llcrashlogger.cpp +++ b/indra/llcrashlogger/llcrashlogger.cpp @@ -411,6 +411,7 @@ bool LLCrashLogger::runCrashLogPost(std::string host, LLSD data, std::string msg LLCore::HttpOptions::ptr_t httpOpts(new LLCore::HttpOptions); httpOpts->setTimeout(timeout); + httpOpts->setSSLVerifyPeer(false); for(int i = 0; i < retries; ++i) { diff --git a/indra/newview/llappcorehttp.cpp b/indra/newview/llappcorehttp.cpp index afa4414968..4777662839 100644 --- a/indra/newview/llappcorehttp.cpp +++ b/indra/newview/llappcorehttp.cpp @@ -116,6 +116,7 @@ static const struct }; static void setting_changed(); +static void ssl_verification_changed(); LLAppCoreHttp::HttpClass::HttpClass() @@ -195,6 +196,23 @@ void LLAppCoreHttp::init() LL_WARNS("Init") << "Failed to set SSL Verification. Reason: " << status.toString() << LL_ENDL; } + // Set up Default SSL Verification option. + const std::string no_verify_ssl("NoVerifySSLCert"); + if (gSavedSettings.controlExists(no_verify_ssl)) + { + LLPointer<LLControlVariable> cntrl_ptr = gSavedSettings.getControl(no_verify_ssl); + if (cntrl_ptr.isNull()) + { + LL_WARNS("Init") << "Unable to set signal on global setting '" << no_verify_ssl + << "'" << LL_ENDL; + } + else + { + mSSLNoVerifySignal = cntrl_ptr->getCommitSignal()->connect(boost::bind(&ssl_verification_changed)); + LLCore::HttpOptions::setDefaultSSLVerifyPeer(!cntrl_ptr->getValue().asBoolean()); + } + } + // Tracing levels for library & libcurl (note that 2 & 3 are beyond spammy): // 0 - None // 1 - Basic start, stop simple transitions @@ -296,6 +314,11 @@ void setting_changed() LLAppViewer::instance()->getAppCoreHttp().refreshSettings(false); } +void ssl_verification_changed() +{ + LLCore::HttpOptions::setDefaultSSLVerifyPeer(!gSavedSettings.getBOOL("NoVerifySSLCert")); +} + namespace { // The NoOpDeletor is used when wrapping LLAppCoreHttp in a smart pointer below for @@ -355,6 +378,7 @@ void LLAppCoreHttp::cleanup() { mHttpClasses[i].mSettingsSignal.disconnect(); } + mSSLNoVerifySignal.disconnect(); mPipelinedSignal.disconnect(); delete mRequest; diff --git a/indra/newview/llappcorehttp.h b/indra/newview/llappcorehttp.h index 95c138d598..751c498ab0 100644 --- a/indra/newview/llappcorehttp.h +++ b/indra/newview/llappcorehttp.h @@ -256,6 +256,7 @@ private: HttpClass mHttpClasses[AP_COUNT]; bool mPipelined; // Global setting boost::signals2::connection mPipelinedSignal; // Signal for 'HttpPipelining' setting + boost::signals2::connection mSSLNoVerifySignal; // Signal for 'NoVerifySSLCert' setting static LLCore::HttpStatus sslVerify(const std::string &uri, const LLCore::HttpHandler::ptr_t &handler, void *appdata); }; diff --git a/indra/newview/llfloaterabout.cpp b/indra/newview/llfloaterabout.cpp index 171858e472..1fbd198019 100644 --- a/indra/newview/llfloaterabout.cpp +++ b/indra/newview/llfloaterabout.cpp @@ -236,6 +236,7 @@ void LLFloaterAbout::fetchServerReleaseNotesCoro(const std::string& cap_url) httpOpts->setWantHeaders(true); httpOpts->setFollowRedirects(false); + httpOpts->setSSLVerifyPeer(false); // We want this data even if SSL verification fails LLSD result = httpAdapter->getAndSuspend(httpRequest, cap_url, httpOpts); diff --git a/indra/newview/llfloatergridstatus.cpp b/indra/newview/llfloatergridstatus.cpp index faa7e9f3db..9745e17bbb 100644 --- a/indra/newview/llfloatergridstatus.cpp +++ b/indra/newview/llfloatergridstatus.cpp @@ -95,6 +95,7 @@ void LLFloaterGridStatus::getGridStatusRSSCoro() LLCore::HttpOptions::ptr_t httpOpts(new LLCore::HttpOptions); LLCore::HttpHeaders::ptr_t httpHeaders(new LLCore::HttpHeaders); + httpOpts->setSSLVerifyPeer(false); // We want this data even if SSL fails httpHeaders->append(HTTP_OUT_HEADER_CONTENT_TYPE, HTTP_CONTENT_TEXT_XML); std::string url = gSavedSettings.getString("GridStatusRSS"); diff --git a/indra/newview/lltranslate.cpp b/indra/newview/lltranslate.cpp index fa3b44f702..553a3cd086 100644 --- a/indra/newview/lltranslate.cpp +++ b/indra/newview/lltranslate.cpp @@ -144,6 +144,7 @@ void LLTranslationAPIHandler::verifyKeyCoro(LLTranslate::EService service, std:: httpHeaders->append(HTTP_OUT_HEADER_USER_AGENT, user_agent); httpOpts->setFollowRedirects(true); + httpOpts->setSSLVerifyPeer(false); std::string url = this->getKeyVerificationURL(key); if (url.empty()) @@ -185,6 +186,7 @@ void LLTranslationAPIHandler::translateMessageCoro(LanguagePair_t fromTo, std::s httpHeaders->append(HTTP_OUT_HEADER_ACCEPT, HTTP_CONTENT_TEXT_PLAIN); httpHeaders->append(HTTP_OUT_HEADER_USER_AGENT, user_agent); + httpOpts->setSSLVerifyPeer(false); std::string url = this->getTranslateURL(fromTo.first, fromTo.second, msg); if (url.empty()) |