From 82e5f6c24ffef1fdc6ef2a1df8be21e0bf27b715 Mon Sep 17 00:00:00 2001
From: Andrey Kleshchev
Date: Wed, 4 Mar 2020 17:39:22 +0200
Subject: SL-12421 Viewer's certificate validation does not reject connections
---
 indra/llcorehttp/_httpoprequest.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'indra/llcorehttp/_httpoprequest.cpp')
diff --git a/indra/llcorehttp/_httpoprequest.cpp b/indra/llcorehttp/_httpoprequest.cpp
index 0f76ff23ea..6978b8d08b 100644
--- a/indra/llcorehttp/_httpoprequest.cpp
+++ b/indra/llcorehttp/_httpoprequest.cpp
@@ -1010,8 +1010,8 @@ CURLcode HttpOpRequest::curlSslCtxCallback(CURL *curl, void *sslctx, void *userd
 if (op->mCallbackSSLVerify)
 {
 SSL_CTX * ctx = (SSL_CTX *)sslctx;
- // disable any default verification for server certs
- SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
+ // verification for ssl certs
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
 // set the verification callback.
 SSL_CTX_set_cert_verify_callback(ctx, sslCertVerifyCallback, userdata);
 // the calls are void
-- cgit v1.2.3
From 81553d1b8cacde537ceff10c8f24806a7f94ad36 Mon Sep 17 00:00:00 2001
From: Andrey Kleshchev
Date: Wed, 9 Sep 2020 22:09:39 +0300
Subject: SL-13919 SSL verification should take mVerifyPeer flag into account
---
 indra/llcorehttp/_httpoprequest.cpp | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
(limited to 'indra/llcorehttp/_httpoprequest.cpp')
diff --git a/indra/llcorehttp/_httpoprequest.cpp b/indra/llcorehttp/_httpoprequest.cpp
index 6978b8d08b..408adbde2b 100644
--- a/indra/llcorehttp/_httpoprequest.cpp
+++ b/indra/llcorehttp/_httpoprequest.cpp
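Review bot: In the SL-12421 hunk, the new comment `// verification for ssl certs` does not say why the verify mode matters, although that is the whole fix. In OpenSSL client mode SSL_VERIFY_NONE lets the handshake continue whatever the verification result is, so a rejection returned by `sslCertVerifyCallback` was ignored; SSL_VERIFY_PEER is what turns that rejection into a failed connection. I would write the comment as `// SSL_VERIFY_PEER: a failed verdict from sslCertVerifyCallback must abort the handshake`. curlSslCtxCallback starts and ends outside the hunk.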
@@ -1007,11 +1007,20 @@ CURLcode HttpOpRequest::curlSslCtxCallback(CURL *curl, void *sslctx, void *userd
 {
 HttpOpRequest::ptr_t op(HttpOpRequest::fromHandle(userdata));

- if (op->mCallbackSSLVerify)
- {
- SSL_CTX * ctx = (SSL_CTX *)sslctx;
- // verification for ssl certs
- SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
+ if (op->mCallbackSSLVerify)
+ {
+ SSL_CTX * ctx = (SSL_CTX *)sslctx;
+ if (op->mReqOptions && op->mReqOptions->getSSLVerifyPeer())
+ {
+ // verification for ssl certs
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
+ }
+ else
+ {
+ // disable any default verification for server certs
+ // Ex: setting urls (assume non-SL) for parcel media in LLFloaterURLEntry
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
+ }
 // set the verification callback.
 SSL_CTX_set_cert_verify_callback(ctx, sslCertVerifyCallback, userdata);
 // the calls are void
-- cgit v1.2.3
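Review bot: The new condition `op->mReqOptions && op->mReqOptions->getSSLVerifyPeer()` fails open: a request that carries no options object falls into the else branch and gets SSL_VERIFY_NONE. In that branch `sslCertVerifyCallback` is still installed, but in client mode OpenSSL continues the handshake regardless of its verdict, so those requests get no certificate enforcement at all. Unless a null mReqOptions is known to mean "do not verify" (not visible in this hunk), I would disable verification only on an explicit opt-out: `if (!op->mReqOptions || op->mReqOptions->getSSLVerifyPeer())`. A log line in the else branch would also make unverified connections visible when triaging a suspected interception. curlSslCtxCallback starts and ends outside the hunk.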