From b856745048212175eac19536e40cf563b874f6b4 Mon Sep 17 00:00:00 2001 From: Andrey Kleshchev Date: Fri, 21 Aug 2020 20:14:26 +0300 Subject: SL-13835 SSL verification should not crash on invalid certificate --- indra/newview/llappcorehttp.cpp | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) (limited to 'indra/newview/llappcorehttp.cpp') diff --git a/indra/newview/llappcorehttp.cpp b/indra/newview/llappcorehttp.cpp index afa4414968..134a34137b 100644 --- a/indra/newview/llappcorehttp.cpp +++ b/indra/newview/llappcorehttp.cpp @@ -522,20 +522,20 @@ void LLAppCoreHttp::refreshSettings(bool initial) LLCore::HttpStatus LLAppCoreHttp::sslVerify(const std::string &url, const LLCore::HttpHandler::ptr_t &handler, void *appdata) { - X509_STORE_CTX *ctx = static_cast(appdata); - LLCore::HttpStatus result; - LLPointer store = gSecAPIHandler->getCertificateStore(""); - LLPointer chain = gSecAPIHandler->getCertificateChain(ctx); - LLSD validation_params = LLSD::emptyMap(); - LLURI uri(url); + LLCore::HttpStatus result; + try + { + X509_STORE_CTX *ctx = static_cast(appdata); + LLPointer store = gSecAPIHandler->getCertificateStore(""); + LLPointer chain = gSecAPIHandler->getCertificateChain(ctx); + LLSD validation_params = LLSD::emptyMap(); + LLURI uri(url); - validation_params[CERT_HOSTNAME] = uri.hostName(); + validation_params[CERT_HOSTNAME] = uri.hostName(); - // *TODO: In the case of an exception while validating the cert, we need a way - // to pass the offending(?) cert back out. *Rider* + // *TODO: In the case of an exception while validating the cert, we need a way + // to pass the offending(?) cert back out. *Rider* - try - { // don't validate hostname. Let libcurl do it instead. That way, it'll handle redirects store->validate(VALIDATION_POLICY_SSL & (~VALIDATION_POLICY_HOSTNAME), chain, validation_params); } -- cgit v1.2.3 From 8594be3b9a6518ae25b99f920358a61ed4bae1a1 Mon Sep 17 00:00:00 2001 From: Andrey Kleshchev Date: Fri, 11 Sep 2020 16:31:15 +0300 Subject: SL-13927 Turn SSL verification On for all SL services in viewer --- indra/newview/llappcorehttp.cpp | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) (limited to 'indra/newview/llappcorehttp.cpp') diff --git a/indra/newview/llappcorehttp.cpp b/indra/newview/llappcorehttp.cpp index 134a34137b..3da87e657c 100644 --- a/indra/newview/llappcorehttp.cpp +++ b/indra/newview/llappcorehttp.cpp @@ -116,6 +116,7 @@ static const struct }; static void setting_changed(); +static void ssl_verification_changed(); LLAppCoreHttp::HttpClass::HttpClass() @@ -195,6 +196,23 @@ void LLAppCoreHttp::init() LL_WARNS("Init") << "Failed to set SSL Verification. Reason: " << status.toString() << LL_ENDL; } + // Set up Default SSL Verification option. + const std::string no_verify_ssl("NoVerifySSLCert"); + if (gSavedSettings.controlExists(no_verify_ssl)) + { + LLPointer cntrl_ptr = gSavedSettings.getControl(no_verify_ssl); + if (cntrl_ptr.isNull()) + { + LL_WARNS("Init") << "Unable to set signal on global setting '" << no_verify_ssl + << "'" << LL_ENDL; + } + else + { + mSSLNoVerifySignal = cntrl_ptr->getCommitSignal()->connect(boost::bind(&ssl_verification_changed)); + LLCore::HttpOptions::setDefaultSSLVerifyPeer(!cntrl_ptr->getValue().asBoolean()); + } + } + // Tracing levels for library & libcurl (note that 2 & 3 are beyond spammy): // 0 - None // 1 - Basic start, stop simple transitions @@ -296,6 +314,11 @@ void setting_changed() LLAppViewer::instance()->getAppCoreHttp().refreshSettings(false); } +void ssl_verification_changed() +{ + LLCore::HttpOptions::setDefaultSSLVerifyPeer(!gSavedSettings.getBOOL("NoVerifySSLCert")); +} + namespace { // The NoOpDeletor is used when wrapping LLAppCoreHttp in a smart pointer below for @@ -355,6 +378,7 @@ void LLAppCoreHttp::cleanup() { mHttpClasses[i].mSettingsSignal.disconnect(); } + mSSLNoVerifySignal.disconnect(); mPipelinedSignal.disconnect(); delete mRequest; -- cgit v1.2.3 From 6936736d1766a8a683b7058dbfdaee3c07e30cf7 Mon Sep 17 00:00:00 2001 From: Andrey Kleshchev Date: Fri, 11 Sep 2020 20:59:43 +0300 Subject: Revert SL-13927 commit 8c8eac256bdb51fdf9e6e297280b2017d26c3588. Got into D503 by accident --- indra/newview/llappcorehttp.cpp | 24 ------------------------ 1 file changed, 24 deletions(-) (limited to 'indra/newview/llappcorehttp.cpp') diff --git a/indra/newview/llappcorehttp.cpp b/indra/newview/llappcorehttp.cpp index 3da87e657c..134a34137b 100644 --- a/indra/newview/llappcorehttp.cpp +++ b/indra/newview/llappcorehttp.cpp @@ -116,7 +116,6 @@ static const struct }; static void setting_changed(); -static void ssl_verification_changed(); LLAppCoreHttp::HttpClass::HttpClass() @@ -196,23 +195,6 @@ void LLAppCoreHttp::init() LL_WARNS("Init") << "Failed to set SSL Verification. Reason: " << status.toString() << LL_ENDL; } - // Set up Default SSL Verification option. - const std::string no_verify_ssl("NoVerifySSLCert"); - if (gSavedSettings.controlExists(no_verify_ssl)) - { - LLPointer cntrl_ptr = gSavedSettings.getControl(no_verify_ssl); - if (cntrl_ptr.isNull()) - { - LL_WARNS("Init") << "Unable to set signal on global setting '" << no_verify_ssl - << "'" << LL_ENDL; - } - else - { - mSSLNoVerifySignal = cntrl_ptr->getCommitSignal()->connect(boost::bind(&ssl_verification_changed)); - LLCore::HttpOptions::setDefaultSSLVerifyPeer(!cntrl_ptr->getValue().asBoolean()); - } - } - // Tracing levels for library & libcurl (note that 2 & 3 are beyond spammy): // 0 - None // 1 - Basic start, stop simple transitions @@ -314,11 +296,6 @@ void setting_changed() LLAppViewer::instance()->getAppCoreHttp().refreshSettings(false); } -void ssl_verification_changed() -{ - LLCore::HttpOptions::setDefaultSSLVerifyPeer(!gSavedSettings.getBOOL("NoVerifySSLCert")); -} - namespace { // The NoOpDeletor is used when wrapping LLAppCoreHttp in a smart pointer below for @@ -378,7 +355,6 @@ void LLAppCoreHttp::cleanup() { mHttpClasses[i].mSettingsSignal.disconnect(); } - mSSLNoVerifySignal.disconnect(); mPipelinedSignal.disconnect(); delete mRequest; -- cgit v1.2.3