DEV-35248: Allow NoVerifySSLCert to uniformly disable verification
Introduce static LLCurl SSL verification flag, default 'true', accessed by
LLCurl::setSSLVerify() and getSSLVerify().
Make LLCurl::Easy::prepRequest() check LLCurl::getSSLVerify() instead of
unconditionally setting CURLOPT_SSL_VERIFYPEER 'true'. Also set
CURLOPT_SSL_VERIFYHOST to match.
Make LLXMLRPCTransaction::Impl::init() examine LLCurl::getSSLVerify(), instead
of directly examining gSavedSettings.getBOOL("NoVerifySSLCert").
Make LLURLRequest::checkRootCertificate() set CURLOPT_SSL_VERIFYHOST as well
as CURLOPT_SSL_VERIFYPEER.
Make request() in llhttpclient.cpp (used by LLHTTPClient::getByteRange(),
head(), get(), getHeaderOnly(), put(), post(), postRaw(), postFile(), del(),
move()) pass LLCurl::getSSLVerify() to checkRootCertificate(), rather than
constant 'true'.
Make LLAppViewer::mainLoop() call
LLCurl::setSSLVerify(! gSavedSettings.getBOOL("NoVerifySSLCert"))
at the same time it calls LLCurl::setCAFile(), a comparable bit of static
setup.
master
parent
ea875ca0eb
commit
df7e5dd1dc
|
|
@ -89,6 +89,10 @@ S32 gCurlMultiCount = 0;
|
|||
std::vector<LLMutex*> LLCurl::sSSLMutex;
|
||||
std::string LLCurl::sCAPath;
|
||||
std::string LLCurl::sCAFile;
|
||||
// Verify SSL certificates by default (matches libcurl default). The ability
|
||||
// to alter this flag is only to allow us to suppress verification if it's
|
||||
// broken for some reason.
|
||||
bool LLCurl::sSSLVerify = true;
|
||||
|
||||
//static
|
||||
void LLCurl::setCAPath(const std::string& path)
|
||||
|
|
@ -102,6 +106,18 @@ void LLCurl::setCAFile(const std::string& file)
|
|||
sCAFile = file;
|
||||
}
|
||||
|
||||
//static
|
||||
void LLCurl::setSSLVerify(bool verify)
|
||||
{
|
||||
sSSLVerify = verify;
|
||||
}
|
||||
|
||||
//static
|
||||
bool LLCurl::getSSLVerify()
|
||||
{
|
||||
return sSSLVerify;
|
||||
}
|
||||
|
||||
//static
|
||||
std::string LLCurl::getVersionString()
|
||||
{
|
||||
|
|
@ -465,7 +481,8 @@ void LLCurl::Easy::prepRequest(const std::string& url,
|
|||
setErrorBuffer();
|
||||
setCA();
|
||||
|
||||
setopt(CURLOPT_SSL_VERIFYPEER, true);
|
||||
setopt(CURLOPT_SSL_VERIFYPEER, LLCurl::getSSLVerify());
|
||||
setopt(CURLOPT_SSL_VERIFYHOST, LLCurl::getSSLVerify()? 2 : 0);
|
||||
setopt(CURLOPT_TIMEOUT, CURL_REQUEST_TIMEOUT);
|
||||
|
||||
setoptString(CURLOPT_URL, url);
|
||||
|
|
@ -1044,4 +1061,3 @@ void LLCurl::cleanupClass()
|
|||
#endif
|
||||
curl_global_cleanup();
|
||||
}
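Review bot: The verification pair set in LLCurl::Easy::prepRequest() (`CURLOPT_SSL_VERIFYPEER` plus `CURLOPT_SSL_VERIFYHOST` with `2 : 0`) is now spelled out separately here, in LLURLRequest::checkRootCertificate() and in LLXMLRPCTransaction::Impl::init(). The three sites can therefore drift apart again, which is the inconsistency this commit sets out to remove. A single helper on LLCurl::Easy that takes the bool and sets both options would keep them in step. The `bool` from `getSSLVerify()` is also passed straight to `setopt()` for CURLOPT_SSL_VERIFYPEER, an option libcurl reads as a long. The wrapper's parameter type is not visible in this hunk, so an explicit `LLCurl::getSSLVerify() ? 1 : 0` would be the safer spelling. prepRequest() starts and ends outside the hunk.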
|
||||
|
||||
|
|
|
|||
|
|
@ -157,6 +157,16 @@ public:
|
|||
*/
|
||||
static const std::string& getCAPath() { return sCAPath; }
|
||||
|
||||
/**
|
||||
* @ brief Set flag controlling whether to verify HTTPS certs.
|
||||
*/
|
||||
static void setSSLVerify(bool verify);
|
||||
|
||||
/**
|
||||
* @ brief Get flag controlling whether to verify HTTPS certs.
|
||||
*/
|
||||
static bool getSSLVerify();
|
||||
|
||||
/**
|
||||
* @ brief Initialize LLCurl class
|
||||
*/
|
||||
|
|
@ -182,6 +192,7 @@ public:
|
|||
private:
|
||||
static std::string sCAPath;
|
||||
static std::string sCAFile;
|
||||
static bool sSSLVerify;
|
||||
};
|
||||
|
||||
namespace boost
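Review bot: The doc comments on `setSSLVerify()` and `getSSLVerify()` do not say that the flag is process-wide or that `false` turns off host-name matching as well as certificate-chain verification, as the llcurl.cpp hunks show. I would expand the setter's brief to something like `@brief Set the process-wide flag controlling HTTPS peer-certificate and host-name verification; defaults to true, pass false only to work around broken verification.` The flag is a plain static `bool`, so if requests are prepared on more than one thread (the `sSSLMutex` vector suggests they may be), the comment should also state that the setter is meant to be called once during startup.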
|
||||
|
|
|
|||
|
|
@ -222,7 +222,7 @@ static void request(
|
|||
LLPumpIO::chain_t chain;
|
||||
|
||||
LLURLRequest* req = new LLURLRequest(method, url);
|
||||
req->checkRootCertificate(true);
|
||||
req->checkRootCertificate(LLCurl::getSSLVerify());
|
||||
|
||||
|
||||
lldebugs << LLURLRequest::actionAsVerb(method) << " " << url << " "
|
||||
|
|
|
|||
|
|
@ -163,6 +163,7 @@ void LLURLRequest::setBodyLimit(U32 size)
|
|||
void LLURLRequest::checkRootCertificate(bool check)
|
||||
{
|
||||
mDetail->mCurlRequest->setopt(CURLOPT_SSL_VERIFYPEER, (check? TRUE : FALSE));
|
||||
mDetail->mCurlRequest->setopt(CURLOPT_SSL_VERIFYHOST, (check? 2 : 0));
|
||||
mDetail->mCurlRequest->setoptString(CURLOPT_ENCODING, "");
|
||||
}
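Review bot: `checkRootCertificate(false)` now disables host-name verification as well as peer verification for the request, which the function name no longer conveys, and the function has no comment. A caller that passes `false` only to skip the root-CA check will also accept a certificate issued for a different host. I would add a comment above the definition such as `// Enables or disables both peer-certificate and host-name verification for this request; also resets CURLOPT_ENCODING to "".` and check any callers outside this commit that pass a literal `false`.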
|
||||
|
||||
|
|
|
|||
|
|
@ -926,7 +926,6 @@ bool LLAppViewer::mainLoop()
|
|||
{
|
||||
LLMemType mt1(LLMemType::MTYPE_MAIN);
|
||||
mMainloopTimeout = new LLWatchdogTimeout();
|
||||
// *FIX:Mani - Make this a setting, once new settings exist in this branch.
|
||||
|
||||
//-------------------------------------------
|
||||
// Run main loop until time to quit
|
||||
|
|
@ -936,12 +935,13 @@ bool LLAppViewer::mainLoop()
|
|||
gServicePump = new LLPumpIO(gAPRPoolp);
|
||||
LLHTTPClient::setPump(*gServicePump);
|
||||
LLCurl::setCAFile(gDirUtilp->getCAFile());
|
||||
LLCurl::setSSLVerify(! gSavedSettings.getBOOL("NoVerifySSLCert"));
|
||||
|
||||
// Note: this is where gLocalSpeakerMgr and gActiveSpeakerMgr used to be instantiated.
|
||||
|
||||
LLVoiceChannel::initClass();
|
||||
LLVoiceClient::init(gServicePump);
|
||||
|
||||
|
||||
LLTimer frameTimer,idleTimer;
|
||||
LLTimer debugTime;
|
||||
LLViewerJoystick* joystick(LLViewerJoystick::getInstance());
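Review bot: Nothing is logged when `NoVerifySSLCert` turns verification off at the `LLCurl::setSSLVerify(...)` call, so a session running with certificate and host-name checks disabled for every HTTPS and XML-RPC request looks the same in the log as a normal one. A warning here would make that state visible to support staff and to anyone auditing a log, for example `if (!LLCurl::getSSLVerify()) llwarns << "SSL certificate verification is disabled (NoVerifySSLCert)" << llendl;`. mainLoop() continues outside the hunk.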
|
||||
|
|
|
|||
|
|
@ -252,9 +252,8 @@ void LLXMLRPCTransaction::Impl::init(XMLRPC_REQUEST request, bool useGzip)
|
|||
// mCurlRequest->setopt(CURLOPT_VERBOSE, 1); // usefull for debugging
|
||||
mCurlRequest->setopt(CURLOPT_NOSIGNAL, 1);
|
||||
mCurlRequest->setWriteCallback(&curlDownloadCallback, (void*)this);
|
||||
BOOL vefifySSLCert = !gSavedSettings.getBOOL("NoVerifySSLCert");
|
||||
mCurlRequest->setopt(CURLOPT_SSL_VERIFYPEER, vefifySSLCert);
|
||||
mCurlRequest->setopt(CURLOPT_SSL_VERIFYHOST, vefifySSLCert ? 2 : 0);
|
||||
mCurlRequest->setopt(CURLOPT_SSL_VERIFYPEER, LLCurl::getSSLVerify());
|
||||
mCurlRequest->setopt(CURLOPT_SSL_VERIFYHOST, LLCurl::getSSLVerify() ? 2 : 0);
|
||||
// Be a little impatient about establishing connections.
|
||||
mCurlRequest->setopt(CURLOPT_CONNECTTIMEOUT, 40L);
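Review bot: The two new `LLCurl::getSSLVerify()` calls change when the `NoVerifySSLCert` setting is read, and that is not documented. The removed lines read it on every `init()`, while the new ones read a static that LLAppViewer::mainLoop() sets once. A change to the setting during a session therefore no longer affects XML-RPC transactions, and any transaction created before that startup call would use the default of `true`. That is the safe direction, but it deserves a comment next to these lines such as `// Verification policy is fixed at startup via LLCurl::setSSLVerify(); see LLAppViewer::mainLoop().` init() starts and ends outside the hunk.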
|
||||
|
||||
|
|
|
|||