Mono 2.4.3 implements ServicePointManager.get_ServerCertificateValidationCallback() but Mono 2.4.2.3 does not. Hence mono 2.4.3 is now the minimum version unless one applies Teravus' workaround. However, I don't know if this would also affect some of BlueWall's recent SSL work.

I don't think that mono 2.4.3 is an unreasonable requirement as it was released in Dec 2009 and all the major Linux distros are on at least the 2.6 series now.

On 29/05/11 19:56, Teravus Ovares wrote:
Sean

Just a note, this issue is regarding HTTP Requests from the script
engine. The SSL Certificate checking is disable-able via a LSL
command:
http://lslwiki.net/lslwiki/wakka.php?wakka=llHTTPRequest

HTTP_VERIFY_CERT  3 integer  TRUE  If TRUE, the server SSL certificate
must be verifiable using one of the standard certificate authorities
when making HTTPS requests. If FALSE, any server SSL certificate will
be accepted. (Supported in version 1.10.4)

In order to maintain reasonable expectation that scripts using
llHTTPRequest will function on OpenSimulator, providing the option of
disabling SSL Certificate checking is /Required/.

-Teravus


On Sun, May 29, 2011 at 2:30 PM, Sean McNamara<[email protected]>  wrote:
Hi,

On Sun, May 29, 2011 at 1:53 PM, Teravus Ovares<[email protected]>  wrote:
Maybe not.

I sent the 'well rounded', 'well researched' solution. :)  We could
use it..  or not.

When did this problem crop-up? Is it still possible to use mono 2.4.x
with the 0.7.1 release? I see no problem with upping our mono version
requirement over time, as long as we document it on the wiki and in
the release notes.

That way we can support the evolution of OpenSim without breaking
"production" applications. You basically have two choices:

(1) Want a "stable", production server? Run RHEL with old mono and old
OpenSim version, and don't whine about the lack of features ;)

(2) Want the bleeding edge? Run the latest Fedora or Ubuntu or
OpenSUSE with current mono and OpenSim from git master, or a
known-good build.

Or you could run RHEL anyway and compile newer mono from source.....

I'd bet that bumping our version requirement to mono 2.6 for git
master would enable a few more niceties that we could use in our code
if we wanted to. I don't have a comprehensive list, but I would
surmise that 2.6.x implements quite a few additional APIs. The other
convenient fact is that mono 2.6 is still the official "Long-Term
Supported" version of mono, so it will hopefully get another micro
patch or two for security or bugfixes. We've depended on at least
2.4.x for a while; maybe it's time to move up. That *would* deprecate
quite a few older distros that ship 2.4 or older, but then, people
running those old distros shouldn't expect to run OpenSim from git
master, any more than they'd expect to run Xorg or Gnome3 from git
master :p

Also, last but not least: this could potentially be a very grave
security concern if you're running mono < 2.6 and you end up using the
MonoCert class you implemented. A trivial "return true;" completely
bypasses the intent of the method, which is to validate the server's
certificate. Returning true unconditionally is *very* dishonest, and
gives older mono users a false sense of security if they really depend
upon this working correctly. The software may work without crashing,
but I think we shouldn't allow users the option of screwing themselves
over with insecure software. We should either check the server's
certificate using some other method, or bump our mono version
requirement to 2.6. If this weren't a security-sensitive method, I'd
say go ahead, but I think most users should be made aware of this
problem if we're going to support 2.4.x. At a very minimum, yell
loudly in the log file. But I'd prefer the existing behavior (go ahead
and crash) as a safer alternative.

Maybe catch this particular exception, yell loudly in the log file
"This is happening because your mono is too old; upgrade to 2.6.x or
use OpenSim version x.y.z or earlier", and re-throw it to continue the
crash? That would simultaneously: prevent a security hole; inform the
user clearly of what's wrong; and tell them how to fix it.

Sean


-Teravus

On Sun, May 29, 2011 at 1:48 PM, Melanie<[email protected]>  wrote:
Mono 2.6 already supports this. Do we really need to support
anything older?

Melanie

On 29/05/2011 19:44, Teravus Ovares wrote:
Hey all

Just noticed that we're trying to use
ServicePointManager.ServerCertificateValidationCallback in the
httpserver

Just a FYI, Not all versions of Mono will support this.    I ran into
that with the OGP module.   There's a workaround.

Create a class that Implements ICertificatePolicy and return true for
the CheckValidationResult method.

Example:
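using System.Net;
using System.Security.Cryptography.X509Certificates;

public class MonoCert : ICertificatePolicy
{
    #region ICertificatePolicy Members

    // Accepts every certificate, whatever certificateProblem reports.
    public bool CheckValidationResult(ServicePoint srvPoint,
        X509Certificate certificate, WebRequest request, int certificateProblem)
    {
        return true;
    }

    #endregion
}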

Then, put a 'Not Implemented Exception' handler around the Callback
Assignment and call

ServicePointManager.CertificatePolicy = new MonoCert(); // <---- Class in example above.


This will generate deprecated warnings that you'll need to disable
about having code that mentions ServicePointManager.CertificatePolicy,
however, all new versions of Mono and .NET should use the newer
assignment.

-- Disable Warnings...
#pragma warning disable 0612, 0618
             // Mono does not implement the ServicePointManager.ServerCertificateValidationCallback yet!
             // Don't remove this!
             ServicePointManager.CertificatePolicy = new MonoCert();
#pragma warning restore 0612, 0618


Full Code Example:
http://pastebin.ca/2071657


-Teravus


---------- Forwarded message ----------
From: Teravus Ovares<[email protected]>
Date: Sun, May 29, 2011 at 1:28 PM
Subject: Re: [Opensim-users] OpenSim crash
To: [email protected], [email protected]


I'm not sure if this is implemented in Mono.    It didn't use to be.
Maybe they implemented it recently.   In either case, check your
version of Mono and make sure it supports
ServicePointManager.ServerCertificateValidationCallback

Regards

Teravus

Exception: System.Reflection.TargetInvocationException: Exception has
been thrown by the target of an invocation. --->
System.NotImplementedException: The requested feature is not
implemented.
  at System.Net.ServicePointManager.get_ServerCertificateValidationCallback
() [0x00000]
  at OpenSim.Region.CoreModules.Scripting.HttpRequest.HttpRequestModule..ctor
() [0x00000]
  at (wrapper managed-to-native)
System.Reflection.MonoCMethod:InternalInvoke
(object,object[],System.Exception&)

On Sun, May 29, 2011 at 9:11 AM, Clive Gould<[email protected]>  wrote:
Hi

I've just upgraded MySQL on our server:

[root@standbyvle ~]# rpm -q mysql
mysql-5.5.12-1.el5.remi

When I try to start OpenSim I get the console message below.

Is it the version of MySQL and if so is there any way to get OpenSim 0.7.1
to work with mysql-5.5.12-1?

Thanks very much

Clive

14:04:51 - [MODULES]: Loading Region's modules (old style)
14:04:52 - [MODULES]: Could not load types for plugin DLL
OpenSim.Region.CoreModules, Version=0.0.0.0, Culture=neutral,
PublicKeyToken=null.  Exception Exception has been thrown by the target of
an invocation.   at System.Reflection.MonoCMethod.Invoke (System.Object obj,
BindingFlags invokeAttr, System.Reflection.Binder binder, System.Object[]
parameters, System.Globalization.CultureInfo culture) [0x00000]
   at System.Reflection.MonoCMethod.Invoke (BindingFlags invokeAttr,
System.Reflection.Binder binder, System.Object[] parameters,
System.Globalization.CultureInfo culture) [0x00000]
   at System.Reflection.ConstructorInfo.Invoke (System.Object[] parameters)
[0x00000]
   at System.Activator.CreateInstance (System.Type type, Boolean nonPublic)
[0x00000]
   at System.Activator.CreateInstance (System.Type type) [0x00000]
   at OpenSim.Region.Framework.ModuleLoader.LoadModules (System.String
dllName) [0x00000]
14:04:52 - [APPLICATION]:
APPLICATION EXCEPTION DETECTED: System.UnhandledExceptionEventArgs

Exception: System.Reflection.TargetInvocationException: Exception has been
thrown by the target of an invocation. --->  System.NotImplementedException:
The requested feature is not implemented.
   at System.Net.ServicePointManager.get_ServerCertificateValidationCallback
() [0x00000]
   at
OpenSim.Region.CoreModules.Scripting.HttpRequest.HttpRequestModule..ctor ()
[0x00000]
   at (wrapper managed-to-native)
System.Reflection.MonoCMethod:InternalInvoke
(object,object[],System.Exception&)
   at System.Reflection.MonoCMethod.Invoke (System.Object obj, BindingFlags
invokeAttr, System.Reflection.Binder binder, System.Object[] parameters,
System.Globalization.CultureInfo culture) [0x00000]
   --- End of inner exception stack trace ---
   at System.Reflection.MonoCMethod.Invoke (System.Object obj, BindingFlags
invokeAttr, System.Reflection.Binder binder, System.Object[] parameters,
System.Globalization.CultureInfo culture) [0x00000]
   at System.Reflection.MonoCMethod.Invoke (BindingFlags invokeAttr,
System.Reflection.Binder binder, System.Object[] parameters,
System.Globalization.CultureInfo culture) [0x00000]
   at System.Reflection.ConstructorInfo.Invoke (System.Object[] parameters)
[0x00000]
   at System.Activator.CreateInstance (System.Type type, Boolean nonPublic)
[0x00000]
   at System.Activator.CreateInstance (System.Type type) [0x00000]
   at OpenSim.Region.Framework.ModuleLoader.LoadModules (System.String
dllName) [0x00000]
InnerException: System.NotImplementedException: The requested feature is not
implemented.
   at System.Net.ServicePointManager.get_ServerCertificateValidationCallback
() [0x00000]
   at
OpenSim.Region.CoreModules.Scripting.HttpRequest.HttpRequestModule..ctor ()
[0x00000]
   at (wrapper managed-to-native)
System.Reflection.MonoCMethod:InternalInvoke
(object,object[],System.Exception&)
   at System.Reflection.MonoCMethod.Invoke (System.Object obj, BindingFlags
invokeAttr, System.Reflection.Binder binder, System.Object[] parameters,
System.Globalization.CultureInfo culture) [0x00000]

Application is terminating: True




_______________________________________________
Opensim-users mailing list
[email protected]
https://lists.berlios.de/mailman/listinfo/opensim-users


_______________________________________________
Opensim-dev mailing list
[email protected]
https://lists.berlios.de/mailman/listinfo/opensim-dev




--
Justin Clark-Casey (justincc)
http://justincc.org/blog
http://twitter.com/justincc
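
The two positions in this thread (fail closed on old Mono, and still honor a script's HTTP_VERIFY_CERT = FALSE) can be combined as below; this is an added example, not code from the thread or from OpenSim. ScriptHttpCertPolicy and its members are hypothetical, Console.Error stands in for the project logger, and the callback assumes the runtime passes the originating request as sender.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example: hypothetical names, not OpenSim's actual code.
public static class ScriptHttpCertPolicy
{
    // Requests whose script passed HTTP_VERIFY_CERT = FALSE.
    private static readonly HashSet<WebRequest> OptedOut = new HashSet<WebRequest>();

    public static void Install()
    {
        try
        {
            ServicePointManager.ServerCertificateValidationCallback = Validate;
        }
        catch (NotImplementedException)
        {
            // Fail closed: explain the cause, then let the crash continue
            // instead of installing an accept-everything policy.
            Console.Error.WriteLine(
                "ServerCertificateValidationCallback is not implemented by this " +
                "Mono; upgrade Mono. Refusing to run without certificate checks.");
            throw;
        }
    }

    // Call SkipVerification before GetResponse() for a request made with
    // HTTP_VERIFY_CERT = FALSE, and Forget once that request has completed.
    public static void SkipVerification(WebRequest req) { lock (OptedOut) OptedOut.Add(req); }
    public static void Forget(WebRequest req) { lock (OptedOut) OptedOut.Remove(req); }

    private static bool Validate(object sender, X509Certificate cert,
                                 X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;                       // chain and host name both verified

        WebRequest req = sender as WebRequest; // assumption: sender is the request
        bool optedOut;
        lock (OptedOut) optedOut = req != null && OptedOut.Contains(req);

        Console.Error.WriteLine("TLS certificate errors ({0}) for {1}: {2}",
            errors, req != null ? req.RequestUri.ToString() : "unknown",
            optedOut ? "accepted, script disabled verification" : "rejected");
        return optedOut;
    }
}
```

Verification stays the default for every request, and each accepted-with-errors connection leaves a log line tied to the request that opted out.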