[Opensim-dev] SSL Certificate Checking Disabling Causing Crash, here's the solution, WAS: [Opensim-users] OpenSim crash
Sean McNamara
smcnam at gmail.com
Sun May 29 18:30:21 UTC 2011
Hi,

On Sun, May 29, 2011 at 1:53 PM, Teravus Ovares <teravus at gmail.com> wrote:
> Maybe not.
>
> I sent the 'well rounded', 'well researched' solution. :) We could
> use it.. or not.

When did this problem crop up? Is it still possible to use mono 2.4.x
with the 0.7.1 release? I see no problem with upping our mono version
requirement over time, as long as we document it on the wiki and in
the release notes.

That way we can support the evolution of OpenSim without breaking
"production" applications. You basically have two choices:

(1) Want a "stable", production server? Run RHEL with old mono and old
OpenSim version, and don't whine about the lack of features ;)

(2) Want the bleeding edge? Run the latest Fedora or Ubuntu or
OpenSUSE with current mono and OpenSim from git master, or a
known-good build.

Or you could run RHEL anyway and compile newer mono from source.....

I'd bet that bumping our version requirement to mono 2.6 for git
master would enable a few more niceties that we could use in our code
if we wanted to. I don't have a comprehensive list, but I would
surmise that 2.6.x implements quite a few additional APIs. The other
convenient fact is that mono 2.6 is still the official "Long-Term
Supported" version of mono, so it will hopefully get another micro
patch or two for security or bugfixes. We've depended on at least
2.4.x for a while; maybe it's time to move up. That *would* deprecate
quite a few older distros that ship 2.4 or older, but then, people
running those old distros shouldn't expect to run OpenSim from git
master, any more than they'd expect to run Xorg or Gnome3 from git
master :p

Also, last but not least: this could potentially be a very grave
security concern if you're running mono < 2.6 and you end up using the
MonoCert class you implemented. A trivial "return true;" completely
bypasses the intent of the method, which is to validate the server's
certificate. Returning true unconditionally is *very* dishonest, and
gives older mono users a false sense of security if they really depend
upon this working correctly. The software may work without crashing,
but I think we shouldn't allow users the option of screwing themselves
over with insecure software. We should either check the server's
certificate using some other method, or bump our mono version
requirement to 2.6. If this weren't a security-sensitive method, I'd
say go ahead, but I think most users should be made aware of this
problem if we're going to support 2.4.x. At a very minimum, yell
loudly in the log file. But I'd prefer the existing behavior (go ahead
and crash) as a safer alternative.

Maybe catch this particular exception, yell loudly in the log file
"This is happening because your mono is too old; upgrade to 2.6.x or
use OpenSim version x.y.z or earlier", and re-throw it to continue the
crash? That would simultaneously: prevent a security hole; inform the
user clearly of what's wrong; and tell them how to fix it.

Sean
>
> -Teravus
>
> On Sun, May 29, 2011 at 1:48 PM, Melanie <melanie at t-data.com> wrote:
>> Mono 2.6 already supports this. Do we really need to support
>> anything older?
>>
>> Melanie
>>
>> On 29/05/2011 19:44, Teravus Ovares wrote:
>>> Hey all
>>>
>>> Just noticed that we're trying to use
>>> ServicePointManager.ServerCertificateValidationCallback in the
>>> httpserver
>>>
>>> Just a FYI, Not all versions of Mono will support this. I ran into
>>> that with the OGP module. There's a workaround.
>>>
>>> Create a class that Implements ICertificatePolicy and return true for
>>> the CheckValidationResult method.
>>>
>>> Example:
>>> using System.Net;
>>> using System.Security.Cryptography.X509Certificates;
>>>
>>> public class MonoCert : ICertificatePolicy
>>> {
>>>     #region ICertificatePolicy Members
>>>
>>>     // Accepts every certificate: no validation is performed.
>>>     public bool CheckValidationResult(ServicePoint srvPoint,
>>>         X509Certificate certificate, WebRequest request,
>>>         int certificateProblem)
>>>     {
>>>         return true;
>>>     }
>>>
>>>     #endregion
>>> }
>>>
>>> Then, put a 'Not Implemented Exception' handler around the Callback
>>> Assignment and call
>>>
>>> ServicePointManager.CertificatePolicy = new MonoCert(); // <---- Class
>>> // in example above.
>>>
>>>
>>> This will generate deprecated warnings that you'll need to disable
>>> about having code that mentions ServicePointManager.CertificatePolicy,
>>> however, all new versions of Mono and .NET should use the newer
>>> assignment.
>>>
>>> -- Disable Warnings...
>>> #pragma warning disable 0612, 0618
>>> // Mono does not implement the
>>> // ServicePointManager.ServerCertificateValidationCallback yet! Don't
>>> // remove this!
>>> ServicePointManager.CertificatePolicy = new MonoCert();
>>> #pragma warning restore 0612, 0618
>>>
>>>
>>> Full Code Example:
>>> http://pastebin.ca/2071657
>>>
>>>
>>> -Teravus
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: Teravus Ovares <teravus at gmail.com>
>>> Date: Sun, May 29, 2011 at 1:28 PM
>>> Subject: Re: [Opensim-users] OpenSim crash
>>> To: cliveg at gmail.com, opensim-users at lists.berlios.de
>>>
>>>
>>> I'm not sure if this is implemented in Mono. It didn't use to be.
>>> Maybe they implemented it recently. In either case, check your
>>> version of Mono and make sure it supports
>>> ServicePointManager.ServerCertificateValidationCallback
>>>
>>> Regards
>>>
>>> Teravus
>>>
>>> Exception: System.Reflection.TargetInvocationException: Exception has
>>> been thrown by the target of an invocation. --->
>>> System.NotImplementedException: The requested feature is not
>>> implemented.
>>> at System.Net.ServicePointManager.get_ServerCertificateValidationCallback
>>> () [0x00000]
>>> at OpenSim.Region.CoreModules.Scripting.HttpRequest.HttpRequestModule..ctor
>>> () [0x00000]
>>> at (wrapper managed-to-native)
>>> System.Reflection.MonoCMethod:InternalInvoke
>>> (object,object[],System.Exception&)
>>>
>>> On Sun, May 29, 2011 at 9:11 AM, Clive Gould <cliveg at gmail.com> wrote:
>>>> Hi
>>>>
>>>> I've just upgraded MySQL on our server:
>>>>
>>>> [root at standbyvle ~]# rpm -q mysql
>>>> mysql-5.5.12-1.el5.remi
>>>>
>>>> When I try to start OpenSim I get the console message below.
>>>>
>>>> Is it the version of MySQL and if so is there any way to get OpenSim 0.7.1
>>>> to work with mysql-5.5.12-1?
>>>>
>>>> Thanks very much
>>>>
>>>> Clive
>>>>
>>>> 14:04:51 - [MODULES]: Loading Region's modules (old style)
>>>> 14:04:52 - [MODULES]: Could not load types for plugin DLL
>>>> OpenSim.Region.CoreModules, Version=0.0.0.0, Culture=neutral,
>>>> PublicKeyToken=null. Exception Exception has been thrown by the target of
>>>> an invocation. at System.Reflection.MonoCMethod.Invoke (System.Object obj,
>>>> BindingFlags invokeAttr, System.Reflection.Binder binder, System.Object[]
>>>> parameters, System.Globalization.CultureInfo culture) [0x00000]
>>>> at System.Reflection.MonoCMethod.Invoke (BindingFlags invokeAttr,
>>>> System.Reflection.Binder binder, System.Object[] parameters,
>>>> System.Globalization.CultureInfo culture) [0x00000]
>>>> at System.Reflection.ConstructorInfo.Invoke (System.Object[] parameters)
>>>> [0x00000]
>>>> at System.Activator.CreateInstance (System.Type type, Boolean nonPublic)
>>>> [0x00000]
>>>> at System.Activator.CreateInstance (System.Type type) [0x00000]
>>>> at OpenSim.Region.Framework.ModuleLoader.LoadModules (System.String
>>>> dllName) [0x00000]
>>>> 14:04:52 - [APPLICATION]:
>>>> APPLICATION EXCEPTION DETECTED: System.UnhandledExceptionEventArgs
>>>>
>>>> Exception: System.Reflection.TargetInvocationException: Exception has been
>>>> thrown by the target of an invocation. ---> System.NotImplementedException:
>>>> The requested feature is not implemented.
>>>> at System.Net.ServicePointManager.get_ServerCertificateValidationCallback
>>>> () [0x00000]
>>>> at
>>>> OpenSim.Region.CoreModules.Scripting.HttpRequest.HttpRequestModule..ctor ()
>>>> [0x00000]
>>>> at (wrapper managed-to-native)
>>>> System.Reflection.MonoCMethod:InternalInvoke
>>>> (object,object[],System.Exception&)
>>>> at System.Reflection.MonoCMethod.Invoke (System.Object obj, BindingFlags
>>>> invokeAttr, System.Reflection.Binder binder, System.Object[] parameters,
>>>> System.Globalization.CultureInfo culture) [0x00000]
>>>> --- End of inner exception stack trace ---
>>>> at System.Reflection.MonoCMethod.Invoke (System.Object obj, BindingFlags
>>>> invokeAttr, System.Reflection.Binder binder, System.Object[] parameters,
>>>> System.Globalization.CultureInfo culture) [0x00000]
>>>> at System.Reflection.MonoCMethod.Invoke (BindingFlags invokeAttr,
>>>> System.Reflection.Binder binder, System.Object[] parameters,
>>>> System.Globalization.CultureInfo culture) [0x00000]
>>>> at System.Reflection.ConstructorInfo.Invoke (System.Object[] parameters)
>>>> [0x00000]
>>>> at System.Activator.CreateInstance (System.Type type, Boolean nonPublic)
>>>> [0x00000]
>>>> at System.Activator.CreateInstance (System.Type type) [0x00000]
>>>> at OpenSim.Region.Framework.ModuleLoader.LoadModules (System.String
>>>> dllName) [0x00000]
>>>> InnerException: System.NotImplementedException: The requested feature is not
>>>> implemented.
>>>> at System.Net.ServicePointManager.get_ServerCertificateValidationCallback
>>>> () [0x00000]
>>>> at
>>>> OpenSim.Region.CoreModules.Scripting.HttpRequest.HttpRequestModule..ctor ()
>>>> [0x00000]
>>>> at (wrapper managed-to-native)
>>>> System.Reflection.MonoCMethod:InternalInvoke
>>>> (object,object[],System.Exception&)
>>>> at System.Reflection.MonoCMethod.Invoke (System.Object obj, BindingFlags
>>>> invokeAttr, System.Reflection.Binder binder, System.Object[] parameters,
>>>> System.Globalization.CultureInfo culture) [0x00000]
>>>>
>>>> Application is terminating: True
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Opensim-users mailing list
>>>> Opensim-users at lists.berlios.de
>>>> https://lists.berlios.de/mailman/listinfo/opensim-users
>>>>
>>>>
>>> _______________________________________________
>>> Opensim-dev mailing list
>>> Opensim-dev at lists.berlios.de
>>> https://lists.berlios.de/mailman/listinfo/opensim-dev
>>>
>>>
>
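Added example, not part of the original thread and not OpenSim's own code: one way to write the two alternatives raised in Sean's message above, either validating through the legacy ICertificatePolicy interface instead of returning true, or logging loudly and re-throwing so the process still fails closed. The names StrictCertPolicy, CertValidationSetup and allowLegacyPolicy are hypothetical, and Console.Error stands in for the project's logger.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Legacy-interface policy that still validates: certificateProblem is 0
// when the runtime reports no problem with the server certificate.
public class StrictCertPolicy : ICertificatePolicy
{
    public bool CheckValidationResult(ServicePoint srvPoint,
        X509Certificate certificate, WebRequest request, int certificateProblem)
    {
        return certificateProblem == 0;
    }
}

public static class CertValidationSetup   // hypothetical helper name
{
    static bool Validate(object sender, X509Certificate cert,
        X509Chain chain, SslPolicyErrors errors)
    {
        return errors == SslPolicyErrors.None;   // reject any reported problem
    }

    // allowLegacyPolicy is an assumed opt-in switch, not an OpenSim setting.
    public static void Install(bool allowLegacyPolicy)
    {
        try
        {
            // Reads then writes the property, so an unimplemented accessor throws here.
            ServicePointManager.ServerCertificateValidationCallback += Validate;
        }
        catch (NotImplementedException)
        {
            Console.Error.WriteLine("[HTTPS]: this Mono runtime does not implement " +
                "ServerCertificateValidationCallback; upgrade to Mono 2.6.x.");
            if (!allowLegacyPolicy)
                throw;   // fail closed: keep the crash, now with an explanation
#pragma warning disable 0612, 0618
            ServicePointManager.CertificatePolicy = new StrictCertPolicy();
#pragma warning restore 0612, 0618
            Console.Error.WriteLine("[HTTPS]: using legacy strict certificate policy.");
        }
    }

    public static void Main()
    {
        Install(false);
        Console.WriteLine("certificate validation installed");
    }
}
```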