[Opensim-dev] SSL Certificate Checking Disabling Causing Crash, here's the solution, WAS: [Opensim-users] OpenSim crash
Justin Clark-Casey
jjustincc at googlemail.com
Sun May 29 19:29:39 UTC 2011
Mono 2.4.3 implements ServicePointManager.get_ServerCertificateValidationCallback() but Mono 2.4.2.3 does not. Hence
mono 2.4.3 is now the minimum version unless one applies Teravus' workaround. However, I don't know if this would also
affect some of BlueWall's recent SSL work.
I don't think that mono 2.4.3 is an unreasonable requirement as it was released in Dec 2009 and all the major Linux
distros are on at least the 2.6 series now.
On 29/05/11 19:56, Teravus Ovares wrote:
> Sean
>
> Just a note, this issue is regarding HTTP Requests from the script
> engine. The SSL Certificate checking is disable-able via a LSL
> command:
> http://lslwiki.net/lslwiki/wakka.php?wakka=llHTTPRequest
>
> HTTP_VERIFY_CERT 3 integer TRUE If TRUE, the server SSL certificate
> must be verifiable using one of the standard certificate authorities
> when making HTTPS requests. If FALSE, any server SSL certificate will
> be accepted. (Supported in version 1.10.4)
>
> In order to maintain reasonable expectation that scripts using
> llHTTPRequest will function on OpenSimulator, providing the option of
> disabling SSL Certificate checking is /Required/.
>
> -Teravus
>
>
> On Sun, May 29, 2011 at 2:30 PM, Sean McNamara<smcnam at gmail.com> wrote:
>> Hi,
>>
>> On Sun, May 29, 2011 at 1:53 PM, Teravus Ovares<teravus at gmail.com> wrote:
>>> Maybe not.
>>>
>>> I sent the 'well rounded', 'well researched' solution. :) We could
>>> use it.. or not.
>>
>> When did this problem crop up? Is it still possible to use mono 2.4.x
>> with the 0.7.1 release? I see no problem with upping our mono version
>> requirement over time, as long as we document it on the wiki and in
>> the release notes.
>>
>> That way we can support the evolution of OpenSim without breaking
>> "production" applications. You basically have two choices:
>>
>> (1) Want a "stable", production server? Run RHEL with old mono and old
>> OpenSim version, and don't whine about the lack of features ;)
>>
>> (2) Want the bleeding edge? Run the latest Fedora or Ubuntu or
>> OpenSUSE with current mono and OpenSim from git master, or a
>> known-good build.
>>
>> Or you could run RHEL anyway and compile newer mono from source.....
>>
>> I'd bet that bumping our version requirement to mono 2.6 for git
>> master would enable a few more niceties that we could use in our code
>> if we wanted to. I don't have a comprehensive list, but I would
>> surmise that 2.6.x implements quite a few additional APIs. The other
>> convenient fact is that mono 2.6 is still the official "Long-Term
>> Supported" version of mono, so it will hopefully get another micro
>> patch or two for security or bugfixes. We've depended on at least
>> 2.4.x for a while; maybe it's time to move up. That *would* deprecate
>> quite a few older distros that ship 2.4 or older, but then, people
>> running those old distros shouldn't expect to run OpenSim from git
>> master, any more than they'd expect to run Xorg or Gnome3 from git
>> master :p
>>
>> Also, last but not least: this could potentially be a very grave
>> security concern if you're running mono < 2.6 and you end up using the
>> MonoCert class you implemented. A trivial "return true;" completely
>> bypasses the intent of the method, which is to validate the server's
>> certificate. Returning true unconditionally is *very* dishonest, and
>> gives older mono users a false sense of security if they really depend
>> upon this working correctly. The software may work without crashing,
>> but I think we shouldn't allow users the option of screwing themselves
>> over with insecure software. We should either check the server's
>> certificate using some other method, or bump our mono version
>> requirement to 2.6. If this weren't a security-sensitive method, I'd
>> say go ahead, but I think most users should be made aware of this
>> problem if we're going to support 2.4.x. At a very minimum, yell
>> loudly in the log file. But I'd prefer the existing behavior (go ahead
>> and crash) as a safer alternative.
>>
>> Maybe catch this particular exception, yell loudly in the log file
>> "This is happening because your mono is too old; upgrade to 2.6.x or
>> use OpenSim version x.y.z or earlier", and re-throw it to continue the
>> crash? That would simultaneously: prevent a security hole; inform the
>> user clearly of what's wrong; and tell them how to fix it.
>>
>> Sean
>>
>>>
>>> -Teravus
>>>
>>> On Sun, May 29, 2011 at 1:48 PM, Melanie<melanie at t-data.com> wrote:
>>>> Mono 2.6 already supports this. Do we really need to support
>>>> anything older?
>>>>
>>>> Melanie
>>>>
>>>> On 29/05/2011 19:44, Teravus Ovares wrote:
>>>>> Hey all
>>>>>
>>>>> Just noticed that we're trying to use
>>>>> ServicePointManager.ServerCertificateValidationCallback in the
>>>>> httpserver
>>>>>
>>>>> Just an FYI, not all versions of Mono will support this. I ran into
>>>>> that with the OGP module. There's a workaround.
>>>>>
>>>>> Create a class that Implements ICertificatePolicy and return true for
>>>>> the CheckValidationResult method.
>>>>>
>>>>> Example:
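>>>>> using System.Net;
>>>>> using System.Security.Cryptography.X509Certificates;
>>>>>
>>>>> // Legacy ICertificatePolicy that accepts every server certificate.
>>>>> public class MonoCert : ICertificatePolicy
>>>>> {
>>>>>     #region ICertificatePolicy Members
>>>>>
>>>>>     public bool CheckValidationResult(ServicePoint srvPoint,
>>>>>         X509Certificate certificate, WebRequest request,
>>>>>         int certificateProblem)
>>>>>     {
>>>>>         return true;
>>>>>     }
>>>>>
>>>>>     #endregion
>>>>> }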
>>>>>
>>>>> Then, put a 'Not Implemented Exception' handler around the Callback
>>>>> Assignment and call
>>>>>
>>>>> ServicePointManager.CertificatePolicy = new MonoCert(); // <---- Class in example above.
>>>>>
>>>>>
>>>>> This will generate deprecation warnings that you'll need to disable
>>>>> about having code that mentions ServicePointManager.CertificatePolicy,
>>>>> however, all new versions of Mono and .NET should use the newer
>>>>> assignment.
>>>>>
>>>>> -- Disable Warnings...
>>>>> #pragma warning disable 0612, 0618
>>>>> // Mono does not implement the
>>>>> // ServicePointManager.ServerCertificateValidationCallback yet! Don't
>>>>> // remove this!
>>>>> ServicePointManager.CertificatePolicy = new MonoCert();
>>>>> #pragma warning restore 0612, 0618
>>>>>
>>>>>
>>>>> Full Code Example:
>>>>> http://pastebin.ca/2071657
>>>>>
>>>>>
>>>>> -Teravus
>>>>>
>>>>>
>>>>> ---------- Forwarded message ----------
>>>>> From: Teravus Ovares<teravus at gmail.com>
>>>>> Date: Sun, May 29, 2011 at 1:28 PM
>>>>> Subject: Re: [Opensim-users] OpenSim crash
>>>>> To: cliveg at gmail.com, opensim-users at lists.berlios.de
>>>>>
>>>>>
>>>>> I'm not sure if this is implemented in Mono. It didn't use to be.
>>>>> Maybe they implemented it recently. In either case, check your
>>>>> version of Mono and make sure it supports
>>>>> ServicePointManager.ServerCertificateValidationCallback
>>>>>
>>>>> Regards
>>>>>
>>>>> Teravus
>>>>>
>>>>> Exception: System.Reflection.TargetInvocationException: Exception has
>>>>> been thrown by the target of an invocation. --->
>>>>> System.NotImplementedException: The requested feature is not
>>>>> implemented.
>>>>> at System.Net.ServicePointManager.get_ServerCertificateValidationCallback
>>>>> () [0x00000]
>>>>> at OpenSim.Region.CoreModules.Scripting.HttpRequest.HttpRequestModule..ctor
>>>>> () [0x00000]
>>>>> at (wrapper managed-to-native)
>>>>> System.Reflection.MonoCMethod:InternalInvoke
>>>>> (object,object[],System.Exception&)
>>>>>
>>>>> On Sun, May 29, 2011 at 9:11 AM, Clive Gould<cliveg at gmail.com> wrote:
>>>>>> Hi
>>>>>>
>>>>>> I've just upgraded MySQL on our server:
>>>>>>
>>>>>> [root at standbyvle ~]# rpm -q mysql
>>>>>> mysql-5.5.12-1.el5.remi
>>>>>>
>>>>>> When I try to start OpenSim I get the console message below.
>>>>>>
>>>>>> Is it the version of MySQL and if so is there any way to get OpenSim 0.7.1
>>>>>> to work with mysql-5.5.12-1?
>>>>>>
>>>>>> Thanks very much
>>>>>>
>>>>>> Clive
>>>>>>
>>>>>> 14:04:51 - [MODULES]: Loading Region's modules (old style)
>>>>>> 14:04:52 - [MODULES]: Could not load types for plugin DLL
>>>>>> OpenSim.Region.CoreModules, Version=0.0.0.0, Culture=neutral,
>>>>>> PublicKeyToken=null. Exception Exception has been thrown by the target of
>>>>>> an invocation. at System.Reflection.MonoCMethod.Invoke (System.Object obj,
>>>>>> BindingFlags invokeAttr, System.Reflection.Binder binder, System.Object[]
>>>>>> parameters, System.Globalization.CultureInfo culture) [0x00000]
>>>>>> at System.Reflection.MonoCMethod.Invoke (BindingFlags invokeAttr,
>>>>>> System.Reflection.Binder binder, System.Object[] parameters,
>>>>>> System.Globalization.CultureInfo culture) [0x00000]
>>>>>> at System.Reflection.ConstructorInfo.Invoke (System.Object[] parameters)
>>>>>> [0x00000]
>>>>>> at System.Activator.CreateInstance (System.Type type, Boolean nonPublic)
>>>>>> [0x00000]
>>>>>> at System.Activator.CreateInstance (System.Type type) [0x00000]
>>>>>> at OpenSim.Region.Framework.ModuleLoader.LoadModules (System.String
>>>>>> dllName) [0x00000]
>>>>>> 14:04:52 - [APPLICATION]:
>>>>>> APPLICATION EXCEPTION DETECTED: System.UnhandledExceptionEventArgs
>>>>>>
>>>>>> Exception: System.Reflection.TargetInvocationException: Exception has been
>>>>>> thrown by the target of an invocation. ---> System.NotImplementedException:
>>>>>> The requested feature is not implemented.
>>>>>> at System.Net.ServicePointManager.get_ServerCertificateValidationCallback
>>>>>> () [0x00000]
>>>>>> at
>>>>>> OpenSim.Region.CoreModules.Scripting.HttpRequest.HttpRequestModule..ctor ()
>>>>>> [0x00000]
>>>>>> at (wrapper managed-to-native)
>>>>>> System.Reflection.MonoCMethod:InternalInvoke
>>>>>> (object,object[],System.Exception&)
>>>>>> at System.Reflection.MonoCMethod.Invoke (System.Object obj, BindingFlags
>>>>>> invokeAttr, System.Reflection.Binder binder, System.Object[] parameters,
>>>>>> System.Globalization.CultureInfo culture) [0x00000]
>>>>>> --- End of inner exception stack trace ---
>>>>>> at System.Reflection.MonoCMethod.Invoke (System.Object obj, BindingFlags
>>>>>> invokeAttr, System.Reflection.Binder binder, System.Object[] parameters,
>>>>>> System.Globalization.CultureInfo culture) [0x00000]
>>>>>> at System.Reflection.MonoCMethod.Invoke (BindingFlags invokeAttr,
>>>>>> System.Reflection.Binder binder, System.Object[] parameters,
>>>>>> System.Globalization.CultureInfo culture) [0x00000]
>>>>>> at System.Reflection.ConstructorInfo.Invoke (System.Object[] parameters)
>>>>>> [0x00000]
>>>>>> at System.Activator.CreateInstance (System.Type type, Boolean nonPublic)
>>>>>> [0x00000]
>>>>>> at System.Activator.CreateInstance (System.Type type) [0x00000]
>>>>>> at OpenSim.Region.Framework.ModuleLoader.LoadModules (System.String
>>>>>> dllName) [0x00000]
>>>>>> InnerException: System.NotImplementedException: The requested feature is not
>>>>>> implemented.
>>>>>> at System.Net.ServicePointManager.get_ServerCertificateValidationCallback
>>>>>> () [0x00000]
>>>>>> at
>>>>>> OpenSim.Region.CoreModules.Scripting.HttpRequest.HttpRequestModule..ctor ()
>>>>>> [0x00000]
>>>>>> at (wrapper managed-to-native)
>>>>>> System.Reflection.MonoCMethod:InternalInvoke
>>>>>> (object,object[],System.Exception&)
>>>>>> at System.Reflection.MonoCMethod.Invoke (System.Object obj, BindingFlags
>>>>>> invokeAttr, System.Reflection.Binder binder, System.Object[] parameters,
>>>>>> System.Globalization.CultureInfo culture) [0x00000]
>>>>>>
>>>>>> Application is terminating: True
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Opensim-users mailing list
>>>>>> Opensim-users at lists.berlios.de
>>>>>> https://lists.berlios.de/mailman/listinfo/opensim-users
>>>>>>
>>>>>>
>>>>> _______________________________________________
>>>>> Opensim-dev mailing list
>>>>> Opensim-dev at lists.berlios.de
>>>>> https://lists.berlios.de/mailman/listinfo/opensim-dev
>>>>>
>>>>>
--
Justin Clark-Casey (justincc)
http://justincc.org/blog
http://twitter.com/justincc
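
The two requirements argued in the quoted thread (HTTP_VERIFY_CERT = FALSE must work for scripts, and a missing callback should be logged and re-thrown rather than replaced by `return true;`) can be met together. The following is an added example, not part of the original message and not OpenSim's code; `ScriptedHttpCertPolicy` and its members are hypothetical, and it assumes the runtime passes the originating request as `sender` to the callback.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
// Hypothetical helper for illustration; not OpenSim code.
public static class ScriptedHttpCertPolicy
{
    // Requests whose script passed HTTP_VERIFY_CERT = FALSE.
    private static readonly HashSet<WebRequest> s_noVerify = new HashSet<WebRequest>();

    // Returns true if an already-installed callback was replaced.
    public static bool Install()
    {
        try
        {
            // Reading the property is the call that throws in the trace above.
            bool replaced = ServicePointManager.ServerCertificateValidationCallback != null;
            ServicePointManager.ServerCertificateValidationCallback = Validate;
            return replaced;
        }
        catch (NotImplementedException)
        {
            // Explain the cause, then keep failing instead of accepting every certificate.
            Console.Error.WriteLine("[HTTPREQUEST]: this Mono lacks " +
                "ServerCertificateValidationCallback; upgrade Mono to run this module.");
            throw;
        }
    }

    public static HttpWebRequest Create(string url, bool verifyCert)
    {
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
        if (!verifyCert)
            lock (s_noVerify) s_noVerify.Add(req);
        return req;
    }

    // Call when the request completes so the opt-out set does not grow.
    public static void Release(WebRequest req)
    {
        lock (s_noVerify) s_noVerify.Remove(req);
    }

    // Assumption: the runtime passes the originating request as sender.
    public static bool Validate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true; // chain and host name verified
        WebRequest req = sender as WebRequest;           // unknown sender: fail closed
        lock (s_noVerify) return req != null && s_noVerify.Contains(req);
    }
}
```

Only requests explicitly created with `verifyCert` set to false skip validation; every other HTTPS request in the process still fails on a bad certificate.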