Oz Linden

Don't check HTTP-in URL domains


This is a heads-up for anyone who is using llRequestURL or llRequestSecureURL...

It has come to our attention that some users may be validating that the returned URLs are in the domain they expect, presumably by matching them against something like 'sim.*\.agni\.lindenlab\.com'. These checks may have been inspired by simulator bugs that at one time or another have caused URLs to be returned that didn't work because some part of the domain name was missing.

You should not attempt to validate the contents of the URL. The contents, including the domain name, returned by either of those methods will change when we begin using simulators in the cloud, and possibly sooner. The URLs returned will work (they already have for us in our own internal testing) but you should not assume anything about the URL contents - including the domain name, port number, or anything else.

If you need to be sure that the URL as sent to some client is working, we suggest that you implement a simple health check capability in the handler for your inbound requests rather than attempting to predict whether or not it works through any examination of the URL contents.

If you have URL content checks in your system now, we suggest that you remove them as soon as possible.

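Added example, not code from the original post or from Linden Lab: it contrasts the brittle host-name regex the post warns against with a health probe of the handler itself. The /ping route, the 'pong' reply, the local stand-in server and the cafile parameter (for trusting the Linden Lab CA mentioned later in the thread rather than switching verification off) are assumptions of this example.

```python
import re
import ssl
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# The brittle check the post warns against: rejects any URL whose host is not in the old agni scheme.
OLD_DOMAIN = re.compile(r"^https?://sim\d*\.agni\.lindenlab\.com(:\d+)?/cap/")

def domain_looks_familiar(url):
    """What NOT to do: decide from the hostname whether the URL is usable."""
    return OLD_DOMAIN.match(url) is not None

def health_check(cap_url, cafile=None, timeout=5.0):
    """Recommended: ask the handler. GET <cap_url>/ping must answer 200 'pong' (assumed route).
    cafile becomes the trust anchor for https; certificate and hostname checks stay on."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(cap_url.rstrip("/") + "/ping",
                                    timeout=timeout, context=ctx) as resp:
            return resp.status == 200 and resp.read().strip() == b"pong"
    except (urllib.error.URLError, OSError, ValueError):
        return False  # unreachable, wrong body, or TLS failure: treat as down

class _PingHandler(BaseHTTPRequestHandler):
    """Local stand-in for the LSL http_request handler (constructed; not a sim)."""
    def do_GET(self):
        ok = self.path.endswith("/ping")
        body = b"pong" if ok else b"no such capability"
        self.send_response(200 if ok else 404)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args): pass  # keep the demo quiet

def demo():
    """Serve a constructed capability URL locally and probe it both ways.
    Returns (domain_check_verdict, health_check_verdict)."""
    server = HTTPServer(("127.0.0.1", 0), _PingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    # Shaped like an llRequestURL() result (placeholder key), on a host the regex has never seen.
    cap_url = "http://127.0.0.1:%d/cap/00000000-0000-0000-0000-000000000000" % server.server_port
    try:
        return domain_looks_familiar(cap_url), health_check(cap_url)
    finally:
        server.shutdown()
        server.server_close()
```

Calling demo() returns (False, True): the regex rejects a perfectly working URL, while the probe reports the handler alive.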

Thanks for coming through and offering the heads up on this particular issue.

I hope to see more of these kinds of announcements in the future if/when LL plans on changing things that might cause content breakage or interruption in script-dependent services.

@Oz Linden I would pin this post temporarily at least for a few months, else it will get lost in a sea of new posts.

Edited by Lucia Nightfire

There are places inside the viewer code that may think they know a little too much about SL URLs:

grep "secondlife.com" *.cpp
fsgridhandler.cpp:const char* MAIN_GRID_SLURL_BASE = "http://maps.secondlife.com/secondlife/";
fsslurl.cpp:const char* LLSLURL::MAPS_SECONDLIFE_COM         = "maps.secondlife.com";
fsslurl.cpp:                // (or its a slurl.com or maps.secondlife.com URL).
llappviewer.cpp:        LL_ERRS() << "Viewer failed to find localization and UI files. Please reinstall viewer from  https://secondlife.com/support/downloads/ and contact https://support.secondlife.com if issue persists after reinstall." << LL_ENDL;
llappviewer.cpp:    // https://releasenotes.secondlife.com/viewer/2.1.0.123456.html
llfloaterland.cpp:    // the search crawler "grid-crawl.py" in secondlife.com/doc/app/search/ JC
llfloatermodelpreview.cpp:    //    validate_url = "http://secondlife.com/my/account/mesh.php";
llfloatermodelpreview.cpp:        validate_url = "http://secondlife.com/my/account/mesh.php";
llfloatermodelpreview.cpp:            if (num_hulls > 256) // decomp cannot have more than 256 hulls (http://wiki.secondlife.com/wiki/Mesh/Mesh_physics)
llimprocessing.cpp:        indx = msg.find(" ( http://maps.secondlife.com/secondlife/");
llmarketplacefunctions.cpp:        std::string domain = "secondlife.com";
llmeshrepository.cpp://       http://wiki.secondlife.com/wiki/Mesh/Mesh_Asset_Format)
llmeshrepository.cpp:// See wiki at https://wiki.secondlife.com/wiki/Mesh/Mesh_Asset_Format
llslurl.cpp:const char* LLSLURL::MAPS_SECONDLIFE_COM         = "maps.secondlife.com";
llslurl.cpp:                // (or its a slurl.com or maps.secondlife.com URL).
llstartup.cpp:        gSavedSettings.setString("MapServerURL", "http://test.map.secondlife.com.s3.amazonaws.com/");
llviewercontrol.cpp:    // AO - Phoenixviewer doesn't want to send unecessary noise to secondlife.com
llviewercontrol.cpp:    //if((std::string)test_BrowserHomePage != "http://www.secondlife.com") LL_ERRS() << "Fail BrowserHomePage" << LL_ENDL;
llviewernetwork.cpp:const std::string SL_UPDATE_QUERY_URL = "https://update.secondlife.com/update";
llviewernetwork.cpp:const std::string MAIN_GRID_SLURL_BASE = "http://maps.secondlife.com/secondlife/";
llviewernetwork.cpp:const std::string MAIN_GRID_WEB_PROFILE_URL = "https://my.secondlife.com/";
llviewernetwork.cpp:    // This file does not contain definitions for secondlife.com grids,
llviewernetwork.cpp:                  "https://secondlife.com/helpers/",
llweb.cpp:        substitution["GRID"] = "secondlife.com";
llweb.cpp:        //boost::regex pattern = boost::regex("\\b(lindenlab.com|secondlife.com)$", boost::regex::perl|boost::regex::icase);
llweb.cpp:        boost::regex pattern = boost::regex("\\b(lindenlab.com|secondlife.com|secondlifegrid.net|secondlife-status.statuspage.io)$", boost::regex::perl|boost::regex::icase);
llwebprofile.cpp: *    -> GET https://my-demo.secondlife.com/ via LLViewerMediaWebProfileResponder
llwebprofile.cpp: *    -> GET "https://my-demo.secondlife.com/snapshots/s3_upload_config" via ConfigResponder
llxmlrpctransaction.cpp:    std::string uri = "http://support.secondlife.com";

Some of those are OK, and some may need attention.


Speaking of llRequestSecureURL(), I got an issue recently:

curl https://simXXXXX.agni.lindenlab.com:12043/cap/4700d12c-7c84-580a-892c-1f997899a73b
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

The workaround is to disable the check, but then it's less secure of course.

1 hour ago, Twisted Pharaoh said:

Speaking of llRequestSecureURL(), I got an issue recently:


curl https://simXXXXX.agni.lindenlab.com:12043/cap/4700d12c-7c84-580a-892c-1f997899a73b
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

What's using "curl"?

You probably need a version of "curl" that uses a more recent root certificate store. See:

https://jira.secondlife.com/browse/BUG-228848

https://www.ssl.com/blogs/addtrust-external-ca-root-expired-may-30-2020/

10 minutes ago, animats said:

What's using "curl"?

curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.1g zlib/1.2.11 libidn2/2.3.0 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

This is the stock curl that comes with Ubuntu 18.04; the system is up to date. I've done a dist-upgrade as suggested by your link; that did not help, as I do it regularly anyway. However, I'll move to Ubuntu 20.04 when it becomes official (should be next month) and will check again then. Thanks for the links.


Wait, when did this happen? All the servers just got a more recent SSL certificate store, because an important root cert expired June 1. It should work now with a current "curl", but it wouldn't have worked for a few days last week.

Try putting the URL into one of the SSL certificate chain checker sites, like https://www.sslchecker.com/sslchecker and see what error messages you get.

2 hours ago, Twisted Pharaoh said:

The workaround is to disable the check, but then it's less secure of course.

The real solution is to download and install the Linden Lab root Certificate Authority certificate and add it to the CA store on your system. Simulator certificates are signed by our internal CA cert, which is included in the viewer.

You can download it from https://bitbucket.org/lindenlab/llca/raw/master/LindenLab.crt


Ok thanks, that one worked.

For those who are interested, on Ubuntu I installed it with:

mv LindenLab.crt /usr/local/share/ca-certificates/
update-ca-certificates

On 6/9/2020 at 3:28 PM, Oz Linden said:

The real solution is to download and install the Linden Lab root Certificate Authority certificate and add it to the CA store on your system. Simulator certificates are signed by our internal CA cert, which is included in the viewer.

You can download it from https://bitbucket.org/lindenlab/llca/raw/master/LindenLab.crt

I recently came across this very issue, so it's convenient how recent this thread is. Perhaps adding some kind of note about this on wiki/LlRequestSecureURL could be useful for future users who want secure URLs interacting with their own servers?
