Make NoVerifySSLCert work for all LLURLRequest

Moved CURLOPT_ENCODING from CurlEasyRequest::setPost_raw, and
CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST from
CurlResponderBuffer::prepRequest, to LLURLRequest::configure,
enabling the debug setting NoVerifySSLCert for the latter
two to work as follows: old behavior if "NoVerifySSLCert"
is not set, and check neither if it is set. However, if
the (new) bool mIsAuth is set, the behavior of LLXMLRPCTransaction::Impl::init
is used. This is so that a following commit can replace
LLXMLRPCTransaction with LLURLRequest; LLXMLRPCTransaction::Impl::init
will then be removed. For the same reason, when the new boolean
mNoCompression is set then CURLOPT_ENCODING is set to "identity",
otherwise the old behavior (of clearing it) is used.
Aleric Inglewood
2012-10-20 23:28:33 +02:00
parent 605843b527
commit f8273e977e
8 changed files with 32 additions and 17 deletions


@@ -59,6 +59,12 @@
#include "aihttptimeoutpolicy.h"
#include "aicurleasyrequeststatemachine.h"
//==================================================================================
// Debug Settings
//
bool gNoVerifySSLCert;
//==================================================================================
// Local variables.
//
@@ -828,9 +834,6 @@ void CurlEasyRequest::setPost_raw(U32 size, char const* data)
DoutCurl("POST size is " << size << " bytes.");
}
// Accept everything (send an Accept-Encoding header containing all encodings we support (zlib and gzip)).
setoptString(CURLOPT_ENCODING, ""); // CURLOPT_ACCEPT_ENCODING
// The server never replies with 100-continue, so suppress the "Expect: 100-continue" header that libcurl adds by default.
addHeader("Expect:");
if (size > 0)
@@ -1367,10 +1370,6 @@ void CurlResponderBuffer::prepRequest(AICurlEasyRequest_wat& curl_easy_request_w
curl_easy_request_w->setopt(CURLOPT_MAXREDIRS, HTTP_REDIRECTS_DEFAULT);
}
curl_easy_request_w->setopt(CURLOPT_SSL_VERIFYPEER, 1);
// Don't verify host name so urls with scrubbed host names will work (improves DNS performance).
curl_easy_request_w->setopt(CURLOPT_SSL_VERIFYHOST, 0);
// Keep responder alive.
mResponder = responder;
// Send header events to responder if needed.
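Review bot: `bool gNoVerifySSLCert;` in the "Debug Settings" hunk is a plain writable global that decides whether TLS verification happens, and the header hunk exports it with `extern`, so any file that includes that header can change it after startup even though the setting is described as requiring a restart. The secure default also depends on implicit zero-initialization; an explicit `bool gNoVerifySSLCert = false;` with a comment such as `// Written once by startCurlThread() before the curl thread starts; read-only afterwards.` would make both the default and the intended write-once contract visible. A stronger variant is to keep the variable out of the header and expose only a read accessor, so that startCurlThread() remains the single writer.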


@@ -54,6 +54,8 @@
#include "aithreadsafe.h"
#include "aihttpheaders.h"
extern bool gNoVerifySSLCert;
class LLSD;
class LLBufferArray;
class LLChannelDescriptors;
@@ -147,7 +149,7 @@ struct TransferInfo {
void initCurl(void (*)(void) = NULL);
// Called once at start of application (from LLAppViewer::initThreads), starts AICurlThread.
void startCurlThread(U32 CurlConcurrentConnections);
void startCurlThread(U32 CurlConcurrentConnections, bool NoVerifySSLCert);
// Called once at end of application (from newview/llappviewer.cpp by main thread),
// with purpose to stop curl threads, free curl resources and deinitialize curl.
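Review bot: The comment above startCurlThread() still only says when the function is called and does not mention the new `NoVerifySSLCert` argument, although its effect is process-wide. I would add a line such as `// NoVerifySSLCert: when true, TLS peer and host verification are disabled for every LLURLRequest until the application is restarted.` so that a caller reading the header sees what passing `true` switches off.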


@@ -2482,12 +2482,13 @@ void AICurlEasyRequest::removeRequest(void)
namespace AICurlInterface {
void startCurlThread(U32 CurlConcurrentConnections)
void startCurlThread(U32 CurlConcurrentConnections, bool NoVerifySSLCert)
{
using namespace AICurlPrivate::curlthread;
llassert(is_main_thread());
curl_concurrent_connections = CurlConcurrentConnections; // Debug Setting.
gNoVerifySSLCert = NoVerifySSLCert; // Debug Setting.
AICurlThread::sInstance = new AICurlThread;
AICurlThread::sInstance->start();
}
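Review bot: startCurlThread() stores `NoVerifySSLCert` silently, so a session running without certificate verification leaves no trace in the log. Since the settings hunk shows the value is persisted, a single warning at startup would make this state detectable afterwards, e.g. `if (NoVerifySSLCert) llwarns << "NoVerifySSLCert is set: TLS certificate verification is disabled" << llendl;` placed right after the assignment. Assigning the global before `AICurlThread::sInstance->start()` is the right order and worth a short comment so it is not reordered later.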


@@ -149,7 +149,9 @@ static void request(
LLURLRequest::ERequestAction method,
Injector* body_injector,
LLCurl::ResponderPtr responder,
AIHTTPHeaders& headers)
AIHTTPHeaders& headers,
bool is_auth = false,
bool no_compression = false)
{
if (responder)
{
@@ -160,7 +162,7 @@ static void request(
LLURLRequest* req;
try
{
req = new LLURLRequest(method, url, body_injector, responder, headers);
req = new LLURLRequest(method, url, body_injector, responder, headers, is_auth, no_compression);
}
catch(AICurlNoEasyHandle& error)
{
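Review bot: The new trailing parameters of request() default to `is_auth = false`, so every existing caller keeps host-name verification switched off unless it opts in; per the configure() hunk, `CURLOPT_SSL_VERIFYHOST` is set to 2 only when mIsAuth is true. With host checking off, a certificate that chains to a trusted CA but was issued for a different host is accepted, so the opt-in direction leaves any new call site in the weaker mode by default. Consider dropping the default for `is_auth` so callers have to state the choice, or at least add a comment on the parameter such as `// is_auth: false disables host-name verification for this request.` The body of request() continues outside the hunk.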


@@ -113,8 +113,10 @@ std::string LLURLRequest::actionAsVerb(LLURLRequest::ERequestAction action)
}
// This might throw AICurlNoEasyHandle.
LLURLRequest::LLURLRequest(LLURLRequest::ERequestAction action, std::string const& url, Injector* body, AICurlInterface::ResponderPtr responder, AIHTTPHeaders& headers) :
AICurlEasyRequestStateMachine(true), mAction(action), mURL(url), mBody(body), mResponder(responder), mHeaders(headers)
LLURLRequest::LLURLRequest(LLURLRequest::ERequestAction action, std::string const& url, Injector* body,
AICurlInterface::ResponderPtr responder, AIHTTPHeaders& headers, bool is_auth, bool no_compression) :
AICurlEasyRequestStateMachine(true), mAction(action), mURL(url), mIsAuth(is_auth), mNoCompression(no_compression),
mBody(body), mResponder(responder), mHeaders(headers)
{
}
@@ -507,7 +509,7 @@ bool LLURLRequest::configure(AICurlEasyRequest_wat const& curlEasyRequest_w)
curlEasyRequest_w->setopt(CURLOPT_FOLLOWLOCATION, 1);
// Set Accept-Encoding to allow response compression
curlEasyRequest_w->setoptString(CURLOPT_ENCODING, "");
curlEasyRequest_w->setoptString(CURLOPT_ENCODING, mNoCompression ? "identity" : "");
rv = true;
break;
@@ -525,6 +527,9 @@ bool LLURLRequest::configure(AICurlEasyRequest_wat const& curlEasyRequest_w)
{
// Set the handle for an http post
curlEasyRequest_w->setPost(mBodySize);
// Set Accept-Encoding to allow response compression
curlEasyRequest_w->setoptString(CURLOPT_ENCODING, mNoCompression ? "identity" : "");
rv = true;
break;
}
@@ -546,6 +551,10 @@ bool LLURLRequest::configure(AICurlEasyRequest_wat const& curlEasyRequest_w)
}
if(rv)
{
curlEasyRequest_w->setopt(CURLOPT_SSL_VERIFYPEER, gNoVerifySSLCert ? 0L : 1L);
// Don't verify host name if this is not an authentication request,
// so urls with scrubbed host names will work (improves DNS performance).
curlEasyRequest_w->setopt(CURLOPT_SSL_VERIFYHOST, (gNoVerifySSLCert || !mIsAuth) ? 0L : 2L);
curlEasyRequest_w->finalizeRequest(mURL, mResponder->getHTTPTimeoutPolicy(), this);
}
}
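Review bot: In configure(), `gNoVerifySSLCert` takes precedence over `mIsAuth`, so with the debug setting on, requests flagged as authentication (login, buy land, buy currency, per the member comment in the header) go out with both `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST` at 0. The commit message says this mirrors LLXMLRPCTransaction::Impl::init, which is not visible here; if it is intended, the comment above the VERIFYHOST line should say so, since it currently explains only the non-auth case, e.g. `// NoVerifySSLCert disables peer and host checks for all requests, including authentication ones.` Separately, the two `// Set Accept-Encoding to allow response compression` comments no longer match the code when mNoCompression selects `"identity"`.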


@@ -75,7 +75,7 @@ class LLURLRequest : public AICurlEasyRequestStateMachine {
* @param action One of the ERequestAction enumerations.
* @param url The url of the request. It should already be encoded.
*/
LLURLRequest(ERequestAction action, std::string const& url, Injector* body, AICurlInterface::ResponderPtr responder, AIHTTPHeaders& headers);
LLURLRequest(ERequestAction action, std::string const& url, Injector* body, AICurlInterface::ResponderPtr responder, AIHTTPHeaders& headers, bool is_auth, bool no_compression);
/**
* @brief Turn on cookie handling for this request with CURLOPT_COOKIEFILE.
@@ -109,6 +109,8 @@ class LLURLRequest : public AICurlEasyRequestStateMachine {
private:
ERequestAction mAction;
std::string mURL;
bool mIsAuth; // Set for authentication messages (login, buy land, buy currency).
bool mNoCompression; // Set to disable using gzip.
Injector* mBody; // Non-zero iff the action is HTTP_POST and HTTP_PUT.
U32 mBodySize;
AICurlInterface::ResponderPtr mResponder;
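Review bot: The Doxygen block above the LLURLRequest constructor lists only `action` and `url`, so the two new security-relevant arguments are undocumented at the declaration. I would add `@param is_auth Set for authentication requests; enables host-name verification unless NoVerifySSLCert is set.` and `@param no_compression Request "identity" encoding instead of accepting compressed responses.` The doc block starts outside the hunk, so the existing wording of the other parameters could not be checked.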


@@ -9059,7 +9059,7 @@
<key>NoVerifySSLCert</key>
<map>
<key>Comment</key>
<string>Do not verify SSL peers.</string>
<string>Do not verify SSL peers (requires restart)</string>
<key>Persist</key>
<integer>1</integer>
<key>Type</key>


@@ -1835,7 +1835,7 @@ bool LLAppViewer::initThreads()
LLWatchdog::getInstance()->init(watchdog_killer_callback);
}
AICurlInterface::startCurlThread(gSavedSettings.getU32("CurlConcurrentConnections"));
AICurlInterface::startCurlThread(gSavedSettings.getU32("CurlConcurrentConnections"), gSavedSettings.getBOOL("NoVerifySSLCert"));
LLImage::initClass();