cinderblocks / libremetaverse

A fork of the libopenmetaverse library striving for performance improvements and up-to-date compatibility with SL/OS/Halcyon
BSD 3-Clause "New" or "Revised" License

Error opening the login server connection: For security reasons DTD is prohibited in this XML document. To enable DTD processing set the DtdProcessing property on the XmlReaderSettings to Parse and pass the settings into XmlReader.Create method #89

Closed neil2ball closed 1 week ago

neil2ball commented 9 months ago

I've been trying to access my ROBUST server using Radegast. I have it behind an Apache reverse proxy to take advantage of https and ModSecurity. Admittedly, this is a big part of the issue as I can access a localhost standalone region with no problems. However, https in OpenSim is a mess on its own. I managed to get it to work and it still refuses to play nice (as well as not benefit from ModSecurity protections), so I abandoned it for the time being. I have no problems accessing my ROBUST server and logging in with Firestorm.

I tracked down the DtdProcessing property in /libremetaverse/tree/master/LibreMetaverse.StructuredData/LLSD/XmlLLSD.cs line 68.

I changed it to Parse. After much wrangling, I managed to compile Radegast with the new LibreMetaverse.StructuredData. That did not work.

I later found https://www.assistmyteam.com/kb/workaround-on-error-for-security-reasons-dtd-is-prohibited-in-this-xml-document/

So I made sure that I was not behind two routers to get to the Internet. Still no dice.

So, let me try to clarify the position I'm in:

OpenSim requires some minor code changes to replace trying to use .pfx, .p12, or what have you. It's possible to do now since OpenSim uses .net 6. That is really nice. It lets everything load without having to do certificate gymnastics. It will bind to the port and do what it is expected to do. Yet that prevents me from having ModSecurity protections on the ROBUST server since Apache cannot also bind to the port.

I intend to try using a dedicated server to test this configuration in the future for development. This I have not yet done because I'm starting a production environment and wanted something stable to use for now. I will get to it soon. That way I can test Radegast/libremetaverse hopefully without running into the DTD error. I will keep you posted.

So, for now, I'm stuck in this bind with Radegast/libremetaverse. I need this to work because I'm going to write some custom code for a Radegast plugin. Any help is greatly appreciated.

github-actions[bot] commented 9 months ago

Thank you for taking the time to improve LibreMetaverse! We will review your contribution shortly.

neil2ball commented 9 months ago

Update: I tested it on another server that has a public ip address using https (with that little hack to OpenSim's BaseHttpServer that lets me use .pem files). That seems to work with no problem. I think the long-term solution might be to rewrite portions of OpenSim to allow the inclusion of ModSecurity natively.

Yet I'm still not sure why Radegast won't work despite having made the appropriate changes in libremetaverse. When I set DtdProcessing to Parse, nothing happens when I try to connect over https, whether on my production server or the test server that works with base radegast.

cinderblocks commented 1 week ago

Should be resolved in f2f5f54a. XmlReader was never parsing XmlReaderSettings.

Further, we should not be parsing DTDs in LLSD-XML. Not part of the LLSD spec and opens up a security hole.
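Added example, not code from LibreMetaverse or its XmlLLSD.cs: the two points in this thread are that XmlReaderSettings only take effect if they are actually passed to XmlReader.Create (which is why flipping DtdProcessing to Parse changed nothing for the reporter), and that an LLSD-XML reader should keep DTDs prohibited, since the LLSD spec has no DTD and accepting one exposes the client to entity-expansion and external-entity attacks from whatever answers the login URL. The class and method names below, and both sample documents (a minimal LLSD-XML reply and a DOCTYPE-bearing document of the kind a proxy error page or a hostile server could return), are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Xml;

// Illustrative hardened reader for LLSD-XML (hypothetical names, not the
// library's own API).
static class LlsdXmlHardening
{
    // Buggy pattern this thread describes: settings are built but never handed
    // to the reader, so whatever DtdProcessing is set here has no effect and
    // the reader silently runs with the framework defaults.
    //
    //   var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Parse };
    //   using var reader = XmlReader.Create(stream);   // settings never used
    //
    // Correct pattern: build the settings once and pass them on every Create.
    static readonly XmlReaderSettings HardenedSettings = new XmlReaderSettings
    {
        // LLSD-XML has no DTD; refusing one rejects billion-laughs payloads
        // and any <!ENTITY ... SYSTEM "..."> (XXE) declaration outright.
        DtdProcessing = DtdProcessing.Prohibit,
        // Never resolve external resources even if DTD handling is ever relaxed.
        XmlResolver = null,
        // Defense in depth: cap entity expansion output in case Prohibit is
        // later changed to Ignore or Parse by a well-meaning edit.
        MaxCharactersFromEntities = 1024,
        IgnoreComments = true,
        IgnoreProcessingInstructions = true,
    };

    // Reads a document with the hardened settings and reports the outcome.
    // Returns "ok: <n> elements" or "rejected: <reason>".
    public static string TryRead(string xml)
    {
        try
        {
            using var reader = XmlReader.Create(new StringReader(xml), HardenedSettings);
            int elements = 0;
            while (reader.Read())
            {
                if (reader.NodeType == XmlNodeType.Element) elements++;
            }
            return $"ok: {elements} elements";
        }
        catch (XmlException ex)
        {
            // With DtdProcessing.Prohibit this is the exact message from the
            // issue title when the input carries a DOCTYPE.
            return $"rejected: {ex.Message}";
        }
    }

    static void Main()
    {
        // Constructed sample: a minimal LLSD-XML login reply.
        const string llsd =
            "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
            "<llsd><map><key>login</key><string>true</string></map></llsd>";

        // Constructed sample: a DOCTYPE with a nested expanding entity, the
        // shape of a billion-laughs payload. A hostile server, or a proxy
        // returning an HTML error page with its own DOCTYPE, would hit the
        // same Prohibit check.
        const string hostile =
            "<?xml version=\"1.0\"?>" +
            "<!DOCTYPE llsd [" +
            "<!ENTITY a \"aaaaaaaaaa\">" +
            "<!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">" +
            "]>" +
            "<llsd><string>&b;</string></llsd>";

        Console.WriteLine(TryRead(llsd));     // accepted
        Console.WriteLine(TryRead(hostile));  // rejected: DTD is prohibited
    }
}
```

The practical check after any edit to the reader is the second call: if a DOCTYPE-bearing document is ever accepted, the settings are not reaching XmlReader.Create, or Prohibit has been relaxed.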