Moodle

Public key generating won't work if the site name is too long (> 64 characters)

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Minor Minor
  • Resolution: Fixed
  • Affects Version/s: 1.8.6, 1.9.2
  • Fix Version/s: 1.9.8, 2.0
  • Component/s: MNet
  • Labels:
    None
  • Affected Branches:
    MOODLE_18_STABLE, MOODLE_19_STABLE
  • Fixed Branches:
    MOODLE_19_STABLE, MOODLE_20_STABLE

Description

Our site has a lovely name "Reppu: Lahden ammattikorkeakoulun tiedotus- ja verkko-opetusympäristö" which is 71 characters (ä and ö make two each!). This doesn't work as the organizationName variable of the Distinguished Name parameter of the function openssl_csr_new().

The obvious workaround is to make the name to be shorter, but as there is no warning about this anywhere it might be hard to spot from a production site that has notices turned off.

Issue Links

This issue will help resolve:
MDL-21260 General open bugs Minor Open
This issue has a non-specific relationship to:
MDL-11020 fix of networking for longer urls ( > 64 characters ) Minor Closed

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Markus Hillig added a comment -

Thank you Samuli, you saved my day! I've had exactly the same problem since I tried to use a long site name, too. I agree that it is absolutely necessary to show some kind of info that the key generation failed because of the long site name (if its impossible to lift this restriction to 64 chars).
Is it possible to assign this bug to someone so that it gets considered for fixing?

Regards, Markus

Show
Markus Hillig added a comment - Thank you Samuli, you saved my day! I've had exactly the same problem since I tried to use a long site name, too. I agree that it is absolutely necessary to show some kind of info that the key generation failed because of the long site name (if its impossible to lift this restriction to 64 chars). Is it possible to assign this bug to someone so that it gets considered for fixing? Regards, Markus
Hide
Permalink
Samuli Karevaara added a comment -

Assigning to Penny Leach.

Show
Samuli Karevaara added a comment - Assigning to Penny Leach.
Hide
Permalink
Penny Leach added a comment -

Hi!

Samuli, I guess you found exactly where in code this is? I am vaguely familiar with mnet but not to this depth so any further info would be great.

Show
Penny Leach added a comment - Hi! Samuli, I guess you found exactly where in code this is? I am vaguely familiar with mnet but not to this depth so any further info would be great.
Hide
Permalink
Samuli Karevaara added a comment -

I had happily forgotten all that I dug earlier. A fresh round of code surfing and googling revealed: in /mnet/lib.php, function mnet_generate_keypair() the OpenSSL function openssl_csr_new() is called at line 333 (1.9 CVS). The first parameter is an array ($dn), it's a distinguished name as specced in RFC 3280. The RFC specifies the organization name field to have a max length of 64. The mnet lib reads the $dn["organizationName"] to be the site full name. Then the OpenSSL function fails if it's more than 64 chars. One possible fix might be to simply read at max 64 chars of the site full name.

I also found some references about that RFC being superseded by RFC 5280 and that maybe changing openssl.conf to up the max might be possible. Making the name to be less than 64 chars would still be a better solution. The $dn will be unique anyway, as it has the URL as one component also.

Show
Samuli Karevaara added a comment - I had happily forgotten all that I dug earlier. A fresh round of code surfing and googling revealed: in /mnet/lib.php, function mnet_generate_keypair() the OpenSSL function openssl_csr_new() is called at line 333 (1.9 CVS). The first parameter is an array ($dn), it's a distinguished name as specced in RFC 3280. The RFC specifies the organization name field to have a max length of 64. The mnet lib reads the $dn["organizationName"] to be the site full name. Then the OpenSSL function fails if it's more than 64 chars. One possible fix might be to simply read at max 64 chars of the site full name. I also found some references about that RFC being superseded by RFC 5280 and that maybe changing openssl.conf to up the max might be possible. Making the name to be less than 64 chars would still be a better solution. The $dn will be unique anyway, as it has the URL as one component also.
Hide
Permalink
Penny Leach added a comment -

I think the best solution is to just substr the dn to 64 chars.

Samuli - what exactly was the output/behaviour when it was breaking? Were you getting any errors or anything ?

Show
Penny Leach added a comment - I think the best solution is to just substr the dn to 64 chars. Samuli - what exactly was the output/behaviour when it was breaking? Were you getting any errors or anything ?
Hide
Permalink
Samuli Karevaara added a comment -

Penny, I'm sorry to say that I don't remember the details anymore. On the production site there was no error message, as it had errors and notices turned off. So a "Moodle warning" about this might be in order. I have to ask someone else to test what errors this gives, as I've been sadly moved quite a bit away from Moodle duties.

Show
Samuli Karevaara added a comment - Penny, I'm sorry to say that I don't remember the details anymore. On the production site there was no error message, as it had errors and notices turned off. So a "Moodle warning" about this might be in order. I have to ask someone else to test what errors this gives, as I've been sadly moved quite a bit away from Moodle duties.
Hide
Permalink
Samuli Karevaara added a comment -

I mean: I have to ask that someone else tests this. At the moment I don't even have anyone that I could ask to do this... (I'm working for Aalto University now, a new university that started 1.1.2010 as The Helsinki School of Economics, Helsinki University of Technology and The University of Art and Design Helsinki merged.)

Show
Samuli Karevaara added a comment - I mean: I have to ask that someone else tests this. At the moment I don't even have anyone that I could ask to do this... (I'm working for Aalto University now, a new university that started 1.1.2010 as The Helsinki School of Economics, Helsinki University of Technology and The University of Art and Design Helsinki merged.)
Hide
Permalink
Penny Leach added a comment -

committed to head & stable. I truncated all the other fields too, to the values in the rfc

http://www.ietf.org/rfc/rfc3280.txt

Show
Penny Leach added a comment - committed to head & stable. I truncated all the other fields too, to the values in the rfc http://www.ietf.org/rfc/rfc3280.txt

People

Vote (0)
Watch (2)

Dates

  • Created:
    Updated:
    Resolved:
Atlassian JIRA (v4.4.5#665-sha1:422aead) | Report a problem
Powered by a free Atlassian JIRA open source license for Moodle. Try JIRA - bug tracking software for your team.