MDL-11020: fix of networking for longer urls (> 64 characters)


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.8.2
    • Fix Version/s: 2.0
    • Component/s: MNet
    • Labels: None
    • Database: Any
    • Affected Branches: MOODLE_18_STABLE
    • Fixed Branches: MOODLE_20_STABLE

      Description

      There is a problem with the current configuration of networking (mnet) in that it uses the CN field as the subject of the certificate. This is a problem for any sites with urls longer than 64 characters (the limit for such a field). Creation of certificates will fail, and even if created they will not pass the subject check. We (Victor Pulver and myself, Paul Singleton) have fixed a few of the mnet libraries (peer.php and lib.php) to correct this issue.

      1. We changed the host variable to something that makes a little more clear what it is. We were a little puzzled by the `if (strpos($uri, $host) !== false)` in the original code, since they would always have to be equal, and they were backwards. In the new code we reverse them to the correct order.
      2. Of course the big fix here is that we are allowing for longer urls: the current networking module will fail on CN with urls > 64 (which is the max character length of the field).
      3. We have added the subjectAltName to the dn array to use for all urls that are longer than 64 characters, and it will be the one used to match the subjects for all new certificates. We left the old CN code in there so that it will work with older certificates that do not have subjectAltName.

      The line numbers will be off but close. I have also included the new files as attachments.

      in /mnet/lib.php

      old code:
      -------------------------------
      77 $host = $credentials['subject']['CN'];
      78 if (strpos($uri, $host) !== false) {
      79     mnet_set_public_key($uri, $public_certificate);
      80     return $public_certificate;
      81 }
      82 }
      83 }
      84 return false;
      85 }
      -------------------------------

      new code:
      -------------------------------
      78 $certificate_host_name = $credentials['subject']['CN'];
      79 if (array_key_exists('subjectAltName', $credentials['subject'])) {
      80     $certificate_host_name = $credentials['subject']['subjectAltName'];
      81 }
      82 if (strpos($certificate_host_name, $uri) !== false) {
      83     mnet_set_public_key($uri, $public_certificate);
      84     return $public_certificate;
      85 }
      86 }
      87 }
      88 return false;
      89 }
      -------------------------------

      old code:
      -------------------------------
      306 if (is_null($dn)) {
      307     $dn = array(
      308         "countryName" => $country,
      309         "stateOrProvinceName" => $province,
      310         "localityName" => $locality,
      311         "organizationName" => $organization,
      312         "organizationalUnitName" => 'Moodle',
      313         "commonName" => $CFG->wwwroot,
      315         "emailAddress" => $email
      316     );
      317 }
      -------------------------------

      new code:
      -------------------------------
      306 if (is_null($dn)) {
      307     $dn = array(
      308         "countryName" => $country,
      309         "stateOrProvinceName" => $province,
      310         "localityName" => $locality,
      311         "organizationName" => $organization,
      312         "organizationalUnitName" => 'Moodle',
      313         "commonName" => $CFG->wwwroot,
      314         "subjectAltName" => "URI:" . $CFG->wwwroot,
      315         "emailAddress" => $email
      316     );
      317 }
      -------------------------------

      after:
      -------------------------------
      314 // ensure we remove trailing slashes
      315 $dn["commonName"] = preg_replace(':/$:', '', $dn["commonName"]);

      add this code:
      -------------------------------
      321
      322 // added for longer urls
      323 // check if length of commonName > 64
      324
      325 if (strlen($dn["commonName"]) > 64) {
      326
      327     $parse_url = parse_url($dn["commonName"], PHP_URL_HOST);
      328
      329     $short_name = gethostbyname($parse_url);
      330
      331     if (strlen($short_name) > 64) {
      332
      333         $short_name = substr($parse_url, -64);
      334
      335     }
      336
      337     $dn["commonName"] = $short_name;
      338
      339 }
      340
      -------------------------------

      in peer.php

      old code:
      -------------------------------
      } elseif ($credentials['subject']['CN'] != $this->wwwroot) {
          $a[] = $credentials['subject']['CN'];
          $a[] = $this->wwwroot;
          $this->error[] = array('code' => 4, 'text' => get_string("nonmatchingcert", 'mnet', $a));
          return false;
      } else {
          return $credentials['validTo_time_t'];
      -------------------------------

      new code:
      -------------------------------
      } elseif ($credentials['subject']['CN'] != $this->wwwroot) {
          if (array_key_exists('subjectAltName', $credentials['subject'])) {
              if ($credentials['subject']['subjectAltName'] != "URI:" . $this->wwwroot) {
                  $a[] = $credentials['subject']['subjectAltName'];
                  $a[] = $this->wwwroot;
                  $this->error[] = array('code' => 4, 'text' => get_string("nonmatchingcert", 'mnet', $a));
                  return false;
              } else {
                  return $credentials['validTo_time_t'];
              }
          } else {
              $a[] = $credentials['subject']['CN'];
              $a[] = $this->wwwroot;
              $this->error[] = array('code' => 4, 'text' => get_string("nonmatchingcert", 'mnet', $a));
              return false;
          }
      } else {
          return $credentials['validTo_time_t'];
      -------------------------------
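      The two halves of the fix above (building the DN in lib.php with a shortened commonName plus a subjectAltName entry carrying the full wwwroot, and the peer.php check that prefers subjectAltName and falls back to CN for older certificates) are shown end to end in the following Python example. It is an added illustration, not Moodle's code: the `subject` dict stands in for the array PHP's openssl_x509_parse() returns under 'subject' (key names 'CN' and 'subjectAltName' are assumed to match the page), the DN field values are constructed, and the CN is shortened to the URL's hostname rather than the result of gethostbyname() so that it runs offline. The peer check uses exact equality, as peer.php does, rather than the substring test in lib.php.

```python
from urllib.parse import urlparse

CN_MAX = 64  # X.520 ub-common-name: the bound that a long wwwroot in CN exceeds


def build_dn(wwwroot, country="NZ", organization="Example Org", email="admin@example.org"):
    """Build the certificate DN the way the patched mnet/lib.php does.

    The full wwwroot always goes into subjectAltName (as "URI:" + wwwroot);
    commonName keeps the wwwroot only while it fits in 64 characters.
    Field values other than wwwroot are constructed sample data.
    """
    wwwroot = wwwroot.rstrip("/")            # lib.php strips the trailing slash too
    dn = {
        "countryName": country,
        "organizationName": organization,
        "organizationalUnitName": "Moodle",
        "commonName": wwwroot,
        "subjectAltName": "URI:" + wwwroot,
        "emailAddress": email,
    }
    if len(dn["commonName"]) > CN_MAX:
        # Assumption: use the URL's hostname as the short form (the page uses
        # gethostbyname on it); if even the host is too long, keep its last 64
        # characters, mirroring substr($parse_url, -64).
        host = urlparse(wwwroot).hostname or wwwroot
        dn["commonName"] = host if len(host) <= CN_MAX else host[-CN_MAX:]
    return dn


def as_parsed_subject(dn):
    """Shape the DN like the 'subject' array openssl_x509_parse() hands back
    (assumed short names; only the keys the peer check reads matter here)."""
    short = {
        "countryName": "C",
        "organizationName": "O",
        "organizationalUnitName": "OU",
        "commonName": "CN",
        "subjectAltName": "subjectAltName",
        "emailAddress": "emailAddress",
    }
    return {short[k]: v for k, v in dn.items()}


def check_peer_subject(subject, wwwroot):
    """Decide whether a peer certificate's subject belongs to `wwwroot`.

    Returns (accepted, field_used). New certificates carry subjectAltName and
    are matched on it exactly; certificates without it (issued before the fix)
    fall back to comparing CN against the wwwroot, which only ever succeeds
    for sites whose wwwroot fit into CN in the first place.
    """
    expected = wwwroot.rstrip("/")
    if "subjectAltName" in subject:
        return subject["subjectAltName"] == "URI:" + expected, "subjectAltName"
    return subject.get("CN") == expected, "CN"


if __name__ == "__main__":
    long_site = "https://" + "a" * 50 + ".example.org/moodle/site"   # constructed, 82 chars
    dn = build_dn(long_site)
    print("CN  =", dn["commonName"])
    print("SAN =", dn["subjectAltName"])
    print(check_peer_subject(as_parsed_subject(dn), long_site))
```

      Running the script for the constructed 82-character wwwroot prints a 62-character CN (the hostname), the full URL in the subjectAltName entry, and `(True, 'subjectAltName')`; a certificate for the same site without the subjectAltName entry is rejected on the CN path, which is the behaviour the issue describes for pre-fix certificates.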

        People

        Assignee: donal@catalyst.net.nz Donal McMullan
        Reporter: ito_admin Paul Singleton
        Tester: Nobody

        Dates

        Fix Release Date: 24/Nov/10