Moodle / MDL-14117

Public key generating won't work if the site name is too long (> 64 characters)

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.8.6, 1.9.2
    • Fix Version/s: 1.9.8, 2.0
    • Component/s: MNet
    • Labels:
      None
    • Affected Branches:
      MOODLE_18_STABLE, MOODLE_19_STABLE
    • Fixed Branches:
      MOODLE_19_STABLE, MOODLE_20_STABLE

      Description

      Our site has a lovely name "Reppu: Lahden ammattikorkeakoulun tiedotus- ja verkko-opetusympäristö" which is 71 characters (ä and ö make two each!). This doesn't work as the organizationName variable of the Distinguished Name parameter of the function openssl_csr_new().

      The obvious workaround is to make the name to be shorter, but as there is no warning about this anywhere it might be hard to spot from a production site that has notices turned off.

            Activity

            Markus Hillig added a comment -

            Thank you Samuli, you saved my day! I've had exactly the same problem since I tried to use a long site name, too. I agree that it is absolutely necessary to show some kind of info that the key generation failed because of the long site name (if it's impossible to lift this restriction to 64 chars).
            Is it possible to assign this bug to someone so that it gets considered for fixing?

            Regards, Markus

            Samuli Karevaara added a comment -

            Assigning to Penny Leach.

            Penny Leach added a comment -

            Hi!

            Samuli, I guess you found exactly where in code this is? I am vaguely familiar with mnet but not to this depth so any further info would be great.

            Samuli Karevaara added a comment -

            I had happily forgotten all that I dug earlier. A fresh round of code surfing and googling revealed: in /mnet/lib.php, function mnet_generate_keypair() the OpenSSL function openssl_csr_new() is called at line 333 (1.9 CVS). The first parameter is an array ($dn), it's a distinguished name as specced in RFC 3280. The RFC specifies the organization name field to have a max length of 64. The mnet lib reads the $dn["organizationName"] to be the site full name. Then the OpenSSL function fails if it's more than 64 chars. One possible fix might be to simply read at max 64 chars of the site full name.

            I also found some references about that RFC being superseded by RFC 5280 and that maybe changing openssl.conf to up the max might be possible. Making the name to be less than 64 chars would still be a better solution. The $dn will be unique anyway, as it has the URL as one component also.

            Penny Leach added a comment -

            I think the best solution is to just substr the dn to 64 chars.

            Samuli - what exactly was the output/behaviour when it was breaking? Were you getting any errors or anything?

            Samuli Karevaara added a comment -

            Penny, I'm sorry to say that I don't remember the details anymore. On the production site there was no error message, as it had errors and notices turned off. So a "Moodle warning" about this might be in order. I have to ask someone else to test what errors this gives, as I've been sadly moved quite a bit away from Moodle duties.

            Samuli Karevaara added a comment -

            I mean: I have to ask that someone else tests this. At the moment I don't even have anyone that I could ask to do this... (I'm working for Aalto University now, a new university that started 1.1.2010 as The Helsinki School of Economics, Helsinki University of Technology and The University of Art and Design Helsinki merged.)

            Penny Leach added a comment -

            Committed to head & stable. I truncated all the other fields too, to the values in the RFC.

            http://www.ietf.org/rfc/rfc3280.txt
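
An added example, not Moodle's code or the committed fix, of the truncation discussed in this issue: it clamps each DN field to its RFC 3280 upper bound on a UTF-8 character boundary, logs which fields were shortened, and checks the result of openssl_csr_new(). The names clamp_dn and DN_UPPER_BOUNDS, the byte-based reading of the limit, and the example.org URL are assumptions.

```php
<?php
// Added example, not Moodle's code. Upper bounds (ub-*) from RFC 3280, Appendix A.
const DN_UPPER_BOUNDS = [
    'countryName'            => 2,
    'stateOrProvinceName'    => 128,
    'localityName'           => 128,
    'organizationName'       => 64,
    'organizationalUnitName' => 64,
    'commonName'             => 64,
    'emailAddress'           => 128,
];

/**
 * Clamp each DN field to its bound. Assumption: the bound is applied to bytes,
 * as the 71-byte count in the report suggests. mb_strcut() cuts on a byte
 * budget but never in the middle of a UTF-8 character, unlike substr().
 * Returns [clamped DN, names of the fields that were shortened].
 */
function clamp_dn(array $dn): array {
    $shortened = [];
    foreach ($dn as $field => $value) {
        $limit = DN_UPPER_BOUNDS[$field] ?? null;
        if ($limit !== null && strlen($value) > $limit) {
            $dn[$field] = mb_strcut($value, 0, $limit, 'UTF-8');
            $shortened[] = $field;
        }
    }
    return [$dn, $shortened];
}

// Constructed DN; the organizationName is the site name quoted in the report.
$dn = [
    'countryName'      => 'FI',
    'organizationName' => 'Reppu: Lahden ammattikorkeakoulun tiedotus- ja verkko-opetusympäristö',
    'commonName'       => 'https://moodle.example.org',
];
[$safe, $shortened] = clamp_dn($dn);
foreach ($shortened as $field) {
    error_log("DN field $field shortened to " . strlen($safe[$field]) . ' bytes');
}

$key = openssl_pkey_new(['private_key_bits' => 2048]);
$csr = $key ? openssl_csr_new($safe, $key) : false;
if ($csr === false) {
    // Failure returns false; the reasons are on the OpenSSL error queue.
    while (($err = openssl_error_string()) !== false) {
        error_log("OpenSSL: $err");
    }
}
```

Logging through error_log() keeps the shortening and any OpenSSL failure visible on a production site that has notices turned off.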
