
XMLRPC in MNET does not verify SSL peers by default


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.9.4, 2.8.1
    • Fix Version/s: 2.9
    • Component/s: MNet
    • Labels:
    • Testing Instructions:

      Before upgrade

      1. Set up MNet authentication with an HTTPS Moodle (Named X hereafter)
      2. Prepare some HTTPS certificate for X so that you have
        • One that can be host validated, i.e. issued for the domain used (Cert A)
        • One that CANNOT be host validated, i.e. issued for a totally different domain (Cert B)

      Upgrade

      1. Go to edit your peer and make sure that the field SSL verification is set to None.
      2. Set X to use the Cert B
      3. Confirm you can still login using MNet
      4. Set SSL verification to "Verify host only"
      5. Confirm you cannot login using MNet
      6. Set SSL verification to "Verify host and peer"
      7. Confirm you cannot login using MNet
      8. Set X to use the Cert A
      9. Set SSL verification to "None"
      10. Confirm that you can login
      11. Set SSL verification to "Verify host only"
      12. Confirm you can login using MNet
      13. Set SSL verification to "Verify host and peer"
      14. Confirm you cannot login using MNet
    • Affected Branches:
      MOODLE_19_STABLE, MOODLE_28_STABLE
    • Fixed Branches:
      MOODLE_29_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-18183-master
    • Sprint:
      BACKEND Sprint 19
    • Issue size:
      Small

      Description

      In mnet/xmlrpc/client.php the settings for the curl call include these two options:

      curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // peer certificate chain is not validated
      curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);     // certificate name is not checked against the host

      This allows it to work with self-signed certificates if the other end of the connection is running https across the whole site. This is fine, but it should perhaps be an option as this potentially reduces security by, effectively, accepting any certificate.

      We had the opposite end of this discussion in Mahara where the decision was to enable this with an option in config.php. With Moodle having these, there is a potential regression of course.
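      The three per-peer settings exercised by the testing instructions ("None", "Verify host only", "Verify host and peer") map onto the two curl options quoted above. The following is an added example, not Moodle's own code: the constant names, the function names and the peer URL are assumptions made for illustration.

```php
<?php
// Added illustration, not code from mnet/xmlrpc/client.php. Constant and function
// names are hypothetical; the URL below is constructed.
const VERIFY_NONE = 0;          // "None": the old default, accepts any certificate
const VERIFY_HOST = 1;          // "Verify host only": name must match, chain not checked
const VERIFY_HOST_AND_PEER = 2; // "Verify host and peer": chain and hostname validated

function mnet_curl_ssl_options(int $mode): array {
    switch ($mode) {
        case VERIFY_NONE:
            return [CURLOPT_SSL_VERIFYPEER => false, CURLOPT_SSL_VERIFYHOST => 0];
        case VERIFY_HOST:
            // libcurl checks VERIFYHOST independently of VERIFYPEER: a certificate
            // issued for another domain (Cert B in the test plan) is rejected even
            // though its chain is never verified, which is what "host only" needs.
            return [CURLOPT_SSL_VERIFYPEER => false, CURLOPT_SSL_VERIFYHOST => 2];
        case VERIFY_HOST_AND_PEER:
            // Self-signed Cert A passes the name check but fails chain validation here.
            return [CURLOPT_SSL_VERIFYPEER => true, CURLOPT_SSL_VERIFYHOST => 2];
        default:
            // Unknown setting: fail closed instead of silently disabling checks.
            throw new InvalidArgumentException("Unknown SSL verification mode: $mode");
    }
}

function mnet_prepare_xmlrpc_call(string $url, int $mode) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: text/xml']);
    foreach (mnet_curl_ssl_options($mode) as $opt => $value) {
        curl_setopt($ch, $opt, $value);
    }
    if ($mode === VERIFY_NONE) {
        // Make the insecure choice visible to administrators in the logs.
        error_log("MNet: SSL verification disabled for $url; any certificate is accepted");
    }
    return $ch;
}

// Constructed usage: the hardened default is full verification.
$ch = mnet_prepare_xmlrpc_call('https://peer.example.invalid/mnet/xmlrpc/server.php',
                               VERIFY_HOST_AND_PEER);
```

      Note that CURLOPT_SSL_VERIFYHOST accepts only 0 or 2 on current libcurl builds; the old value 1 is rejected.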


    Dates

    • Created:
    • Updated:
    • Resolved:
    • Fix Release Date: 11/May/15