[MDL-18183] XMLRPC in MNET does not verify SSL peers by default - Moodle Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 1.9.4, 2.8.1
Fix Version/s: 2.9
Component/s: MNet
Labels:
- ci
- triaged
- ui_change

Affected Branches:
MOODLE_19_STABLE, MOODLE_28_STABLE
Fixed Branches:
MOODLE_29_STABLE
Pull from Repository:
git://github.com/FMCorz/moodle.git
Pull Master Branch:
~~MDL-18183~~-master
Pull Master Diff URL:
https://github.com/FMCorz/moodle/compare/ca0e301...MDL-18183-master
Testing Instructions:
Hide

Before upgrade

Set up MNet authentication with an HTTPS Moodle (Named X hereafter)

Prepare some HTTPS certificate for X so that you have

One that can be host validated, i.e. issued for the domain used (Cert A)

One that CANNOT be host validated, i.e. issued for a totally different domain (Cert B)

Upgrade

Go to edit your peer and make sure that the field SSL verification is set to None.

Set X to use the Cert B

Confirm you can still login using MNet

Set SSL verification to "Verify host only"

Confirm you cannot login using MNet

Set SSL verification to "Verify host and peer

Confirm you cannot login using MNet

Set X to use the Cert A

Set SSL verification to "None"

Confirm that you can login

Set SSL verification to "Verify host only"

Confirm you can login using MNet

Set SSL verification to "Verify host and peer

Confirm you cannot login using MNet
Show
Before upgrade Set up MNet authentication with an HTTPS Moodle (Named X hereafter) Prepare some HTTPS certificate for X so that you have One that can be host validated, i.e. issued for the domain used (Cert A) One that CANNOT be host validated, i.e. issued for a totally different domain (Cert B) Upgrade Go to edit your peer and make sure that the field SSL verification is set to None . Set X to use the Cert B Confirm you can still login using MNet Set SSL verification to "Verify host only" Confirm you cannot login using MNet Set SSL verification to "Verify host and peer Confirm you cannot login using MNet Set X to use the Cert A Set SSL verification to "None" Confirm that you can login Set SSL verification to "Verify host only" Confirm you can login using MNet Set SSL verification to "Verify host and peer Confirm you cannot login using MNet

Sprint:
BACKEND Sprint 19
Issue size:
Small

Description

In mnet/xmlrpc/client.php the settings for the curl call include the two settings....

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);

This allows it to work with self-signed certificates if the other end of the connection is running https across the whole site. This is fine, but it should perhaps be an option as this potentially reduces security by, effectively, accepting any certificate.

We had the oposite end of this discussion in Mahara where the decision was to enable this with an option in config.php. With Moodle having these, there is a potential regression of course.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

MDL-18183-master.mdk.patch
11 kB
18/Nov/14 2:28 AM

Issue Links

will be (partly) resolved by

MDL-40905 META: Evolve MNet into a standards-based system

Closed

will help resolve

MDL-21259 Low hanging fruit - simple feature requests

Closed

Activity

People

Assignee:: Frédéric Massart

Reporter:: Howard Miller

Peer reviewer:: John Okely

Integrator:: Sam Hemelryk

Tester:: Rajesh Taneja

Participants:: Andrew Lyons, CiBoT, Dan Poltawski, Eloy Lafuente (stronk7), Frédéric Massart, Helen Foster, Howard Miller, John Okely, Marina Glancy, Mark Nelson, Mary Cooch, Michael de Raadt, Penny Leach, Rajesh Taneja, Sam Hemelryk

Component watchers:: David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 10/Feb/09 4:45 AM

Updated:: 19/Jun/15 8:05 AM

Resolved:: 06/Dec/14 4:07 AM

Fix Release Date:: 11/May/15