  1. Moodle
  2. MDL-36818

Wrong setting for CURLOPT_SSL_VERIFYHOST in CAS

    Details

    • Testing Instructions:
      DanP: I do not feel the time required to set up an SSL'd CAS server is necessary here. I could add testing instructions to test CAS without SSL, but it wouldn't be testing anything.

      Therefore I'm going to suggest passing this based on the code and the fact it's been applied upstream. If someone from the community has an SSL-enabled CAS setup, it'd be great if we could get them to test it.

    • Affected Branches:
      MOODLE_19_STABLE, MOODLE_21_STABLE, MOODLE_22_STABLE, MOODLE_23_STABLE, MOODLE_24_STABLE, MOODLE_25_STABLE
    • Fixed Branches:
      MOODLE_23_STABLE, MOODLE_24_STABLE, MOODLE_25_STABLE
    • Pull Master Branch:
      MDL-36818-master

      Description

      The S3 repository and the CAS client misuse CURLOPT_SSL_VERIFYHOST in the curl library: they set it to 1 instead of 2.

      From the libcurl documentation:

      > When CURLOPT_SSL_VERIFYHOST is 2, that certificate must indicate that the
      > server is the server to which you meant to connect, or the connection fails.
      >
      > Curl considers the server the intended one when the Common Name field or a
      > Subject Alternate Name field in the certificate matches the host name in the
      > URL to which you told Curl to connect.
      >
      > When the value is 1, the certificate must contain a Common Name field, but it
      > doesn't matter what name it says. (This is not ordinarily a useful setting).

      Thanks to Alessandro Ghedini for reporting it.

      The fixes have been sent to the upstream developers:
      https://github.com/tpyo/amazon-s3-php-class/pull/36
      https://github.com/Jasig/phpCAS/pull/58
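
To check a PHP code base for the same mistake, the following added example (not part of the Moodle, phpCAS or S3 class code) scans PHP source for CURLOPT_SSL_VERIFYHOST settings other than 2. The function names and the sample input are assumptions made for illustration; the scan is line-based and does not parse PHP.

```python
import re

# Call style:  curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1)
# Array style: CURLOPT_SSL_VERIFYHOST => 1
VERIFYHOST = re.compile(r"CURLOPT_SSL_VERIFYHOST\s*(?:,|=>)\s*([^,;)\]\s]+)")

def classify(value):
    """Map the literal assigned to CURLOPT_SSL_VERIFYHOST to a verdict."""
    v = value.lower()
    if v == "2":
        return "ok"                 # host name must match the certificate
    if v in ("1", "true"):          # PHP passes boolean true to libcurl as 1
        return "name-not-checked"   # the setting this issue fixes
    if v in ("0", "false"):
        return "disabled"           # no host name check at all
    return "review"                 # variable or expression: check by hand

def audit_php(source):
    """Return (line number, value, verdict) for every setting that is not 2."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*")):
            continue                # skip whole-line comments
        for match in VERIFYHOST.finditer(line):
            verdict = classify(match.group(1))
            if verdict != "ok":
                findings.append((lineno, match.group(1), verdict))
    return findings

# Constructed PHP input, not taken from Moodle, phpCAS or the S3 class.
SAMPLE = '''<?php
// constructed sample for the audit below
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
curl_setopt_array($ch2, array(
    CURLOPT_SSL_VERIFYHOST => true,
));
curl_setopt($ch3, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch4, CURLOPT_SSL_VERIFYHOST, $verify);
'''

if __name__ == "__main__":
    for lineno, value, verdict in audit_php(SAMPLE):
        print(f"line {lineno}: CURLOPT_SSL_VERIFYHOST = {value} -> {verdict}")
```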

                  Dates

                  • Created:
                    Updated:
                    Resolved:
                    Fix Release Date:
                    11/Nov/13