Moodle / MDL-55404

Add environment checks for TLS

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.2
    • Fix Version/s: 3.2
    • Component/s: Installation
    • Labels:
    • Testing Instructions:

      This is a somewhat complicated test that involves using the PHP/cURL extension against libssl, which has to be compiled against different SSL/TLS libraries. To make this easier I've written a small bash script to automate much of the compiling part of the test (attached to this issue).

      Setup Server

      1. Create a virtual machine using this Debian ISO. It must be this one otherwise the bash script won't work.
      2. Set up your webserver stack (make sure you use Apache and PHP from apt-get though). However, don't install the PHP/cURL extension. We're going to compile that.
      3. Place the attached bash script in your home directory (or somewhere that you can write to)
      4. Install sudo - this guide seems OK
      5. Run ./install.sh init - it uses sudo so will prompt for your password
      6. If it worked it should have downloaded some sources and installed a few packages. If something goes wrong it should produce some sort of error
      7. Try running ./install.sh init again and make sure it says "No packages to install"
      8. Make a PHP file with phpinfo(); and put it in your webroot
      9. Access the PHP script and check that there is no mention of the cURL extension
      10. Run ./install.sh OpenSSL - it should compile the PHP/cURL extension, put it in the right place, and restart Apache for you
      11. Check the info script again, check that you can see the cURL extension

      Testing the different SSL/TLS libraries

      1. Clone the moodle integration branch and put it in your webroot
      2. At your virtual machine's terminal, run the install script: ./install.sh OpenSSL with_tls
      3. Check the info PHP file made earlier and ensure under "curl" you see that the SSL Version is "OpenSSL/1.0.1t"
      4. Go through the Moodle installation procedure but stop when it gets to the environment check
      5. Verify there is no mention of TLS libraries being out of date
      6. Run the install script again: ./install.sh GnuTLS
      7. Repeat steps 2-4 (check for "GnuTLS/3.3.8" under SSL Version)
      8. Verify there is no mention of TLS libraries being out of date
      9. Run the install script again: ./install.sh NSS
      10. Repeat steps 2-4 (check for "NSS/3.17.2 Basic ECC" under SSL Version)
      11. Verify there is no mention of TLS libraries being out of date
      12. Run the install script again: ./install.sh OpenSSL without_tls
      13. Repeat steps 2-4 (check for "OpenSSL/0.9.8o" under SSL Version)
      14. This time there should be a warning about TLS libraries being out of date
    • Affected Branches:
      MOODLE_32_STABLE
    • Fixed Branches:
      MOODLE_32_STABLE
    • Pull Master Branch:
      MDL-55404-master
    • Sprint:
      3.2 Sprint 5

      Description

      Several services are starting to drop support for older SSL/TLS implementations (PayPal, for example). So we need to start suggesting that sysadmins upgrade their libraries.
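
The kind of check this task asks for can be sketched as follows. This is an added example, not the code from the Moodle patch: the function name `classify_tls_library()` is hypothetical and the minimum versions in the table are assumptions chosen for illustration. It classifies the cURL "SSL Version" strings quoted in the testing instructions, plus the library the running PHP build is linked against.

```php
<?php
// Added example (not Moodle's code). Minimum versions are assumptions for
// illustration; adjust them to the policy you actually want to enforce.
const MIN_TLS_LIB_VERSIONS = [
    'OpenSSL' => '1.0.1',  // TLS 1.2 first shipped in OpenSSL 1.0.1
    'GnuTLS'  => '2.12.0', // assumed threshold for this example
    'NSS'     => '3.15.1', // assumed threshold for this example
];

/**
 * Classify a cURL "SSL Version" string as 'ok', 'outdated' or 'unknown'.
 * 'unknown' means the backend or format was not recognised and needs a
 * manual look; it is never silently treated as 'ok'.
 */
function classify_tls_library(string $sslversion): string {
    // Expected shapes: "OpenSSL/1.0.1t", "GnuTLS/3.3.8", "NSS/3.17.2 Basic ECC".
    // Only the numeric part is captured: version_compare() does not understand
    // OpenSSL's letter suffixes, and NSS appends free text after a space.
    if (!preg_match('~^([A-Za-z]+)/(\d+(?:\.\d+)*)~', trim($sslversion), $m)) {
        return 'unknown';
    }
    [, $name, $numeric] = $m;
    if (!isset(MIN_TLS_LIB_VERSIONS[$name])) {
        return 'unknown';
    }
    return version_compare($numeric, MIN_TLS_LIB_VERSIONS[$name], '>=')
        ? 'ok'
        : 'outdated';
}

// Version strings quoted in the testing instructions above.
$samples = [
    'OpenSSL/1.0.1t',
    'GnuTLS/3.3.8',
    'NSS/3.17.2 Basic ECC',
    'OpenSSL/0.9.8o',
];

// Also check the library this PHP build is linked against, if cURL is loaded.
if (function_exists('curl_version')) {
    $samples[] = (string) curl_version()['ssl_version'];
}

foreach ($samples as $sample) {
    printf("%-24s %s\n", $sample === '' ? '(no SSL backend)' : $sample,
        classify_tls_library($sample));
}
```

Run it with the PHP CLI on the test virtual machine after each `./install.sh` step; the three newer libraries from the instructions classify as `ok` and `OpenSSL/0.9.8o` as `outdated`.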


                  Dates

                  • Created:
                    Updated:
                    Resolved:
                    Fix Release Date:
                    5/Dec/16