Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-55404

Add environment checks for TLS

    XMLWordPrintable

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.2
    • Fix Version/s: 3.2
    • Component/s: Installation
    • Labels:
    • Testing Instructions:
      Hide

      This is a somewhat complicated test that involves using the PHP/cURL extension against libssl which has to be compiled against different SSL/TLS libraries. To make this easier I've written a small bash script to automate much of the compiling parts test (attached to this issue).

      Setup Server

      1. Create a virtual machine using this Debian ISO. It must be this one otherwise the bash script won't work.
      2. Set up your webserver stack (make sure you use Apache and PHP from apt-get though). However don't install the PHP/cURL extension. We're going to compile that.
      3. Place the attatched bash script in your home directory (or somewhere that you can write to)
      4. Install sudo - this guide seems OK
      5. Run ./install.sh init - it uses sudo so will prompt for your password
      6. If it worked it should have downloaded some sources and installed a few packages. If something goes wrong it should produce some sort of error
      7. Try running ./install.sh init again and make sure it says "No packages to install"
      8. Make a PHP file with phpinfo(); and put it in your webroot
      9. Access the PHP script and check that there is no mention of the cURL extension
      10. Run ./install.sh OpenSSL - it should compile the PHP/cURL extension, put it in the right place, and restart Apache for you
      11. Check the info script again, check that you can see the cURL extension

      Testing the different SSL/TLS libraries

      1. Clone the moodle integration branch and put it in your webroot
      2. At your virtual machine's terminal, run the install script: ./install.sh OpenSSL with_tls
      3. Check the info PHP file made earlier and ensure under "curl" you see that the SSL Version is "OpenSSL/1.0.1t"
      4. Go through the Moodle installation procedure but stop when it gets to the environment check
      5. Verify there is no mention of TLS libraries being out of date
      6. Run the install script again: ./install.sh GnuTLS
      7. Repeat steps 2-4 (check for "GnuTLS/3.3.8" under SSL Version)
      8. Verify there is no mention of TLS libraries being out of date
      9. Run the install script again: ./install.sh NSS
      10. Repeat steps 2-4 (check for "NSS/3.17.2 Basic ECC" under SSL Version)
      11. Verify there is no mention of TLS libraries being out of date
      12. Run the install script again: ./install.sh OpenSSL without_tls
      13. Repeat steps 2-4 (check for "OpenSSL/0.9.8o" under SSL Version)
      14. This time there should be a warning about TLS libraries being out of date
      Show
      This is a somewhat complicated test that involves using the PHP/cURL extension against libssl which has to be compiled against different SSL/TLS libraries. To make this easier I've written a small bash script to automate much of the compiling parts test (attached to this issue). Setup Server Create a virtual machine using this Debian ISO. It must be this one otherwise the bash script won't work. Set up your webserver stack (make sure you use Apache and PHP from apt-get though). However don't install the PHP/cURL extension. We're going to compile that. Place the attatched bash script in your home directory (or somewhere that you can write to) Install sudo - this guide seems OK Run ./install.sh init - it uses sudo so will prompt for your password If it worked it should have downloaded some sources and installed a few packages. If something goes wrong it should produce some sort of error Try running ./install.sh init again and make sure it says "No packages to install" Make a PHP file with phpinfo(); and put it in your webroot Access the PHP script and check that there is no mention of the cURL extension Run ./install.sh OpenSSL - it should compile the PHP/cURL extension, put it in the right place, and restart Apache for you Check the info script again, check that you can see the cURL extension Testing the different SSL/TLS libraries Clone the moodle integration branch and put it in your webroot At your virtual machine's terminal, run the install script: ./install.sh OpenSSL with_tls Check the info PHP file made earlier and ensure under "curl" you see that the SSL Version is "OpenSSL/1.0.1t" Go through the Moodle installation procedure but stop when it gets to the environment check Verify there is no mention of TLS libraries being out of date Run the install script again: ./install.sh GnuTLS Repeat steps 2-4 (check for "GnuTLS/3.3.8" under SSL Version) Verify there is no mention of TLS libraries being out of date Run the install script again: ./install.sh NSS Repeat steps 2-4 (check for "NSS/3.17.2 Basic ECC" under SSL Version) Verify there is no mention of TLS libraries being out of date Run the install script again: ./install.sh OpenSSL without_tls Repeat steps 2-4 (check for "OpenSSL/0.9.8o" under SSL Version) This time there should be a warning about TLS libraries being out of date
    • Affected Branches:
      MOODLE_32_STABLE
    • Fixed Branches:
      MOODLE_32_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-55404-master
    • Pull Master Diff URL:
    • Sprint:
      3.2 Sprint 5

      Description

      Several services are starting to drop support for older SSL/TLS implementations (PayPal, for example). So we need to start suggesting that sysadmins upgrade their libraries.

        Attachments

          Issue Links

          caused a regression

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-56806 Add environment checks for TLS that missed stables in MDL-55404

          • Critical - Crashes server, loss of data, severe memory leak
          • Closed

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-56306 lib/tests/upgrade_util_test.php failing on travis

          • Minor - Minor loss of function where workaround is possible
          • Closed

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-56917 Environment checks for TLS can trigger a false positive

          • Minor - Minor loss of function where workaround is possible
          • Closed
          has a non-specific relationship to

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-54706 Moodle plugin updates fail if proxy is needed (issues with SNI @download.moodle.org)

          • Major - Major loss of function, incorrect output
          • Open

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-57262 Re-implement curl TLS check by checking functionality rather than sniffing versions

          • Minor - Minor loss of function where workaround is possible
          • Reopened
          has been marked as being related by

          Task - A task that needs to be completed. Tasks usually refer to work that must be done outside the product. MDL-55777 Add envcheck for minimum recommended version of libcurl 7.19.4

          • Minor - Minor loss of function where workaround is possible
          • Closed
          will help resolve

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-54770 PayPal enrolment plugin to support required SSLVERSION TLS v1.2 if possible

          • Major - Major loss of function, incorrect output
          • Closed

            Activity

              People

              Assignee:
              cameron1729 cameron1729
              Reporter:
              cameron1729 cameron1729
              Peer reviewer:
              Simey Lameze
              Integrator:
              Dan Poltawski
              Tester:
              Rajesh Taneja
              Participants:
              Component watchers:
              Matteo Scaramuccia, Andrew Nicols, Dongsheng Cai, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
              Votes:
              1 Vote for this issue
              Watchers:
              7 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                5/Dec/16