Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-55404

Add environment checks for TLS

          Details

          • Type: Task
          • Status: Closed
          • Priority: Major
          • Resolution: Fixed
          • Affects Version/s: 3.2
          • Fix Version/s: 3.2
          • Component/s: Installation
          • Labels:
          • Testing Instructions:
            Hide

            This is a somewhat complicated test that involves using the PHP/cURL extension against libssl which has to be compiled against different SSL/TLS libraries. To make this easier I've written a small bash script to automate much of the compiling parts test (attached to this issue).

            Setup Server

            1. Create a virtual machine using this Debian ISO. It must be this one otherwise the bash script won't work.
            2. Set up your webserver stack (make sure you use Apache and PHP from apt-get though). However don't install the PHP/cURL extension. We're going to compile that.
            3. Place the attatched bash script in your home directory (or somewhere that you can write to)
            4. Install sudo - this guide seems OK
            5. Run ./install.sh init - it uses sudo so will prompt for your password
            6. If it worked it should have downloaded some sources and installed a few packages. If something goes wrong it should produce some sort of error
            7. Try running ./install.sh init again and make sure it says "No packages to install"
            8. Make a PHP file with phpinfo(); and put it in your webroot
            9. Access the PHP script and check that there is no mention of the cURL extension
            10. Run ./install.sh OpenSSL - it should compile the PHP/cURL extension, put it in the right place, and restart Apache for you
            11. Check the info script again, check that you can see the cURL extension

            Testing the different SSL/TLS libraries

            1. Clone the moodle integration branch and put it in your webroot
            2. At your virtual machine's terminal, run the install script: ./install.sh OpenSSL with_tls
            3. Check the info PHP file made earlier and ensure under "curl" you see that the SSL Version is "OpenSSL/1.0.1t"
            4. Go through the Moodle installation procedure but stop when it gets to the environment check
            5. Verify there is no mention of TLS libraries being out of date
            6. Run the install script again: ./install.sh GnuTLS
            7. Repeat steps 2-4 (check for "GnuTLS/3.3.8" under SSL Version)
            8. Verify there is no mention of TLS libraries being out of date
            9. Run the install script again: ./install.sh NSS
            10. Repeat steps 2-4 (check for "NSS/3.17.2 Basic ECC" under SSL Version)
            11. Verify there is no mention of TLS libraries being out of date
            12. Run the install script again: ./install.sh OpenSSL without_tls
            13. Repeat steps 2-4 (check for "OpenSSL/0.9.8o" under SSL Version)
            14. This time there should be a warning about TLS libraries being out of date
            Show
            This is a somewhat complicated test that involves using the PHP/cURL extension against libssl which has to be compiled against different SSL/TLS libraries. To make this easier I've written a small bash script to automate much of the compiling parts test (attached to this issue). Setup Server Create a virtual machine using this Debian ISO. It must be this one otherwise the bash script won't work. Set up your webserver stack (make sure you use Apache and PHP from apt-get though). However don't install the PHP/cURL extension. We're going to compile that. Place the attatched bash script in your home directory (or somewhere that you can write to) Install sudo - this guide seems OK Run ./install.sh init - it uses sudo so will prompt for your password If it worked it should have downloaded some sources and installed a few packages. If something goes wrong it should produce some sort of error Try running ./install.sh init again and make sure it says "No packages to install" Make a PHP file with phpinfo(); and put it in your webroot Access the PHP script and check that there is no mention of the cURL extension Run ./install.sh OpenSSL - it should compile the PHP/cURL extension, put it in the right place, and restart Apache for you Check the info script again, check that you can see the cURL extension Testing the different SSL/TLS libraries Clone the moodle integration branch and put it in your webroot At your virtual machine's terminal, run the install script: ./install.sh OpenSSL with_tls Check the info PHP file made earlier and ensure under "curl" you see that the SSL Version is "OpenSSL/1.0.1t" Go through the Moodle installation procedure but stop when it gets to the environment check Verify there is no mention of TLS libraries being out of date Run the install script again: ./install.sh GnuTLS Repeat steps 2-4 (check for "GnuTLS/3.3.8" under SSL Version) Verify there is no mention of TLS libraries being out of date Run the install script again: ./install.sh NSS Repeat steps 2-4 (check for "NSS/3.17.2 Basic ECC" under SSL Version) Verify there is no mention of TLS libraries being out of date Run the install script again: ./install.sh OpenSSL without_tls Repeat steps 2-4 (check for "OpenSSL/0.9.8o" under SSL Version) This time there should be a warning about TLS libraries being out of date
          • Affected Branches:
            MOODLE_32_STABLE
          • Fixed Branches:
            MOODLE_32_STABLE
          • Pull from Repository:
          • Pull Master Branch:
            MDL-55404-master
          • Pull Master Diff URL:
          • Sprint:
            3.2 Sprint 5

            Description

            Several services are starting to drop support for older SSL/TLS implementations (PayPal, for example). So we need to start suggesting that sysadmins upgrade their libraries.

              Gliffy Diagrams

                Attachments

                  Issue Links

                  caused a regression

                  Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-56806 Add environment checks for TLS that missed stables in MDL-55404

                  • Critical - Crashes server, loss of data, severe memory leak
                  • Closed

                  Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-56306 lib/tests/upgrade_util_test.php failing on travis

                  • Minor - Minor loss of function where workaround is possible
                  • Closed

                  Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-56917 Environment checks for TLS can trigger a false positive

                  • Minor - Minor loss of function where workaround is possible
                  • Closed
                  has a non-specific relationship to

                  Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-54706 Moodle plugin updates fail if proxy is needed (issues with SNI @download.moodle.org)

                  • Major - Major loss of function, incorrect output
                  • Open

                  Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-57262 Re-implement curl TLS check by checking functionality rather than sniffing versions

                  • Minor - Minor loss of function where workaround is possible
                  • Reopened
                  has been marked as being related by

                  Task - A task that needs to be completed. Tasks usually refer to work that must be done outside the product. MDL-55777 Add envcheck for minimum recommended version of libcurl 7.19.4

                  • Minor - Minor loss of function where workaround is possible
                  • Closed
                  will help resolve

                  Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-54770 PayPal enrolment plugin to support required SSLVERSION TLS v1.2 if possible

                  • Major - Major loss of function, incorrect output
                  • Closed

                    Activity

                      People

                      • Votes:
                        1 Vote for this issue
                        Watchers:
                        7 Start watching this issue

                        Dates

                        • Created:
                          Updated:
                          Resolved:
                          Fix Release Date:
                          5/Dec/16