Moodle / MDL-56806

Add environment checks for TLS that missed stables in MDL-55404

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Won't Fix
    • Affects Version/s: 2.7.16, 2.9.8, 3.0.6, 3.1.2
    • Fix Version/s: None
    • Labels:
    • Testing Instructions:
      This is a somewhat complicated test that involves using the PHP/cURL extension against libssl which has to be compiled against different SSL/TLS libraries. To make this easier, Cameron has written a small bash script to automate much of the compiling part of the test (attached to this issue).

      PLEASE NOTE: This issue has unusual affected branches. Please double check the fix version field above. But most likely you will be testing on 3.1, 3.0, 2.9 and 2.7 (notably no need to test 3.2 or 2.8)

      Setup Server

      1. Create a virtual machine using this Debian ISO. It must be this one otherwise the bash script won't work.
      2. Set up your webserver stack (make sure you use Apache and PHP from apt-get though). However don't install the PHP/cURL extension. We're going to compile that.
      3. Place the attached bash script in your home directory (or somewhere that you can write to)
      4. Install sudo - this guide seems OK
      5. Run ./install.sh init - it uses sudo so will prompt for your password
      6. If it worked it should have downloaded some sources and installed a few packages. If something goes wrong it should produce some sort of error
      7. Try running ./install.sh init again and make sure it says "No packages to install"
      8. Make a PHP file with phpinfo(); and put it in your webroot
      9. Access the PHP script and check that there is no mention of the cURL extension
      10. Run ./install.sh OpenSSL - it should compile the PHP/cURL extension, put it in the right place, and restart Apache for you
      11. Check the info script again, check that you can see the cURL extension

      Testing the different SSL/TLS libraries

      1. Clone the Moodle integration branch and put it in your webroot
      2. Go through the Moodle installation procedure. Stop on the environment check page, and make sure there is no warning about TLS
      3. Run the install script again: ./install.sh OpenSSL without_tls
      4. Refresh phpinfo, check for "OpenSSL/0.9.8o" under SSL Version
      5. Refresh the environment check page
      6. Finish installing Moodle, then go to Site administration > Server > Environment and select 3.2 as the version from the dropdown
      7. At your virtual machine's terminal, run the install script: ./install.sh OpenSSL with_tls
      8. Check the info PHP file made earlier and ensure under "curl" you see that the SSL Version is "OpenSSL/1.0.1t"
      9. Verify there is no mention of TLS libraries being out of date
      10. Run the install script again: ./install.sh GnuTLS
      11. Refresh the page and check for "GnuTLS/3.3.8" under SSL Version
      12. Verify there is no mention of TLS libraries being out of date
      13. Run the install script again: ./install.sh NSS
      14. Refresh the page and check for "NSS/3.17.2 Basic ECC" under SSL Version
      15. Verify there is no mention of TLS libraries being out of date
      16. Run the install script again: ./install.sh OpenSSL without_tls
      17. Refresh the page and check for "OpenSSL/0.9.8o" under SSL Version
      18. This time there should be a warning about TLS libraries being out of date
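
The outcomes expected in steps 3 to 18 can be cross-checked with a small script run on the same VM. This is an added example, not Moodle's environment check and not the attached install.sh; the function name tls12_capable and the minimum versions in it are assumptions for illustration.

```php
<?php
// Added example, not Moodle's code. The minimum versions are assumptions
// chosen for illustration; this issue does not state them.

/**
 * Classify a cURL "SSL Version" string as shown by phpinfo().
 * Returns true (no TLS warning expected), false (warning expected),
 * or null when the backend or version cannot be recognised.
 */
function tls12_capable($sslversion) {
    $minimum = array(                 // assumed first releases with TLS 1.2
        'OpenSSL' => array(1, 0, 1),
        'GnuTLS'  => array(1, 7, 1),
        'NSS'     => array(3, 15, 1),
    );
    // Backend name, then up to three numeric parts. A trailing patch
    // letter ("o" in 0.9.8o) or suffix ("Basic ECC") is ignored.
    if (!preg_match('~^([A-Za-z]+)/(\d+)\.(\d+)(?:\.(\d+))?~', $sslversion, $m)) {
        return null;
    }
    if (!isset($minimum[$m[1]])) {
        return null;                  // unknown backend: do not guess
    }
    $have = array((int)$m[2], (int)$m[3], isset($m[4]) ? (int)$m[4] : 0);
    foreach ($minimum[$m[1]] as $i => $need) {
        if ($have[$i] !== $need) {
            return $have[$i] > $need; // first differing part decides
        }
    }
    return true;                      // exactly the minimum version
}

// Constructed sample input: the four strings named in the test steps.
$samples = array('OpenSSL/0.9.8o', 'OpenSSL/1.0.1t', 'GnuTLS/3.3.8', 'NSS/3.17.2 Basic ECC');
if (function_exists('curl_version')) {
    $info = curl_version();
    $samples[] = $info['ssl_version']; // value for the PHP running this script
}
foreach ($samples as $s) {
    $r = tls12_capable($s);
    $verdict = $r === null ? 'unrecognised' : ($r ? 'no TLS warning expected' : 'TLS warning expected');
    printf("%-22s %s\n", $s, $verdict);
}
```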

      No Curl Environment test Error

      (difficulty: moderate, requires a virtual/docker environment)

      1. Install Moodle 3.2 on a CentOS (RHEL 7) with PHP 7.0.x support from Remi (https://blog.remirepo.net/post/2016/02/14/Install-PHP-7-on-CentOS-RHEL-Fedora, read also the Dockerfile in the Description).
      2. Check Site administration > Server > Environment: no warning about TLS v1.2 should appear.
      3. Select the 3.2 version requirements from the dropdown
      4. Make sure there is still no error

      Curl Test

      1. Start installing Moodle on the system without curl PHP extension. (e.g. sudo apt-get autoremove php5.6-curl )
      2. After accepting license agreement
      3. Confirm you can see "Server checks" page (/admin/index.php?cache=0&lang=en&agreelicense=1). Page must not be blank or contain messages about PHP errors.
      4. Confirm you see the table row with the following cells: "php_extension", "curl", "must be installed and enabled".
      5. Confirm you see "cURL PHP extension is not installed" message in "Other checks" table.
    • Affected Branches:
      MOODLE_27_STABLE, MOODLE_29_STABLE, MOODLE_30_STABLE, MOODLE_31_STABLE
    • Pull from Repository:

      Description

      While looking at MDL-55777, it was detected that MDL-55404 had not been backported to supported versions, so "in-advance" checking (of 3.2 requirements, from older versions) is not consistent with "current version" checking. And that breaks the "rule of thumb" with environment.xml:

      "environment.xml must be the same where possible so both in-advance checks (when in 2.7 you're looking for 2.9 env requirements) and current-version checks (when, on upgrade you're looking for the version about to be installed) result MUST MATCH"

      Note it's possible to have some exceptions to that rule, if the old versions are missing some stuff enabling the check to happen (for example, in 2.7 we cannot check in-advance for unoconv, it simply did not exist there). But when possible, the rule above must always be applied.

      So this is about backporting MDL-55404 to supported (normal and security) versions in order to observe the rule above and provide consistent "in-advance" checks.

      Ciao

              People

              Assignee:
              johno John Okely
              Reporter:
              stronk7 Eloy Lafuente (stronk7)
              Peer reviewer:
              cameron1729
              Integrator:
              Dan Poltawski
              Participants:
              Component watchers:
              Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Matteo Scaramuccia