Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-57704

Don't force SSLv3 in LTI provider

    XMLWordPrintable

    Details

    • Testing Instructions:
      Hide
      Note: Two sites are required for testing this issue.
      1. LTI consumer
      2. LTI provider.
      Enable LTI provider on course and activity
      1. Login as administrator.
      2. Follow Site administration ► Security ► HTTP security and enable 'Allow frame embedding'.
      3. Follow Site administration ► Plugins ► Authentication ► Manage authentication' and enable 'LTI' authentication.
      4. Follow Site administration ► Plugins ► Enrolments ► Manage enrol plugins and enable 'Publish as LTI tool'.
      5. Log out and log in as teacher.
      6. Visit a course with at least 1 activity (assignment) and 1 resource (file).
      7. Follow Course administration ► Users ► Enrolment methods.
      8. Add a Publish as LTI tool with 'Tool to be published' selected to course.
      9. Add a Publish as LTI tool with 'Tool to be published' selected to assignment
      10. Add a Publish as LTI tool with 'Tool to be published' selected to file.
      11. Follow Course administration ► Publish as LTI tool.
      12. Make note of all 3 URLs and secrets.
      On your LTI consumer site.
      1. Visit a course.
      2. Add 3 'External Tool' activities and use the following from your LTI provider site.
        • URL as 'Launch/Cartridge URL'.
        • Secret as 'Shared secret'.
        • Set 'Consumer key' as 'moodle'
      3. Log in as a student.
      4. Visit the course and click on each LTI activity.
      5. Verify 'External Tool' activity links to course display course.
      6. Verify 'External Tool' activity links to assignment display assignment.
      7. Verify 'External Tool' activity links to file display file.
      Proxy test
      1. Copy proxy url from published course in LTI provider site
      2. On a consumer site go to Site administration ► Plugins ► External tool ► Manage tools
      3. Paste the url you copied into the box, but don't click add
      4. Change the token part of the url to something else such as "ASDF123"
      5. Click add
      6. Make sure that there is an error displayed
      7. Click cancel
      8. Paste the URL and this time click add with the correct token
      9. Click continue
      10. Click save
      11. The tool should successfully be added.
      12. Go to a course
      13. Add an external tool
      14. Select the type as the tool you just added
      15. Save and display
      16. Verify it works as expected and you log into LTI provider site correctly
      Show
      Note: Two sites are required for testing this issue. LTI consumer LTI provider. Enable LTI provider on course and activity Login as administrator. Follow Site administration ► Security ► HTTP security and enable 'Allow frame embedding'. Follow Site administration ► Plugins ► Authentication ► Manage authentication' and enable 'LTI' authentication. Follow Site administration ► Plugins ► Enrolments ► Manage enrol plugins and enable 'Publish as LTI tool'. Log out and log in as teacher. Visit a course with at least 1 activity (assignment) and 1 resource (file). Follow Course administration ► Users ► Enrolment methods. Add a Publish as LTI tool with 'Tool to be published' selected to course. Add a Publish as LTI tool with 'Tool to be published' selected to assignment Add a Publish as LTI tool with 'Tool to be published' selected to file. Follow Course administration ► Publish as LTI tool. Make note of all 3 URLs and secrets. On your LTI consumer site. Visit a course. Add 3 'External Tool' activities and use the following from your LTI provider site. URL as 'Launch/Cartridge URL'. Secret as 'Shared secret'. Set 'Consumer key' as 'moodle' Log in as a student. Visit the course and click on each LTI activity. Verify 'External Tool' activity links to course display course. Verify 'External Tool' activity links to assignment display assignment. Verify 'External Tool' activity links to file display file. Proxy test Copy proxy url from published course in LTI provider site On a consumer site go to Site administration ► Plugins ► External tool ► Manage tools Paste the url you copied into the box, but don't click add Change the token part of the url to something else such as "ASDF123" Click add Make sure that there is an error displayed Click cancel Paste the URL and this time click add with the correct token Click continue Click save The tool should successfully be added. Go to a course Add an external tool Select the type as the tool you just added Save and display Verify it works as expected and you log into LTI provider site correctly
    • Affected Branches:
      MOODLE_32_STABLE
    • Fixed Branches:
      MOODLE_32_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-57704-master

      Description

      In the LTI provider library we are using, only SSLv3 is used. We need to use TLS instead.

      This is a 3.2 regression because in 3.1 we hacked the library to use our curl wrapper instead (AFAIK)

      This has been fixed upstream. https://github.com/IMSGlobal/LTI-Tool-Provider-Library-PHP/pull/13 So we can either wait for a release or hotfix it ourselves

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              johno John Okely
              Reporter:
              johno John Okely
              Peer reviewer:
              Jun Pataleta
              Integrator:
              Andrew Nicols
              Tester:
              cameron1729
              Participants:
              Component watchers:
              Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona), Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias
              Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                8/May/17