[MDL-73518] Switch MNet RC4 method to better alternative, keeping BC - Moodle Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: 4.0
Fix Version/s: None
Component/s: MNet
Labels:
- security_benefit

Affected Branches:
MOODLE_400_STABLE

Description

This was create by ~~MDL-73517~~, when it was detected the we are using RC4 as cypher method for MNet encryption. From the original issue:

2) Create another issue, about to consider moving the "RC4" default to a better one, surely including init vector too.

Note that, in practice... 2) is not critical as far as now all sites run over SSL, hence, data is double encrypted, once by the MNet RC4 implementation, not ideal, and another by the http SSL layer (usually safer).

Also, this needs to be done in a "BC way" so old sites (still using RC4 unconditionally) are able to talk with newer sites using another, better, cypher. That, or explicitly warn that, when this is implemented, older sites won't be able to talk with new ones anymore.

Attachments

Issue Links

Discovered while testing

MDL-73517 openssl_seal() and openssl_open() method param is now required

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Eloy Lafuente (stronk7)

Participants:: Eloy Lafuente (stronk7)

Component watchers:

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 08/Jan/22 2:22 AM

Updated:: 08/Jan/22 2:23 AM