Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-36818

Wrong setting for CURLOPT_SSL_VERIFYHOST in CAS

XMLWordPrintable

    • MOODLE_19_STABLE, MOODLE_21_STABLE, MOODLE_22_STABLE, MOODLE_23_STABLE, MOODLE_24_STABLE, MOODLE_25_STABLE
    • MOODLE_23_STABLE, MOODLE_24_STABLE, MOODLE_25_STABLE
    • MDL-36818-master
    • Hide

      DanP: I do not feel the time required to setup a SSL'd CAS server is necessary here. I could add testing instructions to test CAS without SSL, but it wouldn't be testing anything.

      Therefore i'm going to suggest passing this based on the code and the fact its been applied upstream. If someone from the community has a ssl-enabled CAS setup, it'd be great if we could get them to test it.

      Show
      DanP: I do not feel the time required to setup a SSL'd CAS server is necessary here. I could add testing instructions to test CAS without SSL, but it wouldn't be testing anything. Therefore i'm going to suggest passing this based on the code and the fact its been applied upstream. If someone from the community has a ssl-enabled CAS setup, it'd be great if we could get them to test it.

      S3 repository and CAS client make improper use of CURLOPT_SSL_VERIFYHOST in curl library - they set it to the value of 1 instead of 2.

      From the libcurl documentation:

      > When CURLOPT_SSL_VERIFYHOST is 2, that certificate must indicate that the
      > server is the server to which you meant to connect, or the connection fails.
      >
      > Curl considers the server the intended one when the Common Name field or a
      > Subject Alternate Name field in the certificate matches the host name in the
      > URL to which you told Curl to connect.
      >
      > When the value is 1, the certificate must contain a Common Name field, but it
      > doesn't matter what name it says. (This is not ordinarily a useful setting).

      Thanks to Alessandro Ghedini for reporting it.

      The fixes has been sent to upstream developers:
      https://github.com/tpyo/amazon-s3-php-class/pull/36
      https://github.com/Jasig/phpCAS/pull/58

        1. 0001-MDL-36818-Wrong-value-for-CURLOPT_SSL_VERIFYHOST.patch
          1 kB

            poltawski Dan Poltawski
            tmuras Tomasz Muras
            Damyon Wiese Damyon Wiese
            Damyon Wiese Damyon Wiese
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved:

                Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.