Mahara

MNet contains superfluous SSL cert checks

Bug #888436 reported by François Marier
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Mahara
Fix Released
Medium
François Marier
Mahara 1.5.0

Bug Description

MNet in Mahara has these curl options set:

  CURLOPT_SSL_VERIFYHOST = 2
  CURLOPT_SSL_VERIFYPEER = true

whereas Moodle has:

  CURLOPT_SSL_VERIFYHOST = 0
  CURLOPT_SSL_VERIFYPEER = false

Since we are already using public key crypto to authenticate and encrypt communications between sites, I think we can remove this superfluous check which incidentally prevents people from using self-signed SSL certs to protect their sites.

Tags: mnet
Revision history for this message
François Marier (fmarier) wrote :

https://reviews.mahara.org/838

Changed in mahara:
status: Confirmed → In Progress
Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/838
Committed: http://gitorious.org/mahara/mahara/commit/cd47920eedcf03ac93e690de407da7044737b683
Submitter: Richard Mansfield (<email address hidden>)
Branch: master

commit cd47920eedcf03ac93e690de407da7044737b683
Author: Francois Marier <email address hidden>
Date: Thu Nov 10 20:40:18 2011 +1300

    MNet: Remove unnecessary SSL certificate checks (bug #888436)

    These CA checks prevent the use of self-signed certificates with
    MNet despite the fact that we wrap everything inside public key
    crypto.

    This change makes the Mahara implementation match the way that this
    is done in Moodle.

    Change-Id: Ia190cd4d40da5e7a5acf3c0fe2104f80c6df9f78
    Signed-off-by: Francois Marier <email address hidden>

François Marier (fmarier)
Changed in mahara:
status: In Progress → Fix Committed
Melissa Draper (melissa)
Changed in mahara:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.