invalid ssl/tls configuration problem

by ling yang -
Number of replies: 24
invalid ssl/tls configuration

When I upgraded Moodle to 3.2, the server environment check reported a problem. How can I solve this problem? Thanks!

In reply to ling yang

Re: invalid ssl/tls configuration problem

by Emma Richardson -

Try doing what it says...upgrade your TLS libraries on your server.

In reply to Emma Richardson

Re: invalid ssl/tls configuration problem

by ling yang -
The problem is I don't know how to upgrade TLS libraries. The server system is CentOS 7, PHP version is 7.0.11, Moodle version is 3.2.
In reply to ling yang

Re: invalid ssl/tls configuration problem

by Just H -
The second problem then is that support is provided here for Moodle; not servers.

In all seriousness though, this is a server issue therefore best to ask your host if they can update, or if you have full access to your server, hit Google for how to do it such as perhaps: http://www.ehowstuff.com/how-to-install-and-update-openssl-on-centos-6-centos-7/

In reply to ling yang

Re: invalid ssl/tls configuration problem

by Ken Task -

While Just is correct ... Moodle forum vs Operating System forum ... in order to run Moodle on anything that's declared to be compatible, some extra pointers might be needed from time to time. Thus this response falls into that category ...

RH and thus CentOS are traditionally a little conservative when it comes to latest/greatest.

Take a gander at this RH info (CentOS 7 is based on RHEL 7):

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Hardening_TLS_Configuration.html

It might provide some interesting reading on the state of SSL for others on other systems as well.

And would also advise checking with provider but, at the same time, you might have to investigate using https://ius.io/ as the source/repo for PHP 7.

'spirit of sharing', Ken




In reply to ling yang

Re: invalid ssl/tls configuration problem

by Matteo Scaramuccia -

Hi Ling,
could you provide more info about how you installed PHP 7.0.11? Are you sure you're running the released version of 3.2 and not a beta/RC? More details in MDL-56917.

HTH,
Matteo

In reply to ling yang

Re: invalid ssl/tls configuration problem

by Ken Task -

CentOS 7 does offer the following:

gnutls.x86_64 : A TLS protocol implementation

mod_nss.x86_64 : SSL/TLS module for the Apache HTTP server

mod_ssl.x86_64 : SSL/TLS module for the Apache HTTP Server

Any of those can be installed via yum from default repos.

yum install [package]

'spirit of sharing', Ken


In reply to ling yang

Re: invalid ssl/tls configuration problem

by Mark Iannone -

Hi,

I just updated 3 Moodles from 3.1 to 3.2 today. Everything went smoothly except I got the same check in the server environment for all three. They were all on the same server. As I updated, I looked at the others that were not updated and none had the check. As I upgraded the check appeared each time.  I tried php 5.6, 7.0, and 7.1 and all gave the same check. I am using MariaDB 10.1.19

Cacloud support gave me this message:

Hello Mark,

I have confirmed tls 1.2 is enabled in the server and curl is already enabled for all php versions. I am still unable to find the reason for this error. The status is shown as "Check" for curl with tls 1.2. I would recommend to check in moodle forums for solutions.
Regards,

Jake Dougrey | Tier3 Technical Support

Please let me know if you find a solution.

Mark Iannone


In reply to Mark Iannone

Re: invalid ssl/tls configuration problem

by Ken Task -

Guessing it's Linux, but what distro?

Have a CentOS 6.highest currently with https 3.0.highest of Moodle and doing environment checks for 3.2 and beyond does not report that hiccup. Server has gnutls installed.

'spirit of sharing', Ken



In reply to Ken Task

Re: invalid ssl/tls configuration problem

by Rick Jerz -

I just did a fresh install of 3.2 on my MAMP system and got the same warning that others have received.  I don't recall this happening with the "dev" versions of 3.2.  So something is slightly different.  I too looked around a little but couldn't figure out how to get rid of this warning, yet.

On my same MAMP install with Moodle 3.1, I don't even see this ssl/tls configuration check being performed.  This seems to be something new.

I did see a good chunk of discussion about this on MDL-55404. Maybe Dan P. can jump in and help us out. I see in MDL-55404 that there was a desire to document this.

In reply to Rick Jerz

Re: invalid ssl/tls configuration problem

by Mark Iannone -

I just upgraded another Moodle from 3.1 to 3.2. I checked the server environment while in 3.1 and it showed all green lights- as Ken found earlier. As soon as I upgraded, there were two new tables to compress, and the yellow warning:

No PHP/cURL extension with TLSv1.2 support has been detected. Some services may not work. It is strongly recommended to upgrade your TLS libraries. 

It seems the 3.2 version is pickier than the 3.1 version.


In reply to Mark Iannone

Re: invalid ssl/tls configuration problem

by Rick Jerz -

Mark, on my MAMP where I get the warning, there seems to be no negative consequence.  But I still wonder what is going on.  I am sure we will be learning more about this new issue soon.  I look at "curl" in my php info webpage, and I can't see anything wrong.  So I am not sure where I can detect what is missing.  Nor can I figure out how to do what the warning message suggests.

In reply to Rick Jerz

Re: invalid ssl/tls configuration problem

by Ken Task -

Think there is a little confusion here ... the check does mysql and php checks then goes to 'custom checks' looking for supported versions of utilities/supports that Moodle would use ... curl being one of them.

There's a difference in MAMP (and other locally installed apps like that) in that MAMP provides all supports needed.

On a Mac - what comes natively with a Mac:
Kens-MacBook-Pro:~ ktask$ curl -V
curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 SecureTransport zlib/1.2.5
Protocols: ... ftps ... http https ... imaps ... ldaps ... pop3s ... smbs ... smtps ...

In /Applications/MAMP/Library/bin
Kens-MacBook-Pro:bin ktask$ ./curl -V
curl 7.28.1 (x86_64-apple-darwin10.8.0) libcurl/7.28.1 OpenSSL/0.9.8} zlib/1.2.8 libidn/1.17

One can see that the curl that comes as part of MAMP is actually older than the curl that's with the OS but it's still a version that the Moodle check won't complain about.

This is  one of those areas where running a local (MAMP/XAMP or whatever) *isn't* the same as what a server runs.

On a true server:  CentOS release 6.8 (Final)
Moodle 3.1.highest
Environment Check
Does not report the TLS library issue.

The environment.xml file ... at the very bottom has:

      <CUSTOM_CHECK file="lib/upgradelib.php" function="check_libcurl_version" level="optional">
        <FEEDBACK>
          <ON_CHECK message="libcurlwarning" />
        </FEEDBACK>
      </CUSTOM_CHECK>

the lib/upgradelib.php file ... at the very bottom:

/**
 * Check if recommended version of libcurl is installed or not.
 *
 * @param environment_results $result object to update, if relevant.
 * @return environment_results|null updated results or null.
 */
function check_libcurl_version(environment_results $result) {

    // Supported version and version number.
    $supportedversion = 0x071304;
    $supportedversionstring = "7.19.4";

    // Installed version.
    $curlinfo = curl_version();
    $currentversion = $curlinfo['version_number'];

    if ($currentversion < $supportedversion) {
        // Test fail.
        // Set info, we want to let user know how to resolve the problem.
        $result->setInfo('Libcurl version check');
        $result->setNeededVersion($supportedversionstring);
        $result->setCurrentVersion($curlinfo['version']);
        $result->setStatus(false);
        return $result;
    }

    return null;
}

In the environment.xml file of a 3.2 there is an additional check.

Towards the bottom where the other checks reside:

      <CUSTOM_CHECK file="lib/upgradelib.php" function="check_tls_libraries" level="optional">
        <FEEDBACK>
          <ON_CHECK message="tlswarning" />
        </FEEDBACK>
      </CUSTOM_CHECK>
      <CUSTOM_CHECK file="lib/upgradelib.php" function="check_libcurl_version" level="optional">
        <FEEDBACK>
          <ON_CHECK message="libcurlwarning" />
        </FEEDBACK>
      </CUSTOM_CHECK>

One can see there are two separate checks ... a TLS check and a libcurl check.


> curl -V
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: .... https ... scp sftp

Think the issue has to do with what protocols curl can use ... openssl/SSL/https stuff having issues recently it appears that many are now using TLS.

On a local host MAMP/other similar type designed to install easy and run locally ... not shared on the network, etc. by default, it installs using http:// ... no SSL nor TLS certificate required or used.

Basically, until the OS or OS as provided by provider gets updated libraries then Moodle will 'complain' ... but it's not a 'show stopper' - is it?   Should one be concerned ... uhhh, yes, but this isn't like a zero day flaw ... I don't think.

Am not a security expert ... just sharing what I've 'dug out' and offered 2 cent opinion.   Would be nice if a true Moodle.org security expert would shed some light. ;)

'spirit of sharing', Ken


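Ken's post above shows environment.xml wiring two custom checks to lib/upgradelib.php and quotes check_libcurl_version(), but check_tls_libraries() itself is not on the page. The script below is an added example, not Moodle's code: check_libcurl_version() applies the same version_number rule that is quoted above, while check_tls_libraries() is my own approximation built from the first line of `curl -V` (the format everyone has been pasting in this thread). parse_curl_v(), the backend thresholds in TLS12_BACKEND_MIN, the 'warn' verdict for a libcurl older than 7.34.0 (the first upstream release that can ask for TLS 1.2) and probe_tls12() are this example's assumptions, not Moodle's logic. The SAMPLES are the curl -V lines posted in this thread.

```python
"""Re-creation of Moodle 3.2's two optional environment checks (added example).

check_libcurl_version() mirrors the function quoted from lib/upgradelib.php.
check_tls_libraries() approximates the undisclosed TLS check: the backend
thresholds and the 'warn' rule for pre-7.34.0 libcurl are assumptions.
"""
import re
import socket
import ssl
from dataclasses import dataclass
from typing import Tuple

LIBCURL_MIN = "7.19.4"             # $supportedversionstring on the page (0x071304)
LIBCURL_TLS12_UPSTREAM = "7.34.0"  # first upstream libcurl with CURL_SSLVERSION_TLSv1_2

# Oldest backend releases assumed to implement TLS 1.2 (assumption: check your
# backend's release notes before relying on these).
TLS12_BACKEND_MIN = {
    "OpenSSL": (1, 0, 1),
    "NSS": (3, 15, 1),
    "GnuTLS": (3, 0, 0),
    "SecureTransport": (0,),       # curl -V prints no version for this backend
}

# Constructed from the curl -V output quoted in this thread.
SAMPLES = [
    "curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.21 Basic ECC zlib/1.2.7 libidn/1.28 libssh2/1.4.3",
    "curl 7.28.1 (x86_64-apple-darwin10.8.0) libcurl/7.28.1 OpenSSL/0.9.8} zlib/1.2.8 libidn/1.17",
    "curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 SecureTransport zlib/1.2.5",
]


def version_tuple(text: str) -> Tuple[int, ...]:
    """'1.0.1e' -> (1, 0, 1); '3.21' -> (3, 21). Non-digit junk is dropped."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3]) or (0,)


def version_number(text: str) -> int:
    """Encode X.Y.Z the way libcurl's version_number does: 7.19.4 -> 0x071304."""
    major, minor, patch = (version_tuple(text) + (0, 0, 0))[:3]
    return (major << 16) | (minor << 8) | patch


@dataclass
class CurlInfo:
    libcurl: str
    ssl_backend: str
    ssl_version: str  # "" when curl -V prints no version for the backend


def parse_curl_v(first_line: str) -> CurlInfo:
    """Parse the first line of `curl -V`: 'curl V (host) libcurl/V BACKEND[/V] ...'."""
    m = re.match(r"curl \S+ \([^)]*\) libcurl/(\S+) ([A-Za-z]+)(?:/(\S+))?", first_line)
    if not m:
        raise ValueError("unrecognised curl -V line: " + first_line)
    return CurlInfo(m.group(1), m.group(2), m.group(3) or "")


def check_libcurl_version(info: CurlInfo) -> Tuple[bool, str]:
    """Same rule as the check_libcurl_version() quoted from lib/upgradelib.php."""
    if version_number(info.libcurl) < version_number(LIBCURL_MIN):
        return False, f"libcurl {info.libcurl} is older than {LIBCURL_MIN}"
    return True, f"libcurl {info.libcurl} >= {LIBCURL_MIN}"


def check_tls_libraries(info: CurlInfo) -> Tuple[str, str]:
    """Return ('ok'|'warn'|'fail', reason) for TLS 1.2 capability (approximation)."""
    minimum = TLS12_BACKEND_MIN.get(info.ssl_backend)
    if minimum is None:
        return "fail", f"unknown TLS backend {info.ssl_backend!r}"
    if version_tuple(info.ssl_version) < minimum:
        return "fail", f"{info.ssl_backend} {info.ssl_version} predates TLS 1.2 support"
    if version_number(info.libcurl) < version_number(LIBCURL_TLS12_UPSTREAM):
        # The backend speaks TLS 1.2, but upstream libcurl only learned to request
        # it in 7.34.0. Distro builds such as RHEL/CentOS 7's 7.29.0 work because
        # the vendor backported the option, and a PHP built against them needs the
        # matching build-time patch (the MDL-56917 situation), so only warn.
        return "warn", (f"{info.ssl_backend} {info.ssl_version} supports TLS 1.2 but "
                        f"libcurl {info.libcurl} < {LIBCURL_TLS12_UPSTREAM}: relies on a "
                        "vendor backport, confirm with probe_tls12()")
    return "ok", f"{info.ssl_backend} {info.ssl_version} with libcurl {info.libcurl}"


def probe_tls12(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Live check in the spirit of the tlstest.paypal.com test mentioned below:
    succeed only if a TLS 1.2-only handshake completes. Needs network access."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == "TLSv1.2"
    except (OSError, ssl.SSLError):
        return False


if __name__ == "__main__":
    import subprocess
    lines = SAMPLES
    try:  # prefer the real system curl when it is available
        lines = [subprocess.run(["curl", "-V"], capture_output=True, text=True,
                                check=True).stdout.splitlines()[0]]
    except (OSError, subprocess.CalledProcessError):
        pass
    for line in lines:
        info = parse_curl_v(line)
        print(line.split(" (")[0], check_libcurl_version(info), check_tls_libraries(info))
```

Note that the command-line curl and PHP's curl extension can be built against different libcurl/TLS pairs (Ken's two MAMP outputs above are exactly that case), so on a server the values to feed in are the version and ssl_version that curl_version() reports in phpinfo, not only what `curl -V` prints.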
In reply to Rick Jerz

Re: invalid ssl/tls configuration problem

by William Stewart -

I'm following this post as I just moved an upgraded version on MAMP to the production server and received the notice on the production site. (Moodle 3.2+ and php 7.0.14)


Additionally, we are also current on the libraries (courtesy of our host company-I can never thank them enough):

root@host [~]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
root@host [~]# rpm -qa|grep ^openssl
openssl-devel-1.0.1e-60.el7.x86_64
openssl-libs-1.0.1e-60.el7.x86_64
openssl-1.0.1e-60.el7.x86_64
--


I also verified that latest cURL provided by CentOS is installed. 
--
root@host [~]# curl -V
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.21 Basic ECC zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp 
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets 
--


Along with the PHP module. 
--
root@host [~]# scl enable ea-php54 'php -m'|grep curl
curl
root@host [~]# scl enable ea-php55 'php -m'|grep curl
curl
root@host [~]# scl enable ea-php56 'php -m'|grep curl
curl
root@host [~]# scl enable ea-php70 'php -m'|grep curl
curl
root@host [~]# scl enable ea-php71 'php -m'|grep curl
curl
--

In reply to William Stewart

Re: invalid ssl/tls configuration problem

by Matteo Scaramuccia -

Hi William,
that's strange, since SCL should take care of enabling TLS v1.2 support in your PHPs even if your curl version is below the official v7.34.0: RedHat and the packagers have already backported TLS v1.2 being considered as a security issue.

I'm used to using Remi as the main repo for PHP (even as SCL) and I discovered the same issue when 3.2 was under development and opened MDL-56917.
A particular commit from Remi's repo will show you how PHP should evaluate, at compile time, when enabling TLS v1.2 support and when RedHat backported TLS v1.2 support: https://github.com/remicollet/remirepo/commit/87954ef9ca41#diff-2ae890d713e67410cedb4762717b3effR10.

If you'll look at the details in the tracker issue above you'll see how to check about the TLS v1.2 support in your envs by connecting to https://tlstest.paypal.com/.

BTW, Moodle HQ is working on this issue in a new tracker item: MDL-57262.

HTH,
Matteo

In reply to Matteo Scaramuccia

Re: invalid ssl/tls configuration problem

by William Stewart -

Matteo,


Thanks for the info. It's all a bit above my knowledge base so I'm simply stuck following the tracker. It doesn't affect anything on our end (e.g., we don't use the PayPal plugin) and it's probably too much work to bother our host with for something that is a known bug at the moment. I'm glad though that I'm not the only one surprised or experiencing the issue; it's good to have friends in the same boat.

In reply to William Stewart

Re: invalid ssl/tls configuration problem

by Matteo Scaramuccia -

Hi William,
I take your point but I'm using Moodle 3.2 under CentOS 7 (binary compatible w/ RedHat 7) and PHP 7.0.14 from Remi's repo successfully, even using PHP via Remi's SCL (https://blog.remirepo.net/post/2015/03/25/PHP-7.0-as-Software-Collection) so I'm wondering why the server hosting your instance has issues after MDL-56917 landed into the main stream (it happened before the shipment of 3.2).

I'll try different combinations as yours i.e. using SCL from CentOS/RedHat: I'm keen to contribute on solving this issue ;).

Could you tell me the exact PHP version used by your Moodle? Look for that info in http://your_hostname/admin/phpinfo.php.

TIA,
Matteo

 

In reply to ling yang

Re: invalid ssl/tls configuration problem

by Cameron 👨‍🦲🟥⚡️ -

Hi, I worked on these checks. The warning is not critical, however as it says, some things will not work unless you have up to date SSL/TLS libraries. This is beyond our control as some services (e.g., PayPal) are starting to drop support for anything older than TLS 1.2

I'm sorry to hear that you're having trouble upgrading your SSL/TLS libraries. I found https://docs.moodle.org/32/en/admin/environment/php_extension/curl in our user docs, but it isn't very detailed. So I'm updating it with instructions on how to get the latest SSL/TLS stuff on your server.


Cheers.

In reply to Cameron 👨‍🦲🟥⚡️

Re: invalid ssl/tls configuration problem

by Mark Iannone -

Hi Folks,

I did manage to upgrade my OpenSSL which fixed the problem. I followed the procedure found in the link below almost exactly: How to Install and Update OpenSSL on CentOS 6 / CentOS 7.

The only difference was cd openssl-1-1.0.2a needed to be cd openssl-1-1.0.2j

http://www.ehowstuff.com/how-to-install-and-update-openssl-on-centos-6-centos-7/

Regards,

Mark

In reply to Mark Iannone

Re: invalid ssl/tls configuration problem

by AL Rachels -

Thanks for the info Mark,

Those directions worked for me also on my CentOS 7 box with PHP 7. As you noted, I only had to change the "a" to "j" to get it to work.

In reply to Cameron 👨‍🦲🟥⚡️

Re: invalid ssl/tls configuration problem

by Cameron 👨‍🦲🟥⚡️ -
Glad to hear you got it sorted.


I have updated our user docs, but they seem to be stuck waiting for approval...

In reply to Cameron 👨‍🦲🟥⚡️

Re: invalid ssl/tls configuration problem

by Jon Payne -

Hi Cameron,


Is this check just checking for the OpenSSL version to change? I believe we are getting false positives on Red Hat/CentOS, as bug and vulnerability fixes are backported and the build number changes, but not the OpenSSL version itself. The OpenSSL version in RHEL/CentOS remains the same as the version it's shipped with, but changes are being put in, as can be seen by the RPM change log in the package.


Simply running  openssl version  will not tell you which build number you're on, but if you run  yum list installed | grep openssl  you can see which build is installed (listed after the version of openssl). If you run  rpm -q --changelog openssl | less  you can see what issues have been addressed.


Example (from RPM change logs):

* Thu Sep 22 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-60
- fix CVE-2016-2177 - possible integer overflow
- fix CVE-2016-2178 - non-constant time DSA operations
- fix CVE-2016-2179 - further DoS issues in DTLS
- fix CVE-2016-2180 - OOB read in TS_OBJ_print_bio()
- fix CVE-2016-2181 - DTLS1 replay protection and unprocessed records issue
- fix CVE-2016-2182 - possible buffer overflow in BN_bn2dec()
- fix CVE-2016-6302 - insufficient TLS session ticket HMAC length check
- fix CVE-2016-6304 - unbound memory growth with OCSP status request
- fix CVE-2016-6306 - certificate message OOB reads
- mitigate CVE-2016-2183 - degrade all 64bit block ciphers and RC4 to
  112 bit effective strength

* Tue Jun 21 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-58
- replace expired testing certificates

* Fri Apr 29 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-57
- fix CVE-2016-2105 - possible overflow in base64 encoding
- fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder
- fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO

* Thu Apr 07 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-56
- fix 1-byte memory leak in pkcs12 parse (#1312112)
- document some options of the speed command (#1312110)
- fix high-precision timestamps in timestamping authority
- enable SCTP support in DTLS
- use correct digest when exporting keying material in TLS1.2 (#1289620)
- fix CVE-2016-0799 - memory issues in BIO_printf
- add support for setting Kerberos service and keytab in
  s_server and s_client

* Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-55
- fix CVE-2016-0702 - side channel attack on modular exponentiation
- fix CVE-2016-0705 - double-free in DSA private key parsing
- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn
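Jon's point is that on RHEL/CentOS `openssl version` keeps saying 1.0.1e while the fixes arrive as new RPM release numbers (-55, -57, -60 ...), so "is this CVE fixed here?" has to be answered from the package's version-release and its changelog. The script below is an added example, not from this thread or from Red Hat: it parses `rpm -qa` names, indexes the changelog entries by CVE, and compares the installed version-release against the entry that mentions a CVE. rpm_vercmp() is a simplified re-implementation of rpm's segment comparison (no tilde or caret handling) and SAMPLE_CHANGELOG is a constructed excerpt of the entries quoted above; the `rpm -q --qf` / `rpm -q --changelog` invocations in the live path are the only commands it runs.

```python
"""Check an RHEL/CentOS OpenSSL build by RPM release, not `openssl version`.

Added example. rpm_vercmp() is a simplified rpmvercmp (numeric segments
compare numerically, alpha segments lexically, numeric beats alpha).
"""
import re
import shutil
import subprocess
from typing import Dict, Tuple

# Constructed sample: a shortened copy of the changelog entries quoted above.
SAMPLE_CHANGELOG = """\
* Thu Sep 22 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-60
- fix CVE-2016-2177 - possible integer overflow
- fix CVE-2016-6304 - unbound memory growth with OCSP status request
- mitigate CVE-2016-2183 - degrade all 64bit block ciphers and RC4 to
  112 bit effective strength

* Tue Jun 21 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-58
- replace expired testing certificates

* Fri Apr 29 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-57
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder

* Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-55
- fix CVE-2016-0702 - side channel attack on modular exponentiation
"""

ENTRY_HEADER = re.compile(r"^\* \w{3} \w{3} +\d+ \d{4} .*? (\S+)$")
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_nvra(pkg: str) -> Tuple[str, str, str, str]:
    """'openssl-libs-1.0.1e-60.el7.x86_64' -> (name, version, release, arch).
    Version and release never contain '-', so split from the right."""
    name, version, rel_arch = pkg.rsplit("-", 2)
    release, arch = rel_arch.rsplit(".", 1)
    return name, version, release, arch


def rpm_vercmp(a: str, b: str) -> int:
    """-1, 0 or 1 ordering two version (or release) strings like rpm does."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment is "newer"
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def cve_index(changelog: str) -> Dict[str, str]:
    """Map each CVE id to the version-release of the entry that mentions it."""
    index: Dict[str, str] = {}
    current = ""
    for line in changelog.splitlines():
        m = ENTRY_HEADER.match(line)
        if m:
            current = m.group(1)
            continue
        for cve in CVE_ID.findall(line):
            index.setdefault(cve, current)   # changelog is newest first
    return index


def is_fixed(installed_vr: str, fixed_vr: str) -> bool:
    """True when installed 'version-release' >= the fixing 'version-release'.
    The '.el7' dist tag is just extra trailing segments to rpm_vercmp()."""
    iv, ir = installed_vr.rsplit("-", 1)
    fv, fr = fixed_vr.rsplit("-", 1)
    c = rpm_vercmp(iv, fv)
    return c > 0 or (c == 0 and rpm_vercmp(ir, fr) >= 0)


def installed_openssl_vr() -> str:
    """Ask rpm for the real build; `openssl version` hides the release number."""
    if not shutil.which("rpm"):
        raise RuntimeError("rpm not available; pass a version-release string instead")
    out = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "openssl"],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    try:
        vr = installed_openssl_vr()
        log = subprocess.run(["rpm", "-q", "--changelog", "openssl"],
                             capture_output=True, text=True, check=True).stdout
    except (RuntimeError, OSError, subprocess.CalledProcessError):
        vr, log = "1.0.1e-56.el7", SAMPLE_CHANGELOG     # offline demo values
    for cve, fixed in sorted(cve_index(log).items()):
        state = "fixed" if is_fixed(vr, fixed) else "NOT fixed"
        print(f"{cve}: {state} (entry {fixed}, installed {vr})")
```

The same comparison explains why Moodle's environment check cannot be blamed for "false positives" on the OpenSSL side: the check reads what PHP's curl extension reports, which says nothing about the RPM release, so the only reliable signals are the rpm release number and a live TLS 1.2 handshake.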