MNET with OpenSSL 3

Posted by Patrick Lemaire
Number of replies: 12
Hi,
This summer is the period of platform updates for many of us. I had to change server (Debian 12 Bookworm) in which the version of OpenSSL integrated is v3(.0.9 for me).
However, on platforms running Moodle 4.1.4 with MNET, the connection no longer works, displaying an 'opensslsealerror' message.

I've done some research and it seems that OpenSSL v3 no longer uses the RC4 encryption algorithm. I've tried changing the OpenSSL configuration (by adding legacy providers) but it still doesn't work. I've looked to see if there's a way to downgrade but it seems not.
Surprisingly, a Moodle 3.9 platform on the same server did not encounter the problem!

I'm still using PHP7.4 at the moment but I don't know if moving to PHP8.0 would improve things.

Has anyone found a solution?

RC4 seems obsolete (see MDL-73518) but not supported with recent server distributions.

Thanks for any help,
Patrick

Average of ratings: -
In reply to Patrick Lemaire

Re: MNET with OpenSSL 3

Posted by Patrick Lemaire
There is a related bug mentioned here : https://github.com/nextcloud/server/issues/32003
The workaround didn't work for me 😥

Here is a screenshot of the error when I use MNET (in "Manage peers" and try to display "Services" from one peer):

In reply to Patrick Lemaire

Re: MNET with OpenSSL 3

Posted by Patrick Lemaire
Hi,
No new leads and people are coming back from holidays, so I'll have to find an alternative.
LTI seemed the fastest solution, but the context in which MNET was used made it almost unavoidable.

If you find yourself in this situation, don't hesitate to write to us here. I'll feel less alone 😔

Patrick
Average of ratings: Useful (1)
In reply to Patrick Lemaire

Re: MNET with OpenSSL 3

Posted by Olivier Beytrison
Hi Patrick,

We ran into the same issue on our new platforms running Ubuntu 22.04 LTS. RC4 is disabled by default.

But applying the change in the link you posted and restarting php-fpm solved the issue.

Be sure to change that in the system openssl.cnf file. You can refer to "php --info | grep -i openssl" to find it.

At least thanks for pointing that out. Solved our issue ;)
In reply to Olivier Beytrison

Re: MNET with OpenSSL 3

Posted by Patrick Lemaire
Great! Happy you found a solution. I'm already glad someone answered me 🥰

I don't use PHP-FPM. I don't know if I should.

# php --info | grep -i openssl
SSL Version => OpenSSL/3.0.9
openssl
OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 3.0.9 30 May 2023
OpenSSL Header Version => OpenSSL 3.0.9 30 May 2023
Openssl default config => /usr/lib/ssl/openssl.cnf
openssl.cafile => no value => no value
openssl.capath => no value => no value
Native OpenSSL support => enabled
And /usr/lib/ssl/openssl.cnf -> /etc/ssl/openssl.cnf

So I have modified the correct configuration file from the start 😢😭


In reply to Patrick Lemaire

Re: MNET with OpenSSL 3

Posted by Olivier Beytrison
So if you try this command :

echo -ne "test" | openssl rc4-40 -K 7465737473 -nosalt -e -nopad | xxd

you should get "00000000: dd9b 5cb9" as an output.
If RC4 is still disabled you will have the following error:
Error setting cipher RC4-40
80EB180AEA7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC4-40 : 0), Properties ()

Can you share your /etc/ssl/openssl.cnf?
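The CLI check above depends on the legacy provider actually being loaded by the openssl binary. As an added example (not code from the thread or from Moodle), here is a pure-Python RC4 that reproduces the same computation independently of any provider: `rc4-40` in OpenSSL is plain RC4 with a 5-byte key, and `-K 7465737473` is that key in hex (the ASCII bytes of "tests"). The function and constant names are this example's own; the implementation is checked against the public "Key"/"Plaintext" RC4 test vector, and the value it is compared with is the one Olivier's post reports.

```python
# Added example (not the thread's code): a pure-Python RC4 to reproduce the
# expected output of the `openssl rc4-40` check independently of which OpenSSL
# provider is loaded. Verified against the public "Key"/"Plaintext" test vector.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` keystream bytes for `key` (RC4 KSA followed by PRGA)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):                    # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                 # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


# The thread's check: echo -ne "test" | openssl rc4-40 -K 7465737473 -nosalt -e -nopad
# `rc4-40` is plain RC4 with a 5-byte (40-bit) key; -K supplies that key in hex.
THREAD_KEY = bytes.fromhex("7465737473")        # the ASCII bytes of "tests"
THREAD_PLAINTEXT = b"test"
THREAD_REPORTED_HEX = "dd9b5cb9"                # "00000000: dd9b 5cb9" in Olivier's post


def thread_vector_hex() -> str:
    """Hex of RC4-40("test") under the thread's key, as xxd prints it without spaces."""
    return rc4(THREAD_KEY, THREAD_PLAINTEXT).hex()


def matches_thread_report() -> bool:
    """True when this reference agrees with the output the post says a working provider gives."""
    return thread_vector_hex() == THREAD_REPORTED_HEX


if __name__ == "__main__":
    print("reference RC4-40 output:", thread_vector_hex())
    print("matches the thread's reported value:", matches_thread_report())
```

If the CLI prints the same bytes as this reference, RC4 is reachable from the libcrypto that the openssl binary loads; PHP may still load a different libcrypto or a different configuration file, which is why the `php --info | grep -i openssl` check in the previous reply matters.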
In reply to Olivier Beytrison

Re: MNET with OpenSSL 3

Posted by Patrick Lemaire
# echo -ne "test" | openssl rc4-40 -K 7465737473 -nosalt -e -nopad | xxd
00000000: dd9b 5cb9                                ..\.

RC4 seems enabled.

See my openssl.cnf in attachment.

With this PHP script (from https://www.php.net/manual/en/function.openssl-get-cipher-methods.php):

<?php
$ciphers             = openssl_get_cipher_methods();
$ciphers_and_aliases = openssl_get_cipher_methods(true);
$cipher_aliases      = array_diff($ciphers_and_aliases, $ciphers);
/* The rc2/rc4/md5 filters are commented out so that RC4 stays visible in the listing
$ciphers = array_filter( $ciphers, function($c) { return stripos($c,"rc2")===FALSE; } );
$ciphers = array_filter( $ciphers, function($c) { return stripos($c,"rc4")===FALSE; } );
$ciphers = array_filter( $ciphers, function($c) { return stripos($c,"md5")===FALSE; } );*/
$cipher_aliases = array_filter($cipher_aliases,function($c) { return stripos($c,"des")===FALSE; } );
$cipher_aliases = array_filter($cipher_aliases,function($c) { return stripos($c,"rc2")===FALSE; } );
print_r($ciphers);
print_r($cipher_aliases);

I have this result:

Array
(
    [0] => aes-128-cbc
    [1] => aes-128-cbc-hmac-sha1
    [2] => aes-128-cbc-hmac-sha256
    [3] => aes-128-ccm
...
    [120] => id-aes256-GCM
    [121] => id-aes256-wrap
    [122] => id-aes256-wrap-pad
    [123] => id-smime-alg-CMS3DESwrap
    [124] => rc2-40-cbc
    [125] => rc2-64-cbc
    [126] => rc2-cbc
    [127] => rc2-cfb
    [128] => rc2-ecb
    [129] => rc2-ofb
    [130] => rc4
    [131] => rc4-40
    [132] => rc4-hmac-md5
    [133] => seed-cbc
    [134] => seed-cfb
    [135] => seed-ecb
    [136] => seed-ofb
    [137] => sm4-cbc
    [138] => sm4-cfb
    [139] => sm4-ctr
    [140] => sm4-ecb
    [141] => sm4-ofb
)
Array
(
    [36] => aes128
    [37] => aes128-wrap
    [38] => aes192
    [39] => aes192-wrap
    [40] => aes256
    [41] => aes256-wrap
    [69] => aria128
    [70] => aria192
    [71] => aria256
    [72] => bf
    [77] => blowfish
    [99] => camellia128
    [100] => camellia192
    [101] => camellia256
    [102] => cast
    [103] => cast-cbc
    [159] => seed
    [164] => sm4
)

This tells me that RC4 is enabled on the server. No aliases, but I don't know if this is important.

Big thanks for your support and help.

In reply to Patrick Lemaire

Re: MNET with OpenSSL 3

Posted by Olivier Beytrison
Your openssl.cnf looks fine.

I've written a small PHP script which is basically a copy of mnet/lib.php to test the openssl_seal feature. You can drop it on your server and run it on the command line:
https://gist.github.com/olivierbeytrison/e4180a39401e00f6b9ccd2c7c1c33cbc

If it works you should get something like that :

-- openssl_seal result --
int(22)
-- symmetric keys --
AQkZVX3ffJqWodBAIUDwfG5jbOvhU9JxJCLX6BYpr5hDWNeWAmsJmImfeIBSMcicymVsLPydHZQsTJmU2lGM6r67I4mhhiXEmueoyH+g1AtNbU/rgZbkfUorJFL129BPgcqqBfwLUdMqal+u/LKFsrx/xGtn/t0skixBaa9/FOd+EiKxcjXF6aONuccNmOMRf5FgY36gZYo0tU7yJttY0RsWbNmBnBV6YM4ROFArIXc6EcQJhHw3qOGnlZvxPFpD8ktsFT6LPikvtxGJ6VpY2wpwv6ClxAwCrBmtepdUg3QzW0Oz6kGk0E3PwotZboO/2VIcOd6gAR2xzK7alitUOA==
-- public key --
object(OpenSSLAsymmetricKey)#1 (0) {
}
-- XML message. Check for CipherValues --
<?xml version="1.0" encoding="iso-8859-1"?>
<encryptedMessage>
    <EncryptedData Id="ED" xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#arcfour"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:RetrievalMethod URI="#EK" Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"/>
            <ds:KeyName>XMLENC</ds:KeyName>
        </ds:KeyInfo>
        <CipherData>
            <CipherValue>W88RYCyuG7X7OSzI3tbWopng7PndKw==</CipherValue>
        </CipherData>
    </EncryptedData>
    <EncryptedKey Id="EK" xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:KeyName>SSLKEY</ds:KeyName>
        </ds:KeyInfo>
        <CipherData>
            <CipherValue>AQkZVX3ffJqWodBAIUDwfG5jbOvhU9JxJCLX6BYpr5hDWNeWAmsJmImfeIBSMcicymVsLPydHZQsTJmU2lGM6r67I4mhhiXEmueoyH+g1AtNbU/rgZbkfUorJFL129BPgcqqBfwLUdMqal+u/LKFsrx/xGtn/t0skixBaa9/FOd+EiKxcjXF6aONuccNmOMRf5FgY36gZYo0tU7yJttY0RsWbNmBnBV6YM4ROFArIXc6EcQJhHw3qOGnlZvxPFpD8ktsFT6LPikvtxGJ6VpY2wpwv6ClxAwCrBmtepdUg3QzW0Oz6kGk0E3PwotZboO/2VIcOd6gAR2xzK7alitUOA==</CipherValue>
        </CipherData>
        <ReferenceList>
            <DataReference URI="#ED"/>
        </ReferenceList>
        <CarriedKeyName>XMLENC</CarriedKeyName>
    </EncryptedKey>
    <wwwroot></wwwroot>
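The `EncryptionMethod` elements in that output are where the RC4 dependency lives: the payload is sealed with `xmlenc#arcfour` and the session key is wrapped with `xmlenc#rsa-1_5`, both of which OpenSSL 3 treats as legacy or deprecated. As an added example (not part of the thread, the gist, or Moodle), here is a small inspector that parses an MNET-style `encryptedMessage` and reports which algorithms it relies on, so an admin can see what re-enabling the legacy provider is keeping alive. The sample message is constructed to mirror the structure above, with placeholder cipher values; the `WEAK_ALGORITHMS` table and function names are this example's own.

```python
# Added example (not the thread's or Moodle's code): list the encryption
# algorithms an MNET-style encryptedMessage depends on.
import xml.etree.ElementTree as ET

XMLENC = "http://www.w3.org/2001/04/xmlenc#"

# Example's own table of XML Encryption algorithm URIs worth flagging.
WEAK_ALGORITHMS = {
    XMLENC + "arcfour": "RC4 stream cipher (served only by the OpenSSL 3 legacy provider)",
    XMLENC + "rsa-1_5": "RSA PKCS#1 v1.5 key transport (deprecated)",
}

# Constructed sample modelled on the thread's output; cipher values are placeholders.
SAMPLE_MESSAGE = b"""<?xml version="1.0" encoding="iso-8859-1"?>
<encryptedMessage>
  <EncryptedData Id="ED" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#arcfour"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:RetrievalMethod URI="#EK" Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"/>
      <ds:KeyName>XMLENC</ds:KeyName>
    </ds:KeyInfo>
    <CipherData><CipherValue>CONSTRUCTED-PAYLOAD==</CipherValue></CipherData>
  </EncryptedData>
  <EncryptedKey Id="EK" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyName>SSLKEY</ds:KeyName></ds:KeyInfo>
    <CipherData><CipherValue>CONSTRUCTED-WRAPPED-KEY==</CipherValue></CipherData>
    <ReferenceList><DataReference URI="#ED"/></ReferenceList>
    <CarriedKeyName>XMLENC</CarriedKeyName>
  </EncryptedKey>
  <wwwroot>https://example.invalid/moodle</wwwroot>
</encryptedMessage>
"""

# Same structure with modern algorithms, for contrast (also constructed).
MODERN_MESSAGE = SAMPLE_MESSAGE.replace(b"#arcfour", b"#aes256-cbc").replace(
    b"#rsa-1_5", b"#rsa-oaep-mgf1p")


def encryption_methods(xml_bytes: bytes) -> dict:
    """Map each EncryptedData/EncryptedKey Id to its EncryptionMethod Algorithm URI."""
    # Messages from peers are untrusted input; use defusedxml in production parsers.
    root = ET.fromstring(xml_bytes)
    found = {}
    for tag in ("EncryptedData", "EncryptedKey"):
        for el in root.iter("{%s}%s" % (XMLENC, tag)):
            method = el.find("{%s}EncryptionMethod" % XMLENC)
            found[el.get("Id")] = method.get("Algorithm") if method is not None else None
    return found


def weak_methods(xml_bytes: bytes) -> dict:
    """Subset of encryption_methods() whose algorithm is in WEAK_ALGORITHMS, with a reason."""
    return {eid: WEAK_ALGORITHMS[alg]
            for eid, alg in encryption_methods(xml_bytes).items()
            if alg in WEAK_ALGORITHMS}


if __name__ == "__main__":
    for eid, reason in weak_methods(SAMPLE_MESSAGE).items():
        print("%s: %s" % (eid, reason))
```

Run against the sample it flags both `ED` (RC4) and `EK` (RSA PKCS#1 v1.5); the `MODERN_MESSAGE` variant flags nothing. The check only reads algorithm identifiers, so it works on captured messages without any key material.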
In reply to Olivier Beytrison

Re: MNET with OpenSSL 3

Posted by Patrick Lemaire
Thanks for your help 🥰

I launched the script and had this:
-- openssl_seal result --
int(22)
-- symmetric keys --
LWuL2W3LqasxVhAKaQauJeL7SifYvgN+Bd6N6kqHCKkPqY60ua1BVpPXrDlvuMg4AtuK9vrGDmoSC+d8Y3Zzc6KcE/HzSU7A0eneNGi8FLdny9Og5wSrxIr21v3QNLcrJSUJaHz79rBBak+5FHmPP89rGU5ZyvSJIX5/0JZooKrGcuklaFU7MqITjI/Jdv/XS8cUTzilZAxgjrJF4G5+uBSpjl8SFAW+2ifn6rhHLxjbxCXygDnQSe8LYgwNb5WcpglyDF+jdsn6gssN+TCfG34vn036o2DqNNBI0OmYNPaE9Dzsh3NZ1gj4EDTT+rRNZV9rTfKPGbcZgGasMumcHA==
-- public key --
resource(4) of type (OpenSSL key)
-- XML message. Check for CipherValues --
<?xml version="1.0" encoding="iso-8859-1"?>
<encryptedMessage>
    <EncryptedData Id="ED" xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#arcfour"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:RetrievalMethod URI="#EK" Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"/>
            <ds:KeyName>XMLENC</ds:KeyName>
        </ds:KeyInfo>
        <CipherData>
            <CipherValue>j/wiryi3Exu+zIHPy98zD6IWhII74w==</CipherValue>
        </CipherData>
    </EncryptedData>
    <EncryptedKey Id="EK" xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:KeyName>SSLKEY</ds:KeyName>
        </ds:KeyInfo>
        <CipherData>
            <CipherValue>LWuL2W3LqasxVhAKaQauJeL7SifYvgN+Bd6N6kqHCKkPqY60ua1BVpPXrDlvuMg4AtuK9vrGDmoSC+d8Y3Zzc6KcE/HzSU7A0eneNGi8FLdny9Og5wSrxIr21v3QNLcrJSUJaHz79rBBak+5FHmPP89rGU5ZyvSJIX5/0JZooKrGcuklaFU7MqITjI/Jdv/XS8cUTzilZAxgjrJF4G5+uBSpjl8SFAW+2ifn6rhHLxjbxCXygDnQSe8LYgwNb5WcpglyDF+jdsn6gssN+TCfG34vn036o2DqNNBI0OmYNPaE9Dzsh3NZ1gj4EDTT+rRNZV9rTfKPGbcZgGasMumcHA==</CipherValue>
        </CipherData>
        <ReferenceList>
            <DataReference URI="#ED"/>
        </ReferenceList>
        <CarriedKeyName>XMLENC</CarriedKeyName>
    </EncryptedKey>
    <wwwroot></wwwroot>

It sounds like everything is good?

Even if the Cipher values are not exactly the same.

In reply to Patrick Lemaire

Re: MNET with OpenSSL 3

Posted by Olivier Beytrison
Well yes it seems everything works fine on your installation.

So you should be able to test the MNet communication. Don't forget to correctly "subscribe" on the function on both IdP and SP side of remote sites.
In reply to Patrick Lemaire

Re: MNET with OpenSSL 3

Posted by jen mosca
Does anybody know how to solve the issue "OpenSSL unable to seal data"?
We have Moodle 4.2 and the issue persists. It’s very frustrating not to know how to enable this service.

We are running Ubuntu 22.04 with Digitalocean.
Any suggestions, or someone who already has a clue for this?

Thanks
In reply to jen mosca

Re: MNET with OpenSSL 3

Posted by Olivier Beytrison
Well the answer is in the previous messages. But in short :

Edit /etc/ssl/openssl.cnf

Find the following section :

# List of providers to load
[provider_sect]
default = default_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect
# If no providers are activated explicitly, the default one is activated implicitly.
# See man 7 OSSL_PROVIDER-default for more details.
#
# If you add a section explicitly activating any other provider(s), you most
# probably need to explicitly activate the default provider, otherwise it
# becomes unavailable in openssl.  As a consequence applications depending on
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.
[default_sect]
# activate = 1

And change it that way :

# List of providers to load
[provider_sect]
default = default_sect
legacy = legacy_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect

# If no providers are activated explicitly, the default one is activated implicitly.
# See man 7 OSSL_PROVIDER-default for more details.
#
# If you add a section explicitly activating any other provider(s), you most
# probably need to explicitly activate the default provider, otherwise it
# becomes unavailable in openssl.  As a consequence applications depending on
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.
[default_sect]
activate = 1

[legacy_sect]
activate = 1

Then restart apache2 or php-fpm, and try again.

You can also test the script I posted in my previous message to test if your php installation can seal a message with RC4

HTH

Olivier

Average of ratings: Useful (1)
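The comment block in that config spells out the trap: once any provider is activated explicitly, the default provider is no longer activated implicitly, so a config that adds `legacy_sect` but leaves `activate = 1` commented out under `[default_sect]` breaks everything else that uses OpenSSL. As an added example (not part of the thread or of Debian/Ubuntu's packaging), here is a small checker that parses an openssl.cnf, reports whether the legacy provider is listed and activated and whether the default provider is still explicitly active, and applies the change shown above to the stock layout. The two sample configs are constructed to mirror the before/after in the post (trimmed to the provider-related lines); all function names are this example's own.

```python
# Added example (not the thread's code): check and apply the legacy-provider
# change in an OpenSSL 3 openssl.cnf, including the "default no longer implicit" trap.
import re

SECTION_RE = re.compile(r"^\[\s*([^\]]+?)\s*\]$")


def parse_openssl_cnf(text: str) -> dict:
    """Minimal openssl.cnf reader: {section: {key: value}}. '#' starts a comment."""
    sections = {"": {}}          # keys before the first [section] live under ""
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def provider_status(text: str) -> dict:
    """Which providers the config lists and which are explicitly activated."""
    cfg = parse_openssl_cnf(text)
    init_name = cfg[""].get("openssl_conf", "openssl_init")
    prov_name = cfg.get(init_name, {}).get("providers", "provider_sect")
    providers = cfg.get(prov_name, {})

    def active(name: str) -> bool:
        sect = providers.get(name)
        return sect is not None and cfg.get(sect, {}).get("activate") == "1"

    others_active = any(active(p) for p in providers if p != "default")
    return {
        "legacy_listed": "legacy" in providers,
        "legacy_active": active("legacy"),
        "default_explicit": active("default"),
        # Explicitly activating any provider ends the implicit activation of
        # 'default'; that is the situation the config's own comment warns about.
        "default_at_risk": others_active and not active("default"),
    }


def legacy_ready(text: str) -> bool:
    """True when legacy is active AND default is still explicitly active."""
    s = provider_status(text)
    return s["legacy_active"] and s["default_explicit"]


def enable_legacy_provider(text: str) -> str:
    """Apply the thread's edit to the stock Debian/Ubuntu layout; no-op if already ready."""
    if legacy_ready(text):
        return text
    status = provider_status(text)
    out, section = [], ""
    for raw in text.splitlines():
        stripped = raw.strip()
        m = SECTION_RE.match(stripped.split("#", 1)[0].strip())
        if m:
            section = m.group(1)
            out.append(raw)
            continue
        if section == "provider_sect" and not status["legacy_listed"] \
                and re.match(r"^default\s*=", stripped):
            out.append(raw)
            out.append("legacy = legacy_sect")        # list the legacy provider
            continue
        if section == "default_sect" and not status["default_explicit"] \
                and re.match(r"^#\s*activate\s*=\s*1\s*$", stripped):
            out.append("activate = 1")                # keep default explicitly active
            continue
        out.append(raw)
    if not status["legacy_active"]:
        out += ["", "[legacy_sect]", "activate = 1"]
    return "\n".join(out) + "\n"


# Constructed samples mirroring the stock layout quoted in the post (provider lines only).
STOCK_CNF = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

# List of providers to load
[provider_sect]
default = default_sect
# fips = fips_sect

[default_sect]
# activate = 1
"""

# The half-done edit: legacy activated, default left commented out.
HALF_DONE_CNF = STOCK_CNF.replace("default = default_sect\n",
                                  "default = default_sect\nlegacy = legacy_sect\n") \
                         + "\n[legacy_sect]\nactivate = 1\n"

if __name__ == "__main__":
    print(provider_status(STOCK_CNF))
    print(provider_status(HALF_DONE_CNF))
    print(enable_legacy_provider(STOCK_CNF))
```

`provider_status` reads the real file just as well (`provider_status(open("/etc/ssl/openssl.cnf").read())`), and a `default_at_risk` of `True` is the state to fix before restarting Apache or php-fpm. Remember that the file PHP loads is the one `php --info | grep -i openssl` reports as "Openssl default config", which may differ from the one the openssl binary uses.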