Not sure if this is the right place, so forgive me if not.
I was trying to implement LTI sharing (both ends) in my all-new Moodle 4.5 installation. This failed exactly as described in https://moodle.org/mod/forum/discuss.php?d=433995. This is because on my Windows server, the default SSL config file directory is underneath the PHP installation directory, where I certainly do not want to allow access for the IUSR user (which is the one IIS happens to run with).
However, the proposed fix (setting $CFG->opensslcnf) doesn't work, as this configuration option is used inconsistently in Moodle 4.5.
It works as expected for mnet, as there is the following code there (e.g. mnet/lib.php):
    if (!empty($CFG->opensslcnf)) {
        // allow specification of openssl.cnf especially for Windows installs
        $new_key = openssl_pkey_new(array("config" => $CFG->opensslcnf));
    } else {
        $new_key = openssl_pkey_new();
    }
However, in all other places, $CFG->opensslcnf is not used. For example (mod\lti\upgradelib.php):
    $config = array(
        "digest_alg" => "sha256",
        "private_key_bits" => 2048,
        "private_key_type" => OPENSSL_KEYTYPE_RSA,
    );
    $res = openssl_pkey_new($config);
I did not see any other solution than patching the core source:
    $config = [
        "digest_alg" => "sha256",
        "private_key_bits" => 2048,
        "private_key_type" => OPENSSL_KEYTYPE_RSA,
    ] + (empty($CFG->opensslcnf) ? [] : ["config" => $CFG->opensslcnf]);
I would suggest that all occurrences of openssl_pkey_new(), openssl_csr_new(), openssl_csr_sign(), openssl_pkcs12_export() and openssl_pkcs12_create() should be fixed accordingly.
Or is there a better solution I overlooked?
Regards, Christoph
PS: I also tried to set the Windows global environment variable OPENSSL_CONF, but it did not work, and also I wouldn't want to change the value for all applications running on my host.
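The post above patches one call site by hand. The following is an added example (not Moodle core code and not from the poster) showing how the same idea can be centralised: one small helper merges the caller's OpenSSL options with $CFG->opensslcnf, so every call that accepts a "config" option (openssl_pkey_new(), openssl_pkey_export(), openssl_csr_new(), openssl_csr_sign()) reads the configured openssl.cnf from a path the web server account is allowed to reach, instead of PHP's default directory. The helper name lti_openssl_config(), the stand-alone $CFG fallback and the placeholder path are assumptions for illustration only.

```php
<?php
// Added example, not part of Moodle. Assumes Moodle's $CFG global is loaded;
// the fallback below only exists so the script runs stand-alone.
if (!isset($CFG)) {
    $CFG = (object) [
        // PLACEHOLDER: point this at an openssl.cnf readable by the IIS account.
        'opensslcnf' => 'C:\\path\\to\\openssl.cnf',
    ];
}

/**
 * Merge the caller's OpenSSL options with the site-wide config file path.
 * (hypothetical helper name for this example)
 *
 * @param array $options base options such as digest_alg / private_key_bits
 * @return array the options, plus "config" when $CFG->opensslcnf is set
 */
function lti_openssl_config(array $options = []): array {
    global $CFG;
    if (!empty($CFG->opensslcnf)) {
        // Only add "config" when a path is configured. Without it PHP looks for
        // openssl.cnf in its default (installation) directory, which is exactly
        // the location the web server account should not need to read.
        $options['config'] = $CFG->opensslcnf;
    }
    return $options;
}

// 1. Key-pair generation as done by mod/lti, now honouring $CFG->opensslcnf.
$res = openssl_pkey_new(lti_openssl_config([
    'digest_alg'       => 'sha256',
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]));
if ($res === false) {
    // Fail loudly with the OpenSSL error rather than continuing with a false handle.
    throw new RuntimeException('openssl_pkey_new failed: ' . openssl_error_string());
}

// 2. Exporting the private key takes the same "config" option.
if (!openssl_pkey_export($res, $privatekey, null, lti_openssl_config())) {
    throw new RuntimeException('openssl_pkey_export failed: ' . openssl_error_string());
}

// 3. CSR creation and self-signing accept the same option array, so the
//    helper covers the remaining call sites named in the post as well.
$dn = ['commonName' => 'example-lti-tool']; // constructed sample subject
$csr = openssl_csr_new($dn, $res, lti_openssl_config(['digest_alg' => 'sha256']));
if ($csr === false) {
    throw new RuntimeException('openssl_csr_new failed: ' . openssl_error_string());
}
$cert = openssl_csr_sign($csr, null, $res, 365, lti_openssl_config(['digest_alg' => 'sha256']));
if ($cert === false) {
    throw new RuntimeException('openssl_csr_sign failed: ' . openssl_error_string());
}
openssl_x509_export($cert, $pem);

echo "Generated key (" . strlen($privatekey) . " bytes PEM) and self-signed cert:\n";
echo $pem;
```

Because the helper returns a plain array, it can be dropped into existing calls such as openssl_pkey_new($config) by wrapping the array rather than rewriting each call; the config file itself can then live in a directory with a tight ACL that grants only the web server account read access.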