Search moodle.org's
Developer Documentation

See Release Notes

  • Bug fixes for general core bugs in 4.3.x will end 7 October 2024 (12 months).
  • Bug fixes for security issues in 4.3.x will end 21 April 2025 (18 months).
  • PHP version: minimum PHP 8.0.0 Note: minimum PHP version has increased since Moodle 4.1. PHP 8.2.x is supported too.
   1  <?php
   2  // This file is part of Moodle - http://moodle.org/
   3  //
   4  // Moodle is free software: you can redistribute it and/or modify
   5  // it under the terms of the GNU General Public License as published by
   6  // the Free Software Foundation, either version 3 of the License, or
   7  // (at your option) any later version.
   8  //
   9  // Moodle is distributed in the hope that it will be useful,
  10  // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  // GNU General Public License for more details.
  13  //
  14  // You should have received a copy of the GNU General Public License
  15  // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  16  
  17  /**
  18   * PayPal enrolment plugin utility class.
  19   *
  20   * @package    core
  21   * @copyright  2016 Cameron Ball <cameron@cameron1729.xyz>
  22   * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  23   */
  24  
  25  namespace core\upgrade;
  26  
  27  defined('MOODLE_INTERNAL') || die();
  28  
  29  /**
  30   * Core upgrade utility class.
  31   *
  32   * @package   core
  33   * @copyright 2016 Cameron Ball <cameron@cameron1729.xyz>
  34   * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  35   */
  36  final class util {
  37  
  38      /**
  39       * Gets the minimum version of a SSL/TLS library required for TLS 1.2 support.
  40       *
  41       * @param  string $sslflavour The SSL/TLS library
  42       * @return string|false The version string if it exists. False otherwise
  43       */
  44      private static function get_min_ssl_lib_version_for_tls12($sslflavour) {
  45          // Min versions for TLS 1.2.
  46          $versionmatrix = [
  47              'OpenSSL' => '1.0.1c',
  48              'GnuTLS' => '1.7.1',
  49              'NSS' => '3.15.1', // This number is usually followed by something like "Basic ECC".
  50              'CyaSSL' => '1.1.0',
  51              'wolfSSL' => '1.1.0',
  52              'PolarSSL' => '1.2.0',
  53              'WinSSL' => '*', // Does not specify a version but needs Windows >= 7.
  54              'SecureTransport' => '*' // Does not specify a version but needs iOS >= 5.0 or OS X >= 10.8.0.
  55          ];
  56  
  57          return isset($versionmatrix[$sslflavour]) ? $versionmatrix[$sslflavour] : false;
  58      }
  59  
  60      /**
  61       * Validates PHP/cURL extension for use with SSL/TLS.
  62       *
  63       * @param  array $curlinfo array of cURL information as returned by curl_version()
  64       * @param  int   $zts 0 or 1 as defined by PHP_ZTS
  65       * @return bool
  66       */
  67      public static function validate_php_curl_tls(array $curlinfo, $zts) {
  68          if (empty($curlinfo['ssl_version'])) {
  69              return false;
  70          }
  71  
  72          $flavour = explode('/', $curlinfo['ssl_version'])[0];
  73          // In threadsafe mode the only valid choices are OpenSSL and GnuTLS.
  74          if ($zts === 1 && $flavour != 'OpenSSL' && $flavour !== 'GnuTLS') {
  75              return false;
  76          }
  77  
  78          return true;
  79      }
  80  
  81      /**
  82       * Tests if the system is capable of using TLS 1.2 for requests.
  83       *
  84       * @param  array  $curlinfo array of cURL information as returned by curl_version()
  85       * @param  string $uname server uname
  86       * @return bool
  87       */
  88      public static function can_use_tls12(array $curlinfo, $uname) {
  89          // Do not compare the cURL version, e.g. $curlinfo['version_number'], with v7.34.0 (467456):
  90          // some Linux distros backport security issues and keep lower version numbers.
  91          if (!defined('CURL_SSLVERSION_TLSv1_2')) {
  92              return false;
  93          }
  94  
  95          $sslversion = explode('/', $curlinfo['ssl_version']);
  96          // NSS has a space in the version number 😦.
  97          $flavour = explode(' ', $sslversion[0])[0];
  98          $version = count($sslversion) == 2 ? $sslversion[1] : null;
  99  
 100          $minversion = self::get_min_ssl_lib_version_for_tls12($flavour);
 101          if (!$minversion) {
 102              return false;
 103          }
 104  
 105          // Special case (see $versionmatrix above).
 106          if ($flavour == 'WinSSL') {
 107              return $uname >= '6.1';
 108          }
 109  
 110          // Special case (see $versionmatrix above).
 111          if ($flavour == 'SecureTransport') {
 112              return $uname >= '10.8.0';
 113          }
 114  
 115          return $version >= $minversion;
 116      }
 117  }