Reporting is failing when TLSv1.0 is disabled although TLSv1.1 & 1.2 is enabled on server #12751

Closed
julianarnott opened this issue Apr 20, 2018 · 4 comments
Labels
worksforme The issue cannot be reproduced and things work as intended.

Comments

@julianarnott

A recommendation following a recent pen test was to disable TLSv1.0 and use either TLSv1.1 or TLSv1.2 instead.
I actioned this successfully in our test environment, but now reporting fails.
I initially thought this may be down to using an old browser not capable of using 1.1 or 1.2 but I have ruled this out now.
From my understanding, in general the version of TLS used is usually what is specified by the server, or the highest version the app will support.
I changed the SSLProtocol support in the SSL.conf file from
SSLProtocol all -SSLv2
to
SSLProtocol TLSv1.2
and checked in nmap to confirm that TLSv1.0 was blocked, and it was, allowing only TLSv1.1 & 1.2.
With this in mind, it looks as though Matomo/Piwik is only able to use TLSv1.0
Is this correct, or am I missing something?
Many thanks,

Julian

@Findus23
Member

Hi, I am not entirely sure what you mean.

Matomo is a PHP application, so it only generates the HTML that will be returned to the user. TLS, etc. are then done by your webserver. So Matomo neither supports nor fails to support TLS >=1.1.

What exactly doesn't work for you when you only allow TLS 1.1 and 1.2?

@fdellwing
Contributor

As @Findus23 already said, there is no way that Matomo will not work with any SSL version as long as the PHP version that Matomo runs is built with an OpenSSL version that supports that SSL version (and this part is only needed for some things like cURL; most SSL things are handled by the webserver).

@robocoder
Contributor

Disabling TLS 1.0 means losing tracking from older browsers that don't support TLS 1.1 and higher.

https://caniuse.com/#feat=tls1-1
https://caniuse.com/#feat=tls1-2

Also, in some cases, the browser supports the newer TLS but it isn't enabled by default.

And if I'm not mistaken SSLProtocol TLSv1.2 disables TLS 1.1 as well, so your nmap result is suspicious. If you have a proxy in front of your web server, you might want to check that.
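
The `SSLProtocol` behaviour raised in the comment above, as an added example that is not part of the original thread or of Matomo: a small Python model of how mod_ssl evaluates the directive's arguments left to right, applied to the two lines from the report. The function names are hypothetical, and the expansion of `all` is an assumption that depends on the httpd and OpenSSL build in use.

```python
# Added example: models how a mod_ssl SSLProtocol line is evaluated.
# Assumption: ALL is the documented expansion of "all" for OpenSSL 1.0.1+
# builds with SSLv3 available; adjust it for the build under review.
KNOWN = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
ALL = frozenset(KNOWN)
_CANON = {name.lower(): name for name in KNOWN}


def effective_protocols(directive_args, all_set=ALL):
    """Return the protocols left enabled by the arguments of SSLProtocol.

    Tokens are applied left to right: "+X" adds, "-X" removes, and a bare
    token replaces everything set so far.
    """
    enabled = set()
    for token in directive_args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[len(action):].lower()
        if name == "sslv2":
            # Assumption: SSLv2 is not available, so only "-SSLv2" is valid
            if action != "-":
                raise ValueError("SSLv2 is not supported")
            continue
        if name == "all":
            selected = set(all_set)
        elif name in _CANON:
            selected = {_CANON[name]}
        else:
            raise ValueError(f"illegal protocol {token!r}")
        if action == "+":
            enabled |= selected
        elif action == "-":
            enabled -= selected
        else:
            enabled = selected
    return sorted(enabled, key=KNOWN.index)


def legacy_still_enabled(directive_args, floor="TLSv1.1"):
    """List enabled protocols older than `floor` (pen-test finding check)."""
    cutoff = KNOWN.index(floor)
    return [p for p in effective_protocols(directive_args)
            if KNOWN.index(p) < cutoff]


if __name__ == "__main__":
    for line in ("all -SSLv2", "TLSv1.2", "all -SSLv3 -TLSv1"):
        print(f"SSLProtocol {line:<20} -> {effective_protocols(line)}, "
              f"legacy: {legacy_still_enabled(line)}")
```

Under this model a bare `TLSv1.2` leaves only TLS 1.2 enabled, so a scan that still shows TLS 1.1 points at something other than this directive answering the connection.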

@Findus23
Member

As long as your PHP curl is new enough to support it, it should not matter which TLS version you are using.

@Findus23 Findus23 added the worksforme The issue cannot be reproduced and things work as intended. label May 24, 2020