A recommendation following a recent pen test was to disable TLSv1.0 and use either TLSv1.1 or TLSv1.2 instead.
I actioned this successfully in our test environment, but now reporting fails.
I initially thought this may be down to using an old browser not capable of using 1.1 or 1.2, but I have ruled this out now.
From my understanding, in general the version of TLS used is usually what is specified by the server, or the highest version the app will support.
I changed the SSLProtocol support in the SSL.conf file from
SSLProtocol all -SSLv2
and checked in nmap to confirm that TLSv1.0 was blocked, and it was, allowing only TLSv1.1 & 1.2.
With this in mind, it looks as though Matomo/Piwik is only able to use TLSv1.0
Is this correct, or am I missing something?
Hi, I am not entirely sure what you mean.
Matomo is a PHP application, so it only generates the HTML that will be returned to the user. TLS, etc. are then done by your webserver. So Matomo neither supports nor does not support TLS >= 1.1.
What exactly doesn't work for you when you only allow TLS 1.1 and 1.2?
As @Findus23 already said, there is no way that Matomo will not work with any SSL version as long as the PHP version that Matomo runs on is built with an OpenSSL version that supports that SSL version (and this part is only needed for some things like cURL; most SSL things are handled by the webserver).
Disabling TLS 1.0 means losing tracking from older browsers that don't support TLS 1.1 and higher.
Also, in some cases, the browser supports the newer TLS but it isn't enabled by default.
And if I'm not mistaken, SSLProtocol TLSv1.2 disables TLS 1.1 as well, so your nmap result is suspicious. If you have a proxy in front of your web server, you might want to check that.
As long as your PHP curl is new enough to support it, it should not matter which TLS version you are using.
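To make the SSLProtocol point above concrete, here is an added illustration (not a post from this thread, and not Matomo project configuration) of the original directive, the over-tightened form, and an explicit allow-list for Apache 2.4 mod_ssl; the hostname in the verification commands is a placeholder.

```apache
# Added example, not from the thread. Assumes Apache 2.4 with mod_ssl and an
# OpenSSL build that offers TLSv1.0 through TLSv1.2 (TLSv1.3 if available).

# 1) The setting quoted in the question: "all" minus SSLv2. On a build that
#    still offers them, SSLv3 and TLSv1.0 remain enabled, which is what the
#    pen test flagged.
# SSLProtocol all -SSLv2

# 2) Over-tightened: a bare version keyword enables ONLY that version, so
#    this silently drops TLSv1.1 as well as 1.0 (the point made in the reply
#    above). If nmap still reports TLSv1.1 with this line in place, the TLS
#    endpoint nmap is talking to is probably not this Apache (e.g. a proxy).
# SSLProtocol TLSv1.2

# 3) Matches the recommendation: keep everything, then subtract the old
#    protocols. TLSv1.3 stays available on builds that have it.
SSLProtocol all -SSLv2 -SSLv3 -TLSv1

# Equivalent explicit allow-list (note: this form would also exclude TLSv1.3):
# SSLProtocol -all +TLSv1.1 +TLSv1.2

# Verification after "apachectl -t" and a graceful reload; the first command
# must fail with a handshake error, the second must complete:
#   openssl s_client -connect example.internal:443 -tls1
#   openssl s_client -connect example.internal:443 -tls1_1
```

Put the directive in the server context or in every SSL virtual host that shares the IP:port, so a default vhost does not keep a looser setting than the one you tested.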