@mattab opened this Issue on December 5th 2010 Member

For update checks, add a config file setting allowing connection to https://api.piwik.org

We have booked the SSL certificate for api.piwik.org.

To do:

  • sysadmin configuration of the SSL on api.piwik.org
  • add a config file setting, similar to force_ssl_login that would force ssl connection to the host: force_ssl_update_check

@robocoder commented on December 5th 2010 Contributor

The second part should probably be to override api_service_url (which is already defined in global.ini.php).

@robocoder commented on December 5th 2010 Contributor

Piwik_Http supports http over curl, stream (allow_url_fopen=On), and sockets.

However, for https, we have some inconsistency in behaviour:

  • curl - supports https, but verifies the host and peer, by default (i.e., CURLOPT_SSL_VERIFYHOST => 2, CURLOPT_SSL_VERIFYPEER => true)
  • stream - supports https, but does not verify the peer
  • sockets - no support for https

I recommend the SSL option only be offered if Piwik_Http::getTransportMethod() == 'curl'.

@robocoder commented on December 5th 2010 Contributor

Hmm... just noticed that my php 5.2.13 build for Windows doesn't have any CA's configured, so it's failing on the Feedburner stats.

@robocoder commented on December 5th 2010 Contributor

Replying to vipsoft:

Hmm... just noticed that my php 5.2.13 build for Windows doesn't have any CA's configured, so it's failing on the Feedburner stats.

Correction: doesn't have the latest CAs.

The workaround would be to download the CA certs from http://curl.haxx.se/docs/caextract.html, and add a curl opt:

    CURLOPT_CAINFO => PIWIK_INCLUDE_PATH . '/core/DataFiles/cacert.pem',

Not sure how we could detect this at runtime.
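
An added example (not part of the original comments and not Piwik's code): the curl and stream transports discussed above, with verification turned on for both and a local CA bundle passed only when the file is readable. The `CA_BUNDLE` path and all function names are hypothetical; the stream options `verify_peer_name` and `peer_name` assume PHP 5.6 or later, and the type hints assume PHP 7.1 or later.

```php
<?php
// Hypothetical bundle location; the thread suggests core/DataFiles/cacert.pem.
const CA_BUNDLE = __DIR__ . '/cacert.pem';

// Return the bundle path only if it can actually be read at runtime.
function caBundleIfUsable(string $path): ?string
{
    return (is_file($path) && is_readable($path)) ? $path : null;
}

// curl: keep host and peer verification on; add CAINFO only when available.
function curlTlsOptions(?string $caBundle): array
{
    $opts = [CURLOPT_SSL_VERIFYPEER => true, CURLOPT_SSL_VERIFYHOST => 2];
    if ($caBundle !== null) {
        $opts[CURLOPT_CAINFO] = $caBundle;
    }
    return $opts;
}

// stream: peer verification must be requested explicitly on older PHP.
function streamTlsContext(string $host, ?string $caBundle)
{
    $ssl = ['verify_peer' => true, 'verify_peer_name' => true,
            'peer_name' => $host, 'allow_self_signed' => false];
    if ($caBundle !== null) {
        $ssl['cafile'] = $caBundle;
    }
    return stream_context_create(['ssl' => $ssl]);
}

// Fetch over HTTPS; fail closed rather than fall back to an unverified path.
function httpsGet(string $url): string
{
    $ca = caBundleIfUsable(CA_BUNDLE);
    if (function_exists('curl_init')) {
        $ch = curl_init($url);
        curl_setopt_array($ch, curlTlsOptions($ca)
            + [CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 10]);
        $body = curl_exec($ch);
        if ($body === false) {
            throw new RuntimeException('curl: ' . curl_error($ch));
        }
        return $body;
    }
    $ctx = streamTlsContext((string) parse_url($url, PHP_URL_HOST), $ca);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        throw new RuntimeException('stream: verification or network failure');
    }
    return $body;
}
```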

@robocoder commented on January 13th 2011 Contributor

(In [3725]) refs #1867 - add curl support for local cacert.pem, if available

@mattab commented on May 31st 2012 Member

As part of this ticket, the download of latest.zip should also happen over HTTPS.

  • The update functionality needs a digital signature check.
  • Only valid downloads should be unpackable and installable.
  • All communication with the Piwik.org server should be over SSL

@mattab commented on August 16th 2012 Member

Note: https://api.piwik.org now works!

as well as https://demo.piwik.org https://piwik.org and others :)

@mattab commented on December 14th 2012 Member

To be done after: #728 which will help test the change.

Add a FAQ explaining how to change to https://api.piwik.org in config file.

@mattab commented on January 13th 2014 Member

https://api.piwik.org can be set in the config file

This Issue was closed on January 13th 2014