Insecure Transport: Weak SSL Protocol in /core/Http.php #19480
Comments
Thanks for spotting this @DHammer-PT. It doesn't seem to have been reported previously. As it appears to be a trivial fix and would improve security, I've flagged it for a priority review.
@tsteur are you happy for this to be scheduled as a security improvement?
Is there any chance of breaking anything? If not, then we could do it. If there's a chance, then we'd need to look at this and do it in Matomo 5.
https://www.php.net/manual/en/function.fsockopen.php For what it's worth I did a quick test by modifying
I don't think the issue is as much of a problem with ssl:// working or not working, but rather that ssl:// is seen as obsolete and tls:// is the modern standard. TLS is the more secure method. |
Do we know if Also no *.matomo.org domain has supported SSL 3.0 in quite a long time, so does that mean the socket method was broken for all Matomo users for a long time now? If so, we should maybe think about removing it (as at least for me using curl feels a lot more reliable than an improvised HTTP client over a raw socket). |
In the file /core/Http.php, there is a protocol issue. Line 386 contains the following:

```php
$connectHost = 'ssl://' . $connectHost;
```

This is an insecure method and should be changed to:

```php
$connectHost = 'tls://' . $connectHost;
```
Could this be updated in a future release? I apologize in advance if this has already been reported. I tried digging through the issues to see if it had been reported, but was unable to find a match.
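As an added example (not Matomo's code and not part of the original report): the suggested fix swaps the `ssl://` scheme for `tls://`; the snippet below does that and additionally pins the minimum protocol version and peer verification through a stream context, then checks what was actually negotiated, so the result no longer depends on the wrapper's default crypto method. The host, port and function name are placeholders.

```php
<?php
// Added example, not Matomo's code. Opens a TLS socket with the tls:// scheme
// and pins the acceptable protocol versions and certificate checks explicitly,
// instead of relying on whatever the stream wrapper negotiates by default.
function openTlsSocket(string $host, int $port = 443, int $timeout = 10)
{
    // Only allow TLS 1.2, plus TLS 1.3 where this PHP/OpenSSL build knows it.
    $methods = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')) {
        $methods |= STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT;
    }

    $context = stream_context_create([
        'ssl' => [
            'crypto_method'     => $methods,
            'verify_peer'       => true,   // validate the certificate chain
            'verify_peer_name'  => true,   // and that it matches $host
            'allow_self_signed' => false,
            'peer_name'         => $host,  // name used for SNI and the name check
        ],
    ]);

    $errno  = 0;
    $errstr = '';
    $fp = stream_socket_client(
        'tls://' . $host . ':' . $port,
        $errno,
        $errstr,
        $timeout,
        STREAM_CLIENT_CONNECT,
        $context
    );
    if ($fp === false) {
        throw new RuntimeException("TLS connect to $host:$port failed: [$errno] $errstr");
    }

    // Confirm what was actually negotiated; modern PHP exposes it in the metadata.
    $meta     = stream_get_meta_data($fp);
    $protocol = $meta['crypto']['protocol'] ?? 'unknown';
    if (!in_array($protocol, ['TLSv1.2', 'TLSv1.3'], true)) {
        fclose($fp);
        throw new RuntimeException("Refusing connection negotiated with $protocol");
    }
    return $fp;
}

// Usage (placeholder host): $fp = openTlsSocket('example.invalid');
```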