Auto update over HTTPS can fail #7576

Closed
mattab opened this issue Mar 30, 2015 · 11 comments
Member

mattab commented Mar 30, 2015

In this forum post there are a few users who report an issue with auto-updating failing because it now uses HTTPS (from #6441). The error these users get is: curl_exec: Unknown SSL protocol error in connection to builds.piwik.org:443 . Hostname requested was: builds.piwik.org

Configurations affected so far:

  • curl/OpenSSL on CentOS 5.11 (Final)

Tasks:

  • Users report they didn't see the button to update automatically over HTTP -> maybe the fallback didn't work for them in this case?
  • Could we mitigate or solve this problem?
@mattab mattab added the Task label Mar 30, 2015
@mattab mattab added this to the Short term milestone Mar 30, 2015

bolera commented Mar 30, 2015

Thanks for opening the report, Matt. Yes, there are two issues:

  • no fallback was offered
  • the builds.piwik.org server doesn't want to "talk" to us

I think the issue can easily be solved by reconfiguring the server without changing any code in Piwik.

There's something set on it that our openssl lib doesn't like. It's at this stage:
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server finished (14):
(working handshake)

The handshake with builds.piwik.org goes like this:
* SSLv2, Client hello (1):
Unknown SSL protocol error in connection to builds.piwik.org:443
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to builds.piwik.org:443

Note, AFAIK this is not a setting that makes your server more secure. Compare your server with www.qualys.com with their SSL test at https://www.ssllabs.com/ssltest/ Your server gets a B (mine do as well, but my servers are secured against CRIME, yours are not) while Qualys gets an A-.
But I can easily download via https with curl from qualys.com. So, I think changing that setting would have no effect on security. Just, I don't know what it is.
I'm happy to test against your server with my curl anytime.
Once you have set your servers correctly we can all update automatically and then you could check what went wrong with the http fallback and change code for one of the next releases.
Thanks!

(I removed the "" Markdown as it wrapped all lines in one, how can I make whole paragraphs to show as code?)

Contributor

mnapoli commented Mar 30, 2015

@bolera I'm interested to know whether this is showing as an error in the download screen, or if it's a fatal error and you see the "Piwik error" screen. Could you post a screenshot of the error page?

As @mattab said the main concern here is that the screen offering you to update over HTTP didn't show, which leaves you to manual update only.

Also, from what I gathered from the forum post, you tried setting up Curl certificates but this doesn't change anything, right?

> (I removed the "" Markdown as it wrapped all lines in one, how can I make whole paragraphs to show as code?)

Have a look here, I can't put the characters in my answer directly because they get interpreted :)

mnapoli added a commit that referenced this issue Mar 30, 2015
Contributor

mnapoli commented Mar 30, 2015

@bolera could you try this patch and let me know if it fixes the problem: 6bce952

Thanks!

Contributor

mnapoli commented Mar 30, 2015

I've created a separate ticket regarding Curl certificates: #7580

@mnapoli mnapoli self-assigned this Mar 30, 2015
@mnapoli mnapoli modified the milestones: Piwik 2.13.0, Short term Mar 30, 2015

bolera commented Mar 31, 2015

Thanks. I tested the patch and it works to display the https and the http option. And I patched the new updater file ...
However, I still think that your server is configured incorrectly.
Today I looked thru the curl bug tracker and found an option to enforce TLS1 in connection with that unspecified SSL error. Et voila, adding that option makes the connection work:
curl -o piwik.latest.tar.gz https://builds.piwik.org/piwik-latest.tar.gz -k -vvvv --tlsv1
Remove the --tlsv1 at the end and it fails. All other servers I tried and which also have SSL2 and SSL3 disabled (as yours) do not fail.
It seems it simply does not reply to an SSL2/non-TLS client hello, not even to tell "use TLS". Remember, so far it seems that builds.piwik.org is the only one that creates this error with curl.

Look at the differences (I removed the asterisks as the Markdown interprets them wrongly):

  • connect to a working server:
    SSL_v2_, Client hello (1):
    SSLv3, TLS handshake, Server hello (2):
  • connect to builds.piwik.org without --tlsv1:
    SSL_v2_, Client hello (1):
    -> fails, apparently with no server response
  • connect to builds.piwik.org with --tlsv1:
    SSL_v3, TLS handshake_, Client hello (1):
    SSLv3, TLS handshake, Server hello (2):

So, seems to me that builds.piwik.org should enforce TLS connections, but instead either doesn't reply or replies with a "no".

@mnapoli mnapoli removed their assignment Mar 31, 2015
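
The failing and working traces in the comment above differ in the framing of the client's first message: an SSLv2-format hello versus a hello inside a TLS record. As an added example (not code from this thread or from Piwik), this Python builds a constructed sample of each and classifies it by its leading bytes, the same check a server or a packet-capture filter applies. The function names, the byte strings and the "TLS-only server" model are assumptions for illustration.

```python
import struct

NAMES = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0"}

def build_sslv2_format_hello(max_version=(3, 1)):
    """Constructed SSLv2-format ClientHello offering up to max_version."""
    cipher_specs = bytes.fromhex("00002f000035")  # two suites, 3 bytes each
    challenge = bytes(16)                         # constructed: all zeros
    body = struct.pack("!B2BHHH", 1, *max_version,
                       len(cipher_specs), 0, len(challenge))
    body += cipher_specs + challenge
    # 2-byte header: high bit set, low 15 bits carry the body length
    return struct.pack("!H", 0x8000 | len(body)) + body

def build_tls_record_hello(version=(3, 1)):
    """Constructed TLS-record ClientHello without extensions."""
    suites = bytes.fromhex("002f0035")
    hello = (bytes(version) + bytes(32) + b"\x00"      # version, random, no session id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00")                            # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake

def classify_client_hello(data):
    """Return (framing, offered version name) from the first bytes received."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        declared = struct.unpack("!H", data[:2])[0] & 0x7FFF
        if declared == len(data) - 2:
            version = (data[3], data[4])
            return ("sslv2-format", NAMES.get(version, "unknown"))
    if len(data) >= 11 and data[0] == 0x16 and data[1] == 3 and data[5] == 0x01:
        version = (data[9], data[10])  # client_version inside the handshake body
        return ("tls-record", NAMES.get(version, "unknown"))
    return ("unknown", None)

def tls_only_server_replies(data):
    """Model (assumption) of a server that ignores anything but TLS records."""
    return classify_client_hello(data)[0] == "tls-record"

if __name__ == "__main__":
    for label, hello in [("default", build_sslv2_format_hello()),
                         ("--tlsv1", build_tls_record_hello())]:
        print(label, classify_client_hello(hello), tls_only_server_replies(hello))
```

Both samples offer TLSv1.0 as the highest version; only the framing differs, which is why forcing a TLS-record hello is enough to change the outcome in this model.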
Contributor

mnapoli commented Mar 31, 2015

@bolera sorry the issue was closed by my commit message but maybe those problems with the SSL setup need to be fixed on the server too. I'll reopen the issue.

@mnapoli mnapoli reopened this Mar 31, 2015
Member Author

mattab commented Mar 31, 2015

Another thread with users reporting issues: http://forum.piwik.org/read.php?2,125605

Contributor

mnapoli commented Mar 31, 2015

@mattab this forum report is #7580 (i.e. no certificate in curl)

Maybe we should create a new issue for the SSL configuration issues on piwik.org and close this one? (this is getting confusing)

Member Author

mattab commented Mar 31, 2015

> Maybe we should create a new issue for the SSL configuration issues on piwik.org and close this one? (this is getting confusing)

definitely, it's a different issue

Contributor

mnapoli commented Mar 31, 2015

OK @bolera I've moved the issue you are reporting to #7598

@mnapoli mnapoli closed this as completed Mar 31, 2015

jprado commented Apr 1, 2015

I just wanted to add that if you disable SSLv3 with the -1 param, it works:

$ curl -1 -I https://builds.piwik.org

SSLv3 is disabled on that server.

@mnapoli mnapoli self-assigned this Apr 9, 2015