
Piwik.org SSL configuration issues #7598

Closed
mnapoli opened this issue Mar 31, 2015 · 4 comments
Labels
answered For when a question was asked and we referred to forum or answered it. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. c: Usability For issues that let users achieve a defined goal more effectively or efficiently. c: Website matomo.org For issues related to our matomo.org website. Task Indicates an issue is neither a feature nor a bug and it's purely a "technical" change.

Comments

@mnapoli
Contributor

mnapoli commented Mar 31, 2015

I'm opening this issue on behalf of @bolera, per his reports in #7576

the builds.piwik.org server doesn't want to "talk" to us. I think the issue can easily be solved by reconfiguring the server without changing any code in Piwik.

Explanation

However, I still think that your server is configured incorrectly.
Today I looked through the curl bug tracker and found an option to enforce TLS1 in connection with that unspecified SSL error. Et voila, adding that option makes the connection work:
curl -o piwik.latest.tar.gz https://builds.piwik.org/piwik-latest.tar.gz -k -vvvv --tlsv1
Remove the --tlsv1 at the end and it fails. All other servers I tried and which also have SSL2 and SSL3 disabled (as yours) do not fail.
It seems it simply does not reply to an SSL2/non-TLS client hello, not even to tell "use TLS". Remember, so far it seems that builds.piwik.org is the only one that creates this error with curl.

Look at the differences (I removed the asterisks as the Markdown interprets them wrongly):

connect to a working server: SSLv2, Client hello (1): SSLv3, TLS handshake, Server hello (2):
connect to builds.piwik.org without --tlsv1: SSLv2, Client hello (1): -> fails, apparently with no server response
connect to builds.piwik.org with --tlsv1: SSLv3, TLS handshake, Client hello (1): SSLv3, TLS handshake, Server hello (2):
So, it seems to me that builds.piwik.org should enforce TLS connections, but instead it either doesn't reply or replies with a "no".
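The handshake difference described in the quoted report above (a server that answers a TLS-record ClientHello but stays silent on the SSLv2-compatible one) can be reproduced without curl. The following Python probe is an added example, not code from this issue or from Piwik: it builds the two hello formats that curl's verbose log labels "SSLv2, Client hello" and "SSLv3, TLS handshake, Client hello", sends each to a host, and classifies the first bytes that come back. The cipher list, the placeholder host name and the sample replies are constructed for the illustration; `probe()` needs network access, while the builders and the classifier run offline.

```python
import socket
import struct

# Added illustration, not code from the issue or from Piwik: builds the two
# ClientHello formats that curl's verbose log distinguishes ("SSLv2, Client
# hello" = legacy SSLv2-compatible hello; "SSLv3, TLS handshake, Client
# hello" = a normal TLS record) and classifies what a server sends back.
# Host name, cipher list and the sample replies are constructed.

TLS_RECORD_HANDSHAKE = 0x16
TLS_RECORD_ALERT = 0x15
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02
TLS1_0 = (3, 1)  # TLS 1.0 is version 3.1 on the wire
# Three widely deployed suites (constructed choice, enough to get a reply).
CIPHERS = [0x002F, 0x0035, 0x000A]  # AES128-SHA, AES256-SHA, DES-CBC3-SHA


def tls_client_hello(version=TLS1_0, random_bytes=b"\x00" * 32):
    """Minimal TLS record carrying a ClientHello."""
    major, minor = version
    suites = b"".join(struct.pack("!H", c) for c in CIPHERS)
    body = bytes([major, minor]) + random_bytes
    body += b"\x00"                                  # empty session id
    body += struct.pack("!H", len(suites)) + suites  # cipher suites
    body += b"\x01\x00"                              # one compression method: null
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_RECORD_HANDSHAKE, major, minor])
            + struct.pack("!H", len(handshake)) + handshake)


def sslv2_compat_client_hello(version=TLS1_0, challenge=b"\x00" * 16):
    """SSLv2-framed ClientHello that offers a TLS version inside the old
    SSLv2 header; older OpenSSL-based clients sent this by default."""
    major, minor = version
    specs = b"".join(b"\x00" + struct.pack("!H", c) for c in CIPHERS)  # 3-byte specs
    body = bytes([HANDSHAKE_CLIENT_HELLO, major, minor])
    body += struct.pack("!HHH", len(specs), 0, len(challenge))
    body += specs + challenge
    # Two-byte SSLv2 header: high bit set, length in the low 15 bits.
    return struct.pack("!H", 0x8000 | len(body)) + body


def classify_reply(data):
    """Name the server's first reply to a hello, in curl-log terms."""
    if not data:
        return "no response"
    if (data[0] == TLS_RECORD_HANDSHAKE and len(data) >= 11
            and data[5] == HANDSHAKE_SERVER_HELLO):
        return "Server hello, version %d.%d" % (data[9], data[10])
    if data[0] == TLS_RECORD_ALERT:
        return "TLS alert"
    return "unrecognised reply"


def probe(host, port=443, timeout=5.0):
    """Send both hello formats to host:port and report what comes back.
    Needs network access; the builders and classify_reply() run offline."""
    results = {}
    for name, hello in (("tls_record_hello", tls_client_hello()),
                        ("sslv2_compat_hello", sslv2_compat_client_hello())):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(hello)
                results[name] = classify_reply(s.recv(4096))
        except OSError as e:  # includes timeouts and connection resets
            results[name] = "error: %s" % e
    return results


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # placeholder
    for name, outcome in probe(host).items():
        print("%-20s %s" % (name, outcome))
```

A host that behaves as the report describes yields a "Server hello" for the TLS-record hello and "no response" (a timeout) for the SSLv2-compatible one; a server that rejects the legacy hello cleanly returns a TLS alert instead, which is the behaviour to aim for when disabling SSLv2/SSLv3.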

@bolera

bolera commented Apr 1, 2015

Thanks to both of you!

@mattab mattab added Task Indicates an issue is neither a feature nor a bug and it's purely a "technical" change. c: Website matomo.org For issues related to our matomo.org website. labels Apr 8, 2015
@mattab mattab added this to the Mid term milestone Apr 8, 2015
@mattab mattab added c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. c: Usability For issues that let users achieve a defined goal more effectively or efficiently. labels Apr 8, 2015
@mattab
Member

mattab commented Apr 8, 2015

Note: there was also this issue created by a third party researcher to describe some ways the SSL configuration could be improved: isvsecwatch/httpstracker#22 - piwik.org hosting team will definitely make improvements there but this will take a few months.

@pilere

pilere commented Apr 15, 2015

Hi, does this explain why the one-click update process fails now?
[image attachment]

@Globulopolis
Contributor

@pilere yes, but it's not a Piwik problem. You should update cacert.pem for your cURL. Download the file http://curl.haxx.se/ca/cacert.pem and place it somewhere. Then in php.ini add

[cURL]
curl.cainfo = "path_to\cacert.pem"

And reload Apache.
