glpi-project / glpi

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing.
https://glpi-project.org
GNU General Public License v3.0

Error TLS 1.2 on API using Go Daddy Certificate #15244

Closed SilvaFernando closed 1 year ago

SilvaFernando commented 1 year ago

Version

10.0.9

Bug description

I'm using GLPI 10.0.9 with an SSL certificate provided by Go Daddy, but on the web interface I don't have any trouble accessing it: [screenshot]

But if I try to send an API request I have an error on TLS 1.2: [screenshot]

[screenshot]

I'm testing using a Let's Encrypt certificate and I don't have any problem. I tried activating TLS support using this: https://apache.tutorials24x7.com/blog/how-to-enable-tls-1-2-and-tls-1-3-in-apache-web-server

Do you have some ideas to help me solve this?

Relevant log output

No response

Page URL

https://MyDNS

Steps To reproduce

Just use a Go Daddy certificate on Apache

Your GLPI setup information

Instruções de instalação e configuração
GLPI 10.0.9 ( => /usr/share/glpi)
Installation mode: TARBALL
Current language:pt_BR

Server
 
Operating system: Linux 3bf19f3b9f94 4.18.0-348.20.1.el8_5.x86_64 #1 SMP Thu Mar 10 20:59:28 UTC 2022 x86_64
PHP 8.1.20 fpm-fcgi (Core, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, apcu, bz2, calendar, cgi-fcgi, ctype, curl,
    date, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, imap, intl, json, ldap, libxml, mbstring, mysqli, mysqlnd,
    openssl, pcre, pdo_mysql, pdo_sqlite, posix, selinux, session, shmop, snmp, soap, sockets, sodium, sqlite3, standard, sysvmsg,
    sysvsem, sysvshm, tokenizer, xml, xmlreader, xmlrpc, xmlwriter, xsl, zip, zlib)
Setup: max_execution_time="30" memory_limit="128M" post_max_size="20M" safe_mode="" session.save_handler="files"
    upload_max_filesize="20M" 
Software: Apache/2.4.37 (AlmaLinux) ()
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82
Server Software: Percona Server (GPL), Release 22, Revision 7e301439b65
    Server Version: 8.0.30-22
    Server SQL Mode: STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION
    Parameters: glpi@db-glpi-10.0.8-Dev/glpi
    Host info: db-glpi-10.0.8-Dev via TCP/IP

PHP version (8.1.20) is supported.
Sessions configuration is OK.
Allocated memory is sufficient.
mysqli extension is installed.
Following extensions are installed: dom, fileinfo, filter, libxml, json, simplexml, xmlreader, xmlwriter.
curl extension is installed.
gd extension is installed.
intl extension is installed.
zlib extension is installed.
The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present.
Database engine version (8.0.30) is supported.
No files from previous GLPI version detected.
The log file has been created successfully.
Write access to /var/lib/glpi/files/_cache has been validated.
The directory could not be created in /etc/glpi.
Write access to /var/lib/glpi/files/_cron has been validated.
Write access to /var/lib/glpi/files/data-documents has been validated.
Write access to /var/lib/glpi/files/_dumps has been validated.
Write access to /var/lib/glpi/files/_graphs has been validated.
Write access to /var/lib/glpi/files/_lock has been validated.
Write access to /var/lib/glpi/files/_pictures has been validated.
Write access to /var/lib/glpi/files/_plugins has been validated.
Write access to /var/lib/glpi/files/_rss has been validated.
Write access to /var/lib/glpi/files/_sessions has been validated.
Write access to /var/lib/glpi/files/_tmp has been validated.
Write access to /var/lib/glpi/files/_uploads has been validated.
For security reasons, SELinux mode should be Enforcing.

Web server root directory configuration seems safe.
Sessions configuration is secured.
OS and PHP are relying on 64 bits integers.
exif extension is installed.
ldap extension is installed.
openssl extension is installed.
Following extensions are installed: bz2, Phar, zip.
Zend OPcache extension is installed.
Following extensions are installed: ctype, iconv, mbstring, sodium.
The directory could not be created in /usr/share/glpi/marketplace.
Access to timezone database (mysql) is not allowed.

GLPI constants
 
GLPI_ROOT: "/usr/share/glpi"
GLPI_CONFIG_DIR: "/etc/glpi"
GLPI_MARKETPLACE_ALLOW_OVERRIDE: false
GLPI_VAR_DIR: "/var/lib/glpi/files"
GLPI_DOC_DIR: "/var/lib/glpi/files/data-documents"
GLPI_CRON_DIR: "/var/lib/glpi/files/_cron"
GLPI_DUMP_DIR: "/var/lib/glpi/files/_dumps"
GLPI_GRAPH_DIR: "/var/lib/glpi/files/_graphs"
GLPI_LOCK_DIR: "/var/lib/glpi/files/_lock"
GLPI_PICTURE_DIR: "/var/lib/glpi/files/_pictures"
GLPI_PLUGIN_DOC_DIR: "/var/lib/glpi/files/_plugins"
GLPI_RSS_DIR: "/var/lib/glpi/files/_rss"
GLPI_SESSION_DIR: "/var/lib/glpi/files/_sessions"
GLPI_TMP_DIR: "/var/lib/glpi/files/_tmp"
GLPI_UPLOAD_DIR: "/var/lib/glpi/files/_uploads"
GLPI_CACHE_DIR: "/var/lib/glpi/files/_cache"
GLPI_LOG_DIR: "/var/log/glpi"
GLPI_SYSTEM_CRON: true
GLPI_MARKETPLACE_DIR: "/usr/share/glpi/marketplace"
GLPI_USE_CSRF_CHECK: "1"
GLPI_CSRF_EXPIRES: "7200"
GLPI_CSRF_MAX_TOKENS: "100"
GLPI_USE_IDOR_CHECK: "1"
GLPI_IDOR_EXPIRES: "7200"
GLPI_ALLOW_IFRAME_IN_RICH_TEXT: false
GLPI_SERVERSIDE_URL_ALLOWLIST: ["/^(https?|feed):\\/\\/[^@:]+(\\/.*)?$/"]
GLPI_TELEMETRY_URI: "https://telemetry.glpi-project.org"
GLPI_INSTALL_MODE: "TARBALL"
GLPI_NETWORK_MAIL: "glpi@teclib.com"
GLPI_NETWORK_SERVICES: "https://services.glpi-network.com"
GLPI_MARKETPLACE_MANUAL_DOWNLOADS: true
GLPI_USER_AGENT_EXTRA_COMMENTS: ""
GLPI_DISABLE_ONLY_FULL_GROUP_BY_SQL_MODE: "1"
GLPI_AJAX_DASHBOARD: "1"
GLPI_CALDAV_IMPORT_STATE: 0
GLPI_DEMO_MODE: "0"
GLPI_CENTRAL_WARNINGS: "1"
GLPI_LOCAL_I18N_DIR: "/var/lib/glpi/files/_locales"
GLPI_INVENTORY_DIR: "/var/lib/glpi/files/_inventories"
GLPI_NETWORK_REGISTRATION_API_URL: "https://services.glpi-network.com/api/registration/"
GLPI_MARKETPLACE_PLUGINS_API_URI: "https://services.glpi-network.com/api/marketplace/"
GLPI_I18N_DIR: "/usr/share/glpi/locales"
GLPI_VERSION: "10.0.9"
GLPI_SCHEMA_VERSION: "10.0.9@77fc44668eaae89b61d95fe606d20d93d66110cd"
GLPI_MARKETPLACE_PRERELEASES: false
GLPI_MIN_PHP: "7.4.0"
GLPI_MAX_PHP: "8.3.0"
GLPI_YEAR: "2023"

Libraries
 
htmlawed/htmlawed version 1.2.14 in (/usr/share/glpi/vendor/htmlawed/htmlawed)
phpmailer/phpmailer version 6.8.0 in (/usr/share/glpi/vendor/phpmailer/phpmailer/src)
simplepie/simplepie version 1.5.8 in (/usr/share/glpi/vendor/simplepie/simplepie/library)
tecnickcom/tcpdf version 6.6.2 in (/usr/share/glpi/vendor/tecnickcom/tcpdf)
michelf/php-markdown in (/usr/share/glpi/vendor/michelf/php-markdown/Michelf)
true/punycode in (/usr/share/glpi/vendor/true/punycode/src)
iamcal/lib_autolink in (/usr/share/glpi/vendor/iamcal/lib_autolink)
sabre/dav in (/usr/share/glpi/vendor/sabre/dav/lib/DAV)
sabre/http in (/usr/share/glpi/vendor/sabre/http/lib)
sabre/uri in (/usr/share/glpi/vendor/sabre/uri/lib)
sabre/vobject in (/usr/share/glpi/vendor/sabre/vobject/lib)
laminas/laminas-i18n in (/usr/share/glpi/vendor/laminas/laminas-i18n/src)
laminas/laminas-servicemanager in (/usr/share/glpi/vendor/laminas/laminas-servicemanager/src)
monolog/monolog in (/usr/share/glpi/vendor/monolog/monolog/src/Monolog)
sebastian/diff in (/usr/share/glpi/vendor/sebastian/diff/src)
donatj/phpuseragentparser in (/usr/share/glpi/vendor/donatj/phpuseragentparser/src/UserAgent)
elvanto/litemoji in (/usr/share/glpi/vendor/elvanto/litemoji/src)
symfony/console in (/usr/share/glpi/vendor/symfony/console)
scssphp/scssphp in (/usr/share/glpi/vendor/scssphp/scssphp/src)
laminas/laminas-mail in (/usr/share/glpi/vendor/laminas/laminas-mail/src/Protocol)
laminas/laminas-mime in (/usr/share/glpi/vendor/laminas/laminas-mime/src)
rlanvin/php-rrule in (/usr/share/glpi/vendor/rlanvin/php-rrule/src)
blueimp/jquery-file-upload in (/usr/share/glpi/vendor/blueimp/jquery-file-upload/server/php)
ramsey/uuid in (/usr/share/glpi/vendor/ramsey/uuid/src)
psr/log in (/usr/share/glpi/vendor/psr/log/Psr/Log)
psr/simple-cache in (/usr/share/glpi/vendor/psr/simple-cache/src)
psr/cache in (/usr/share/glpi/vendor/psr/cache/src)
league/csv in (/usr/share/glpi/vendor/league/csv/src)
mexitek/phpcolors in (/usr/share/glpi/vendor/mexitek/phpcolors/src/Mexitek/PHPColors)
guzzlehttp/guzzle in (/usr/share/glpi/vendor/guzzlehttp/guzzle/src)
guzzlehttp/psr7 in (/usr/share/glpi/vendor/guzzlehttp/psr7/src)
glpi-project/inventory_format in (/usr/share/glpi/vendor/glpi-project/inventory_format/lib/php)
wapmorgan/unified-archive in (/usr/share/glpi/vendor/wapmorgan/unified-archive/src)
paragonie/sodium_compat in (/usr/share/glpi/vendor/paragonie/sodium_compat/src)
symfony/cache in (/usr/share/glpi/vendor/symfony/cache)
html2text/html2text in (/usr/share/glpi/vendor/html2text/html2text/src)
symfony/css-selector in (/usr/share/glpi/vendor/symfony/css-selector)
symfony/dom-crawler in (/usr/share/glpi/vendor/symfony/dom-crawler)
twig/twig in (/usr/share/glpi/vendor/twig/twig/src)
twig/string-extra in (/usr/share/glpi/vendor/twig/string-extra)
symfony/polyfill-ctype not found
symfony/polyfill-iconv not found
symfony/polyfill-mbstring not found
symfony/polyfill-php80 not found
symfony/polyfill-php81 not found
symfony/polyfill-php82 in (/usr/share/glpi/vendor/symfony/polyfill-php82)
league/oauth2-client in (/usr/share/glpi/vendor/league/oauth2-client/src/Provider)
league/oauth2-google in (/usr/share/glpi/vendor/league/oauth2-google/src/Provider)
thenetworg/oauth2-azure in (/usr/share/glpi/vendor/thenetworg/oauth2-azure/src/Provider)
phpCas version 1.6.1 in (/usr/share/pear)

SQL replicas
 
Not active

Notifications
 
Way of sending emails: PHP

Plugins list
 
    formcreator          Name: Form Creator                   Version: 2.14.0-dev State: Installed / not activated               
        Install Method: Manual

Anything else?

No response

keguira commented 1 year ago

I don't think it's a GLPI error.

Certificate validation and TLS handshake are on client side.

On Windows, Chromium-based browsers use the Windows keystore. Keys are stored at different levels (user, machine, etc.) and maintained automatically with updates.

On Windows 10, GoDaddy is in the User CA Store (I can see it with the command certutil -Silent -Split -User -Store CA), just like Let's Encrypt.

It seems that you are using Postman: the issue is on Postman's side and how it handles the TLS 1.2 handshake. Here is a solution from their community forum: https://community.postman.com/t/how-to-add-tls-1-2-version-in-postman/1670

SilvaFernando commented 1 year ago

Hi @keguira.

I've tried to send this request using curl and it does not work either: [screenshot]

Can we solve this by altering the Apache config?

BR. Fernando Dias da Silva

keguira commented 1 year ago

Yes AND no.

I don't know what you did with your Apache config or which versions of the TLS protocol you activated, but you can modify it in Apache to correspond to your security needs. In curl, you can also specify which TLS version you want to use.

Here, it's firstly a matter of "security". Decide what you need to activate in your Apache config, then call your endpoints with your clients (curl, Postman, another app, whatever). Just don't open old unsafe protocols because you cannot do your tests.

Useful ref:

And this ticket should be closed as it's not a GLPI issue.
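A client-side probe that separates the two failure modes raised in this thread (the server refusing a pinned TLS version versus the client not trusting the served GoDaddy chain), written as an added example rather than GLPI project code; the host name is a placeholder, and `SSLProtocol` in the verdicts refers to the standard Apache mod_ssl directive.

```python
"""Probe a GLPI host per TLS version and separate protocol refusals from
certificate-trust failures. Added example, not GLPI code; host is a placeholder."""
import socket
import ssl
import sys

VERSIONS = {"TLS 1.2": ssl.TLSVersion.TLSv1_2, "TLS 1.3": ssl.TLSVersion.TLSv1_3}

def make_context(version):
    """Client context pinned to one protocol version, trusting the system
    CA store exactly as curl does (no verification shortcuts)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def probe(host, port, version, timeout=5.0):
    """Attempt one handshake; return (ok, detail)."""
    ctx = make_context(version)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} with {tls.cipher()[0]}"
    except ssl.SSLCertVerificationError as e:
        # Protocol was accepted; the served chain or hostname was not trusted.
        return False, f"certificate rejected: {e.verify_message}"
    except ssl.SSLError as e:
        # No agreement on protocol version or cipher suite.
        return False, f"handshake failed: {e.reason}"
    except OSError as e:
        return False, f"connection error: {e}"

def diagnose(results):
    """Map {name: (ok, detail)} to the next step: Apache SSLProtocol
    versus the client's trust store, the distinction drawn in the thread."""
    if any(ok for ok, _ in results.values()):
        return "server negotiates TLS with this client; pin the same version in the API client"
    if all(d.startswith("certificate rejected") for _, d in results.values()):
        return "chain or CA not trusted by the client; fix trust store or served chain, not SSLProtocol"
    return "no version completes a handshake; check Apache SSLProtocol and ciphers"

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "glpi.example.invalid"  # placeholder
    outcome = {name: probe(host, 443, v) for name, v in VERSIONS.items()}
    for name, (ok, detail) in outcome.items():
        print(f"{name}: {'OK' if ok else 'FAIL'} - {detail}")
    print(diagnose(outcome))
```

Run it against the GLPI host from the same machine as the failing API client; a "certificate rejected" result on every version points at the trust store or the served chain rather than at the Apache protocol settings.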

github-actions[bot] commented 1 year ago

This issue has been closed as we only track bugs here.

You can get community support on forums or you can consider taking a subscription to get professional support. You can also contact GLPI editor team directly.