Paul wrote: ↑
Wed Dec 04, 2019 7:13 am
To be honest, I still don't think it is something on our end, as then a lot more reports would be coming in
Certainly hard to picture what the technical issue would be at phpbb.com's end, if not something like a blacklist.
Something like a blacklist would potentially be consistent with "why aren't a bunch of people reporting this", since we don't know how lucky you needed to be for your IP address to actually be in this list, or whom else is even on it.
Understood regarding how it's separate servers, and could be something that is only employed on systems serving Tatiana. My premise was more from the perspective of "if it had been in response to a previous abuse or denial of service", it wouldn't be hard to picture that the mitigation against it would have been implemented at a point that protected the entire site, rather than just one piece of the site.
But since this board's communication to phpbb.com through /phpbb/version_helper.php is working (for checking phpBB's own version), and since this board's communication to non-phpbb.com hosts (like David's version server) though /phpbb/version_helper.php is working for checking an extension's version, it's also hard to point to evidence that there is something amiss at this phpBB board's end, too.
hurghanico wrote: ↑
Wed Dec 04, 2019 12:22 pm
I wonder if the TLS 1.2 and HTTP/1.1 not detected (if not a false positive) reported by the paypal donation extension could be also the cause of the other problem faced here..
Certainly the kind of observation to consider whether it relates to the root cause. The reasons I would say the evidence doesn't support this being related are: The /phpbb/file_downloader.php class that /phpbb/version_helper.php uses to retrieve the actual version JSON data is writing its own simple HTTP 1.0 request, regardless of what HTTP version or support exists elsewhere.
But a moot point for the current investigation, since we can see in your entire list of extensions
that none of them are set to attempt SSL for the version check. i.e. All of them were passing "int(80)" as the port number to /phpbb/file_downloader.php. So there is no HTTPS / SSL / TLS involved, or even requested.
(In fact, as I look at the /phpbb/file_downloader.php code's SSL support, it makes me wonder whether an extension requesting SSL for it's version-check data would even work at this point. With actual SSL becoming deprecated by more hosts and services, ostensibly we need to be attempting TLS 1.1+ negotiation instead. But /php/file_downloader.php hasn't been updated on that point, and probably needs its own bug on this.)
edit: I tested the point regarding an extension requesting SSL for the version check, and at least on PHP 7.2.24 we apparently "get TLS 1.2 for free" in response to specifying the "ssl://" transport prefix. i.e. A LAN trace of the phpBB board's outbound communication confirms TLS 1.2 negotiation.
I was picturing that we could be in a situation like https://tracker.phpbb.com/browse/PHPBB3-15961
for /includes/functions_messenger.php, where allowing latest TLS versions had to be explicitly introduced. But it turns out that case is unique to explicit TLS (STARTTLS), and not the implicit TLS case where "ssl://" or "tls://" initiates negotiation at the very start of the TCP connection. So "no bug."