TimSmall
Cruncher
Joined: Apr 14, 2009
Post Count: 7
Completed work unit uploads failing due to use of outdated/insecure server CA certificate

Hello,

Just a heads-up that work unit uploads are failing on some setups (and this will likely grow in future, as more installations deprecate these older insecure certificates).

Not sure if this is the best place to report this, but it needs to go to the WCG web server admins...

Reason is that WCG uses https for uploads, however the CA (certificate authority) that has signed the upload server certificate uses a weak 1024 bit RSA key. Mozilla (which is the source for the CA certificate list on my boinc version, and many others) stopped trusting these older keys more than a year ago, and these changes are slowly being rolled out to client machines:

https://blog.mozilla.org/security/2015/01/28/...s-with-1024-bit-rsa-keys/

boinc on my platform uses the mozilla key bundle (amongst others), and other platforms and builds are taking the same policy over time.

debug output showing weak key below:

$ openssl s_client -CApath /etc/ssl/certs/ -connect cleanenergy.worldcommunitygrid.org:443 -prexit
CONNECTED(00000003)
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=New York/L=Armonk/O=International Business Machines Corporation/CN=cleanenergy.worldcommunitygrid.org
i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

Boinc debug output:

Mon 01 Feb 2016 09:34:16 GMT | World Community Grid | [http] [ID#18] Info:  Connected to cleanenergy.worldcommunitygrid.org (140.247.231.147) port 443 (#36)
Mon 01 Feb 2016 09:34:16 GMT | World Community Grid | [http] [ID#18] Info: successfully set certificate verify locations:
Mon 01 Feb 2016 09:34:16 GMT | World Community Grid | [http] [ID#18] Info: CAfile: ca-bundle.crt
Mon 01 Feb 2016 09:34:16 GMT | World Community Grid | [http] [ID#18] Info: CApath: /etc/ssl/certs
Mon 01 Feb 2016 09:34:16 GMT | World Community Grid | [http] [ID#18] Info: SSLv3, TLS handshake, Client hello (1):
Mon 01 Feb 2016 09:34:16 GMT | World Community Grid | [http] [ID#18] Info: SSLv3, TLS handshake, Server hello (2):
Mon 01 Feb 2016 09:34:16 GMT | World Community Grid | [http] [ID#18] Info: SSLv3, TLS handshake, CERT (11):
Mon 01 Feb 2016 09:34:16 GMT | World Community Grid | [http] [ID#18] Info: SSLv3, TLS alert, Server hello (2):
Mon 01 Feb 2016 09:34:16 GMT | World Community Grid | [http] [ID#18] Info: SSL certificate problem: unable to get local issuer certificate
Mon 01 Feb 2016 09:34:16 GMT | World Community Grid | [http] [ID#18] Info: Closing connection 36
Mon 01 Feb 2016 09:34:16 GMT | World Community Grid | [http] HTTP error: Peer certificate cannot be authenticated with given CA certificates
Mon 01 Feb 2016 09:34:17 GMT | World Community Grid | [http] [ID#19] Info: SSLv3, TLS handshake, Server hello (2):
Mon 01 Feb 2016 09:34:17 GMT | World Community Grid | [http] [ID#19] Info: SSLv3, TLS handshake, CERT (11):
Mon 01 Feb 2016 09:34:17 GMT | World Community Grid | [http] [ID#19] Info: SSLv3, TLS alert, Server hello (2):
Mon 01 Feb 2016 09:34:17 GMT | World Community Grid | [http] [ID#19] Info: SSL certificate problem: self signed certificate in certificate chain
Mon 01 Feb 2016 09:34:17 GMT | World Community Grid | [http] [ID#19] Info: Closing connection 37
Mon 01 Feb 2016 09:34:17 GMT | World Community Grid | [http] HTTP error: Peer certificate cannot be authenticated with given CA certificates
Mon 01 Feb 2016 09:34:17 GMT | World Community Grid | [file_xfer] http op done; retval -184 (transient HTTP error)
Mon 01 Feb 2016 09:34:17 GMT | World Community Grid | [file_xfer] http op done; retval -184 (transient HTTP error)
Mon 01 Feb 2016 09:34:17 GMT | World Community Grid | [file_xfer] file transfer status -184 (transient HTTP error)
Mon 01 Feb 2016 09:34:17 GMT | World Community Grid | Temporarily failed upload of E235903_443_S.222.C24H14S4.QKYRRCCUWVSYGT-UHFFFAOYSA-N.10_s1_14_0_r76355055_4: transient HTTP error

[Feb 1, 2016 10:11:02 AM]
TimSmall
Cruncher
Joined: Apr 14, 2009
Post Count: 7
Re: Completed work unit uploads failing due to use of outdated/insecure server CA certificate

FWIW, as a workaround it's possible to make boinc (only) trust the deprecated Thawte CA by placing/adding the contents of the file:

https://www.thawte.com/roots/thawte_Premium_Server_CA.pem

in a file called "ca-bundle.crt" in the boinc work directory...

It's not really the right fix tho', and the World Community Grid server admins need to get some new server certificates issued and installed...

Cheers,

Tim.
[Feb 1, 2016 10:23:45 AM]
SekeRob
Master Cruncher
Joined: Jan 7, 2013
Post Count: 2741
Re: Completed work unit uploads failing due to use of outdated/insecure server CA certificate

You're not the first developing peer certificate issues https://secure.worldcommunitygrid.org/forums/wcg/viewthread_thread,38798 though this now seems to focus on the Clean Energy server connection.
[Feb 1, 2016 10:26:38 AM]
TimSmall
Cruncher
Joined: Apr 14, 2009
Post Count: 7
Re: Completed work unit uploads failing due to use of outdated/insecure server CA certificate

Actually, it's more subtle than I thought - whilst the workaround still works for the reasons given, the server SSL cert is in better shape than it appears, because one of the intermediate CAs in the trust chain is a 2048 bit RSA key, and is also in the Mozilla trusted CA list.

The problem is that the OpenSSL library version 1.0.1k on Debian 8 (and other Linux distros) ignores this intermediate "alternative verification path", and insists on checking the deepest CA path only.

Debian 9 uses 1.0.2f openssl which is more flexible in its checking behaviour, and so verifies the server cert successfully.

Other BOINC client setups which both use older openssl libraries, and have also removed the older weak key will also show the same failures.
[Feb 1, 2016 10:37:53 PM]
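The chain-building difference Tim describes in this post and in the opening report (a 1024-bit root that Mozilla no longer trusts, a 2048-bit CA further up the chain that it still does), as an added example that is not part of the thread and is not BOINC or OpenSSL code: a constructed Python model of the three certificates from the s_client output, checked against a trust store that still holds the 1024-bit Thawte Premium Server CA and one, like a current Mozilla bundle, that does not. The subjects, key sizes and store contents are assumptions approximating the real certificates, and the two walk strategies model the "deepest path" behaviour attributed here to OpenSSL 1.0.1 and the trusted-first behaviour of 1.0.2, not the library's actual source.

```python
"""Constructed model of X.509 chain building with and without "trusted first".

Added example, not thread, BOINC or OpenSSL code. The certificate records
below are assumptions approximating the chain shown by openssl s_client above.
"""
from typing import Dict, List, Optional, Tuple


class Cert:
    """Minimal stand-in for an X.509 certificate: who it names, who signed it,
    and the size of its RSA key (the property Mozilla's policy keys on)."""

    def __init__(self, subject: str, issuer: str, key_bits: int) -> None:
        self.subject = subject
        self.issuer = issuer
        self.key_bits = key_bits

    def __repr__(self) -> str:
        return f"{self.subject} ({self.key_bits}-bit)"


# Constructed approximation of the three certificates the server sent.
LEAF = Cert("CN=cleanenergy.worldcommunitygrid.org", "CN=Thawte SSL CA", 2048)
INTERMEDIATE = Cert("CN=Thawte SSL CA", "CN=thawte Primary Root CA", 2048)
CROSS_SIGNED_ROOT = Cert("CN=thawte Primary Root CA",
                         "CN=Thawte Premium Server CA", 2048)
SERVER_CHAIN = [LEAF, INTERMEDIATE, CROSS_SIGNED_ROOT]

# Trust anchors (constructed). The 2048-bit self-signed "thawte Primary Root CA"
# stays in the Mozilla bundle; the 1024-bit "Thawte Premium Server CA" was removed.
PRIMARY_ROOT_ANCHOR = Cert("CN=thawte Primary Root CA",
                           "CN=thawte Primary Root CA", 2048)
LEGACY_ROOT_ANCHOR = Cert("CN=Thawte Premium Server CA",
                          "CN=Thawte Premium Server CA", 1024)
MOZILLA_STORE = [PRIMARY_ROOT_ANCHOR]
OLD_STORE = [PRIMARY_ROOT_ANCHOR, LEGACY_ROOT_ANCHOR]  # the ca-bundle.crt workaround

MAX_DEPTH = 10  # real verifiers bound the walk as well


def find_anchor(store: List[Cert], subject: str) -> Optional[Cert]:
    """Look up a trust anchor by subject name."""
    for cert in store:
        if cert.subject == subject:
            return cert
    return None


def build_chain(server_chain: List[Cert], store: List[Cert],
                trusted_first: bool) -> Tuple[str, List[Cert]]:
    """Walk from the leaf towards a trust anchor and return (status, path).

    trusted_first=False: prefer the peer-supplied certificates and consult the
    store only when they run out (the "deepest path" behaviour).
    trusted_first=True: at every step, a store entry naming the current issuer
    ends the chain immediately (the "alternative verification path").
    status is "ok" or an error string modelled on OpenSSL's messages.
    """
    untrusted: Dict[str, Cert] = {c.subject: c for c in server_chain[1:]}
    current = server_chain[0]
    path = [current]
    for _ in range(MAX_DEPTH):
        anchor = find_anchor(store, current.issuer)
        if trusted_first and anchor is not None:
            path.append(anchor)
            return "ok", path
        next_cert = untrusted.get(current.issuer)
        if next_cert is not None and next_cert is not current:
            path.append(next_cert)
            current = next_cert
            continue
        if anchor is not None:
            path.append(anchor)
            return "ok", path
        if next_cert is current:  # the peer sent a self-signed root the store lacks
            return "self signed certificate in certificate chain", path
        return "unable to get local issuer certificate", path
    return "certificate chain too long", path


def weakest_ca_bits(path: List[Cert]) -> int:
    """Smallest key among the CA certificates in a built path (everything above the leaf)."""
    return min(c.key_bits for c in path[1:])


if __name__ == "__main__":
    for label, store, tf in (("deepest path, Mozilla store", MOZILLA_STORE, False),
                             ("deepest path, legacy root added", OLD_STORE, False),
                             ("trusted first, Mozilla store", MOZILLA_STORE, True)):
        status, path = build_chain(SERVER_CHAIN, store, tf)
        extra = f", weakest CA key {weakest_ca_bits(path)} bits" if status == "ok" else ""
        print(f"{label}: {status}{extra}; path={path}")
```

In this model the ca-bundle.crt workaround is OLD_STORE: verification passes, but weakest_ca_bits reports that the chain is now anchored on a 1024-bit key, which is why it is a stop-gap rather than a fix, while the trusted-first walk succeeds on the unmodified Mozilla store with a 2048-bit anchor. Against a real chain, the -trusted_first option of openssl verify (OpenSSL 1.0.2 and later) exercises the second strategy.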
Tern
Cruncher
Joined: Nov 27, 2015
Post Count: 15
Re: Completed work unit uploads failing due to use of outdated/insecure server CA certificate

The .crt file either finally worked (after not working yesterday - maybe hosts rebooted? Dunno.) or something changed; both my 'hung' hosts finally got through to Harvard this afternoon. The error message, visible in Firefox, doesn't match the error given above in this thread. I get:

140.247.231.147 uses an invalid security certificate. The certificate is only valid for cleanenergy.worldcommunitygrid.org (Error code: ssl_error_bad_cert_domain)

Problem solved - for me, for now - but this obviously still needs to be addressed, or many more folks will start having the problem soon. Thanks for all who contributed to the workaround.
[Feb 3, 2016 2:14:30 AM]
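Tern's error is a different check from the chain problem reported earlier in the thread: the browser reached the upload host by its IP address, and the certificate's name list covers only the DNS name. As an added example, not the thread's own code and not Firefox or BOINC code, here is a constructed Python name check (dNSName and iPAddress entries, single-label wildcards) over an assumed subjectAltName list containing only cleanenergy.worldcommunitygrid.org; it reproduces the mismatch for the IP literal and shows that the same certificate is fine when addressed by name.

```python
"""Constructed hostname check against a certificate's subjectAltName entries.

Added example, not thread, BOINC or Firefox code. The SAN list is an assumption
modelled on the error quoted in this post, not the real certificate's contents.
"""
import ipaddress
from typing import List, Tuple

# Constructed: a certificate valid only for the upload server's DNS name.
CLEANENERGY_SAN: List[Tuple[str, str]] = [("DNS", "cleanenergy.worldcommunitygrid.org")]


def hostname_matches(presented: str, san: List[Tuple[str, str]]) -> bool:
    """Return True if the name the client connected to is covered by the SAN list.

    presented: the host part of the URL the client used (DNS name or IP literal).
    san: (type, value) pairs as found in a subjectAltName extension.
    """
    try:
        ip = ipaddress.ip_address(presented.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is matched only by an iPAddress entry; dNSName entries
        # never match it, even if the name resolves to that address.
        return any(kind == "IP" and ipaddress.ip_address(value) == ip
                   for kind, value in san)
    host = presented.lower().rstrip(".")
    for kind, value in san:
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern.startswith("*."):
            # A wildcard covers exactly one left-most label, never zero or several.
            suffix = pattern[1:]
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif pattern == host:
            return True
    return False


def explain(presented: str, san: List[Tuple[str, str]]) -> str:
    """Produce a browser-style message for a mismatch, or report a match."""
    if hostname_matches(presented, san):
        return f"{presented}: certificate name matches"
    valid_for = ", ".join(value for _, value in san) or "<no subjectAltName>"
    return (f"{presented} uses a certificate that is only valid for {valid_for} "
            "(ssl_error_bad_cert_domain)")


if __name__ == "__main__":
    print(explain("cleanenergy.worldcommunitygrid.org", CLEANENERGY_SAN))
    print(explain("140.247.231.147", CLEANENERGY_SAN))
```

The distinction matters when triaging: a bad_cert_domain error says nothing about the issuer chain, so seeing it in a browser pointed at the IP neither confirms nor rules out the CA problem the thread is about; only a connection by hostname exercises the same path the BOINC client takes.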
knreed
Former World Community Grid Tech
Joined: Nov 8, 2004
Post Count: 4504
Re: Completed work unit uploads failing due to use of outdated/insecure server CA certificate

Since the two servers that host the uploads to cleanenergy.worldcommunitygrid.org are run by Harvard, they have a separate certificate. It is indeed signed with SHA-1.

We are working to get a new certificate installed that is signed with SHA-2. It will then be the same type of installation configured as described in: https://secure.worldcommunitygrid.org/forums/wcg/viewthread_thread,38805

We hope to have this in place within the next week.
[Feb 4, 2016 4:32:05 PM]