World Community Grid Forums
Category: Completed Research | Forum: The Clean Energy Project - Phase 2 | Thread: Completed work unit uploads failing due to use of outdated/insecure server CA certificate
Thread Status: Active | Total posts in this thread: 6
TimSmall
Cruncher | Joined: Apr 14, 2009 | Post Count: 7 | Status: Offline
Hello,
Just a heads-up that work unit uploads are failing on some setups (and this will likely grow in future, as more installations deprecate these older insecure certificates). Not sure if this is the best place to report this, but it needs to go to the WCG web server admins...

Reason is that WCG uses https for uploads, however the CA (certificate authority) that has signed the upload server certificate uses a weak 1024-bit RSA key. Mozilla (which is the source for the CA certificate list on my boinc version, and many others) stopped trusting these older keys more than a year ago, and these changes are slowly being rolled out to client machines: https://blog.mozilla.org/security/2015/01/28/...s-with-1024-bit-rsa-keys/

boinc on my platform uses the mozilla key bundle (amongst others), and other platforms and builds are taking the same policy over time. Debug output showing weak key below:

Boinc debug output:
Mon 01 Feb 2016 09:34:16 GMT | World Community Grid | [http] [ID#18] Info: Connected to cleanenergy.worldcommunitygrid.org (140.247.231.147) port 443 (#36)
TimSmall
Cruncher | Joined: Apr 14, 2009 | Post Count: 7 | Status: Offline
FWIW, as a workaround it's possible to make boinc (only) trust the deprecated Thawte CA by placing/adding the contents of the file https://www.thawte.com/roots/thawte_Premium_Server_CA.pem in a file called "ca-bundle.crt" in the boinc work directory... It's not really the right fix tho', and the World Community Grid server admins need to get some new server certificates issued and installed.

Cheers, Tim.
SekeRob
Master Cruncher | Joined: Jan 7, 2013 | Post Count: 2741 | Status: Offline
You're not the first to develop peer certificate issues: https://secure.worldcommunitygrid.org/forums/wcg/viewthread_thread,38798, though this now seems to focus on the Clean Energy server connection.
TimSmall
Cruncher | Joined: Apr 14, 2009 | Post Count: 7 | Status: Offline
Actually, it's more subtle than I thought - whilst the workaround will still work for the reasons given, the server SSL cert is in better shape than it appears, because one of the intermediate CAs in the trust chain is a 2048-bit RSA key, and is also in the Mozilla trusted CA list.

The problem is that the OpenSSL library version 1.0.1k on Debian 8 (and other Linux distros) ignores this intermediate "alternative verification path", and insists on checking the deepest CA path only. Debian 9 uses OpenSSL 1.0.2f, which is more flexible in its checking behaviour, and so verifies the server cert successfully. Other BOINC client setups which both use older OpenSSL libraries and have also removed the older weak key will show the same failures.
Tern
Cruncher | Joined: Nov 27, 2015 | Post Count: 15 | Status: Offline
The .crt file either finally worked (after not working yesterday - maybe hosts rebooted? Dunno.) or something changed; both my 'hung' hosts finally got through to Harvard this afternoon. The error message, visible in Firefox, doesn't match the error given above in this thread. I get:

140.247.231.147 uses an invalid security certificate. The certificate is only valid for cleanenergy.worldcommunitygrid.org (Error code: ssl_error_bad_cert_domain)

Problem solved - for me, for now - but this obviously still needs to be addressed, or many more folks will start having the problem soon. Thanks to all who contributed to the workaround.
knreed
Former World Community Grid Tech | Joined: Nov 8, 2004 | Post Count: 4504 | Status: Offline
Since the two servers that host the uploads to cleanenergy.worldcommunitygrid.org are run by Harvard, they have a separate certificate. It is indeed signed with SHA-1.

We are working to get a new certificate installed that is signed with SHA-2. It will then be the same type of installation configured as described in: https://secure.worldcommunitygrid.org/forums/wcg/viewthread_thread,38805

We hope to have this in place within the next week.
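Both of the weaknesses this thread turns on, the 1024-bit RSA key on the CA in TimSmall's opening post and the SHA-1 signature on the Harvard upload servers' certificate in knreed's reply, can be read directly out of the DER encoding of each certificate in the chain, independently of any one client's verification policy. The following is an added example, not code from BOINC, World Community Grid, Harvard or Mozilla: a standard-library-only Python audit that walks a leaf-first chain and reports every RSA key shorter than 2048 bits and every SHA-1 signature on a certificate that is not a self-signed root. The small DER encoder, the names (upload.example.org and the two example CAs) and the three-certificate sample chain are constructed for the demonstration; the sample certificates carry stand-in moduli and placeholder signature fields, so none of them is a real key or a real WCG certificate. The OIDs are the standard PKCS#1 identifiers for RSA, sha1WithRSAEncryption and sha256WithRSAEncryption.

```python
"""Audit a leaf-first DER certificate chain for RSA keys under 2048 bits and SHA-1 signatures.
Added example for this thread, not BOINC, WCG or Mozilla code; the small DER encoder exists
only to build constructed sample input (stand-in moduli, placeholder signatures, example names)."""
import base64, re

OID_RSA, OID_SHA1_RSA = "1.2.840.113549.1.1.1", "1.2.840.113549.1.1.5"   # PKCS#1 OIDs
OID_SHA256_RSA = "1.2.840.113549.1.1.11"
SIG_ALGS = {OID_SHA1_RSA: "sha1WithRSAEncryption", OID_SHA256_RSA: "sha256WithRSAEncryption"}

# --- minimal DER encoder, used only to construct the sample chain -----------------------------
def tlv(tag, content):
    n = len(content)
    nb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(nb)]) + nb + content
def der_int(value):
    b = value.to_bytes(value.bit_length() // 8 + 1, "big")   # spare byte keeps the sign bit clear
    while len(b) > 1 and b[0] == 0 and b[1] < 0x80:           # then drop redundant leading zeros
        b = b[1:]
    return tlv(0x02, b)
def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        while arc > 0x7F:                                     # base-128, high bit set on all but last
            arc >>= 7
            enc.insert(0, 0x80 | (arc & 0x7F))
        body += enc
    return tlv(0x06, bytes(body))
def alg_id(oid):                         # AlgorithmIdentifier with NULL parameters
    return tlv(0x30, der_oid(oid) + tlv(0x05, b""))
def name(cn):                            # Name = SEQUENCE OF SET OF {commonName, UTF8String}
    return tlv(0x30, tlv(0x31, tlv(0x30, der_oid("2.5.4.3") + tlv(0x0C, cn.encode()))))
def make_cert(subject_cn, issuer_cn, modulus_bits, sig_oid):
    modulus = (1 << (modulus_bits - 1)) | 1                   # right bit length, but not a real key
    rsa_key = tlv(0x30, der_int(modulus) + der_int(65537))   # RSAPublicKey {n, e}
    spki = tlv(0x30, alg_id(OID_RSA) + tlv(0x03, b"\x00" + rsa_key))
    validity = tlv(0x30, tlv(0x17, b"160101000000Z") + tlv(0x17, b"260101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(1) + alg_id(sig_oid)
              + name(issuer_cn) + validity + name(subject_cn) + spki)
    return tlv(0x30, tbs + alg_id(sig_oid) + tlv(0x03, b"\x00" + bytes(16)))  # placeholder signature

# --- parser: reads only the fields the audit needs --------------------------------------------
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                         # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out
def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))
def common_name(name_body):              # value of the first attribute of the first RDN
    return children(children(children(name_body)[0][1])[0][1])[1][1].decode()
def inspect_cert(der):
    tbs, sig_alg, _sig = children(read_tlv(der)[1])
    fields = children(tbs[1])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # drop explicit [0] version if present
    _serial, _alg, issuer, _validity, subject, spki = fields[:6]
    spki_alg, spki_key = children(spki[1])
    key_bits = None                                           # stays None for non-RSA keys
    if decode_oid(children(spki_alg[1])[0][1]) == OID_RSA:
        rsa_seq = children(spki_key[1][1:])[0][1]             # skip the BIT STRING unused-bits byte
        key_bits = int.from_bytes(children(rsa_seq)[0][1], "big").bit_length()
    sig_oid = decode_oid(children(sig_alg[1])[0][1])
    return {"subject": common_name(subject[1]), "issuer": common_name(issuer[1]),
            "key_bits": key_bits, "sig_alg": SIG_ALGS.get(sig_oid, sig_oid)}
def audit_chain(chain):                  # (subject, problem) pairs a current client would reject
    findings = []
    for info in map(inspect_cert, chain):
        if info["key_bits"] is not None and info["key_bits"] < 2048:   # Mozilla dropped 1024-bit CAs in 2015
            findings.append((info["subject"], "RSA key is only %d bits" % info["key_bits"]))
        if "sha1" in info["sig_alg"].lower() and info["subject"] != info["issuer"]:  # roots exempt
            findings.append((info["subject"], "signed with " + info["sig_alg"]))
    return findings
def pem_to_der(pem_text):                # every CERTIFICATE block in PEM text, e.g. ca-bundle.crt
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

# Constructed sample, leaf first: SHA-1-signed leaf, widely trusted 2048-bit intermediate, 1024-bit root.
SAMPLE_CHAIN = [
    make_cert("upload.example.org", "Example Intermediate CA", 2048, OID_SHA1_RSA),
    make_cert("Example Intermediate CA", "Example 1024-bit Root CA", 2048, OID_SHA256_RSA),
    make_cert("Example 1024-bit Root CA", "Example 1024-bit Root CA", 1024, OID_SHA1_RSA),
]

if __name__ == "__main__":
    print(*("%s: %s" % finding for finding in audit_chain(SAMPLE_CHAIN)), sep="\n")
```

To run it against a real chain, pass pem_to_der(open("chain.pem").read()) to audit_chain(), where chain.pem holds the PEM blocks printed by openssl s_client -showcerts -connect host:443 (or the ca-bundle.crt from the workaround above). The sample reproduces the shape Tim describes in his third post: the leaf is fine on key size but SHA-1 signed, the intermediate is a 2048-bit key that would itself be a trust anchor, and the root is the 1024-bit key Mozilla removed. Whether a client rejects that chain then depends on whether its OpenSSL stops at the trusted intermediate (1.0.2 and later, per Tim's post) or insists on building up to the 1024-bit root (1.0.1), which is why the audit reports per certificate rather than passing or failing the chain as a whole.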