[Pkg-openssl-devel] Bug#813468: boinc-client: Some https connections fail due to Debian Jessie openssl and ca-certificate interactions

Christian Beer christian.beer at aei.mpg.de
Tue Feb 2 21:26:43 UTC 2016


On 02.02.2016 22:04, Tim Small wrote:
>> On Tue, Feb 02, 2016 at 03:04:41PM +0100, Christian Beer wrote:
>> > I will also reference the workaround we advise to "downgrade" the
>> > ca-certificates package:
>> > https://einstein.phys.uwm.edu/forum_thread.php?id=11760&postid=151305
> I think this is the worst solution from a security point of view, as it
> would prevent systems from revoking known-compromised CA certificates,
> should any become known (this has happened multiple times in the past)
> and be rolled out in future Debian security updates.
>
> It is also a system-wide change impacting the security of many other
> pieces of software (including ones which aren't impacted by the openssl
> bug, because they use different certificate chain verification code),
> so until Debian has a fix for this, I think I'd prefer to advise
> per-application workarounds, such as the one referenced in the original
> report.

You are right that this impacts security, but my goal was to provide a
short non-technical workaround so our volunteers do not get disconnected
from our servers or can reestablish the connection. Telling them to
download a certificate and cat'ing it to a file is also not a good and
secure solution. They would also need to remember and repeat this
procedure every time boinc-client gets updated.

I thought that there could be a quick fix to ca-certificates by
reintroducing cross-signed certificates that would benefit all users.
Instead I now read that it can take some more time to get this fixed.
For the affected BOINC projects it would now be the best solution to add
the "Thawte Premium Server CA" to the ca-bundle.crt shipped with
boinc-client. I'm going to test whether this is used on Debian right now;
normally it is only used on Windows. But then we have to get this update
into Jessie too.

Regards
Christian
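The per-application approach the thread converges on (adding one CA to the bundle the client itself ships, leaving the system-wide ca-certificates store untouched) can be made repeatable so it survives package updates. The following is an added example written for this page, not code from the thread, from Debian or from BOINC. The function names, the bundle path on the command line and the PEM blocks mentioned in the comments are constructed placeholders; where boinc-client actually keeps its bundle is not stated here. It detects an already-present certificate by its base64 body, so re-running it after an update does not grow the bundle with duplicates.

```shell
#!/bin/sh
# Merge one CA certificate (PEM) into an application-private CA bundle.
# Hypothetical helper for this thread: the system ca-certificates store is
# never touched, and the merge is idempotent, so it can be re-run after the
# application package is updated without adding a second copy.

# Print the base64 body of every "CERTIFICATE" PEM block in a file, one body
# per line with all whitespace removed, so two copies of the same certificate
# compare equal even when they are line-wrapped differently.
pem_bodies() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { inblock = 1; body = ""; next }
        /^-----END CERTIFICATE-----/   { if (inblock) print body; inblock = 0; next }
        inblock { gsub(/[ \t\r]/, "", $0); body = body $0 }
    ' "$1"
}

# Number of certificate blocks in a bundle (used for before/after checks).
count_certs() {
    pem_bodies "$1" | wc -l | tr -d ' '
}

# Usage: add_ca_to_bundle BUNDLE CERT_PEM
# CERT_PEM must contain exactly one certificate. Prints "added" when the
# certificate was appended, "present" when the bundle already had it.
# Returns 1 on a malformed CERT_PEM, leaving the bundle unchanged.
add_ca_to_bundle() {
    bundle=$1
    cert=$2
    new_body=$(pem_bodies "$cert")
    if [ -z "$new_body" ] || [ "$(printf '%s\n' "$new_body" | wc -l | tr -d ' ')" != 1 ]; then
        echo "expected exactly one certificate in $cert" >&2
        return 1
    fi
    if [ -f "$bundle" ] && pem_bodies "$bundle" | grep -qxF -- "$new_body"; then
        echo present
        return 0
    fi
    # Keep a copy of the bundle as shipped so the change can be reverted.
    [ -f "$bundle" ] && [ ! -f "$bundle.orig" ] && cp "$bundle" "$bundle.orig"
    # Make sure the previous block ends with a newline before appending, so
    # "-----END" and "-----BEGIN" never end up on the same line.
    if [ -f "$bundle" ] && [ -s "$bundle" ] && [ -n "$(tail -c1 "$bundle")" ]; then
        echo >> "$bundle"
    fi
    cat "$cert" >> "$bundle"
    [ -n "$(tail -c1 "$cert")" ] && echo >> "$bundle"
    echo added
}

# Command-line use: ./merge-ca.sh /path/to/app/ca-bundle.crt thawte.pem
# (both paths are placeholders). With no arguments the functions are only defined.
if [ "$#" -eq 2 ]; then
    add_ca_to_bundle "$1" "$2"
fi
```

Before merging a certificate obtained from a project forum or a download, compare its fingerprint with one published out of band (`openssl x509 -in cert.pem -noout -fingerprint -sha256`); the script only deduplicates, it does not judge whether the certificate should be trusted. Because the bundle is per-application, a later Debian security update that removes a CA from ca-certificates will not remove it from this bundle, so the `.orig` copy and the bundle itself need to be revisited when the upstream fix lands.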
