Bug#445906: boinc-client: SSL fails with ca-bundle.crt linked to ca-certificates

Frank S. Thomas frank at thomas-alfeld.de
Tue Oct 9 23:36:47 UTC 2007


tags 445906 + unreproducible
thanks

Hi Greg,

On Tuesday 09 October 2007, Greg Norris wrote:
> Package: boinc-client
> Version: 5.10.8-2
> Severity: normal
>
> With the supplied ~boinc/ca-bundle.crt, which is a symlink to
> /etc/ssl/certs/ca-certificates.crt, boinc-client is unable to
> communicate with the World Community Grid project (which requires SSL).
> The logfile shows the following error messages: 

> 2007-10-05 20:21:50 [World Community Grid] Scheduler request failed: Peer certificate cannot be
> authenticated with known CA certificates 

> After replacing the symlink with ca-bundle.crt from upstream, everything
> works as expected.

I've now done what I should have done first: I attached WCG to my client
and everything seems to work as expected. The client was able to download
WCG's application and is now running FightAIDS@Home. After enabling
HTTP debugging messages in /etc/boinc_client/cc_config.xml, the client
now reports the following about SSL while ca-bundle.crt still points to
/etc/ssl/certs/ca-certificates.crt:

2007-10-10 01:16:29 [---] [http_debug] [ID#12] info: About to connect() to secure.worldcommunitygrid.org port 443 (#0)
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info:   Trying 129.33.89.133... 
2007-10-10 01:16:29 [---] [http_debug] [ID#13] info: About to connect() to secure.worldcommunitygrid.org port 443 (#1)
2007-10-10 01:16:29 [---] [http_debug] [ID#13] info:   Trying 129.33.89.133... 
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info: Connected to secure.worldcommunitygrid.org (129.33.89.133) port 443 (#0)
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info: successfully set certificate verify locations:
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info:   CAfile: ca-bundle.crt
  CApath: none
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info: SSLv2, Client hello (1):
2007-10-10 01:16:29 [---] [http_debug] [ID#13] info: Connected to secure.worldcommunitygrid.org (129.33.89.133) port 443 (#1)
2007-10-10 01:16:29 [---] [http_debug] [ID#13] info: successfully set certificate verify locations:
2007-10-10 01:16:29 [---] [http_debug] [ID#13] info:   CAfile: ca-bundle.crt
  CApath: none
2007-10-10 01:16:29 [---] [http_debug] [ID#13] info: SSLv2, Client hello (1):
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info: SSLv3, TLS handshake, Server hello (2):
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info: SSLv3, TLS handshake, CERT (11):
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info: SSLv3, TLS handshake, Server finished (14):
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info: SSLv3, TLS handshake, Client key exchange (16):
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info: SSLv3, TLS change cipher, Client hello (1):
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info: SSLv3, TLS handshake, Finished (20):
2007-10-10 01:16:29 [---] [http_debug] [ID#13] info: SSLv3, TLS handshake, Server hello (2):
2007-10-10 01:16:29 [---] [http_debug] [ID#13] info: SSLv3, TLS handshake, CERT (11):
2007-10-10 01:16:29 [---] [http_debug] [ID#13] info: SSLv3, TLS handshake, Server finished (14):
2007-10-10 01:16:29 [---] [http_debug] [ID#13] info: SSLv3, TLS handshake, Client key exchange (16):
2007-10-10 01:16:29 [---] [http_debug] [ID#13] info: SSLv3, TLS change cipher, Client hello (1):
2007-10-10 01:16:29 [---] [http_debug] [ID#13] info: SSLv3, TLS handshake, Finished (20):
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info: SSLv3, TLS change cipher, Client hello (1):
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info: SSLv3, TLS handshake, Finished (20):
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info: SSL connection using AES256-SHA
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info: Server certificate:
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info: 	 subject: /C=US/O=Argonne National Laboratory/OU=MCS Division, Argonne National Laboratory/CN=secure.worldcommunitygrid.org
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info: 	 start date: 2006-10-04 21:06:55 GMT
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info: 	 expire date: 2008-10-15 21:38:33 GMT
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info: 	 common name: secure.worldcommunitygrid.org (matched)
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info: 	 issuer: /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info: SSL certificate verify ok.

Could you please enable http_debug in your cc_config.xml by setting the
value of the http_debug element to 1, restart the client and then post
the relevant debugging messages from ~boinc/stdoutdae.txt?

Thanks and regards,
Frank
-- 
  ,''`.  Frank S. Thomas <frank at thomas-alfeld.de>
 : :' :  http://frank.thomas-alfeld.de
 `. `'   GPG Key ID: 0xDC426429
   `-
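
A small parser for the http_debug output requested above, as an added example that is not part of the original message or of BOINC: it groups the interleaved lines by connection ID and reports which CA file each connection used and whether certificate verification succeeded. The function and variable names are hypothetical, and the sample input is abridged from the log lines in this message.

```python
import re
from collections import defaultdict

# Constructed sample: lines abridged from the http_debug output in the message
# above, plus the failure line from the quoted report.
SAMPLE_LOG = """\
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info: About to connect() to secure.worldcommunitygrid.org port 443 (#0)
2007-10-10 01:16:29 [---] [http_debug] [ID#13] info: About to connect() to secure.worldcommunitygrid.org port 443 (#1)
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info:   CAfile: ca-bundle.crt
  CApath: none
2007-10-10 01:16:29 [---] [http_debug] [ID#13] info:   CAfile: ca-bundle.crt
  CApath: none
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info: \t issuer: /C=US/O=Entrust.net/CN=Entrust.net Secure Server Certification Authority
2007-10-10 01:16:29 [---] [http_debug] [ID#12] info: SSL certificate verify ok.
2007-10-05 20:21:50 [World Community Grid] Scheduler request failed: Peer certificate cannot be authenticated with known CA certificates
"""

DEBUG_RE = re.compile(r"^\S+ \S+ \[.*?\] \[http_debug\] \[ID#(\d+)\] info:\s*(.*)$")
FIELD_RE = re.compile(r"^(CAfile|CApath|subject|issuer):\s*(.*)$")
FAIL_TEXT = "Peer certificate cannot be authenticated"

def summarize(log_text):
    """Return ({conn_id: facts}, [failure lines]) for a BOINC client log."""
    conns, failures, current = defaultdict(dict), [], None
    for line in log_text.splitlines():
        m = DEBUG_RE.match(line)
        if m:
            current, msg = m.group(1), m.group(2)
        elif current and line[:1].isspace():
            # Continuation of a multi-line message, e.g. "  CApath: none",
            # which belongs to the connection ID of the preceding line.
            msg = line.strip()
        else:
            current = None
            if FAIL_TEXT in line:
                failures.append(line)
            continue
        facts = conns[current]
        field = FIELD_RE.match(msg)
        if msg.startswith("About to connect() to "):
            facts["host"] = msg.split()[4]
        elif field:
            facts[field.group(1)] = field.group(2)
        elif msg.startswith("SSL certificate verify ok"):
            facts["verified"] = True
    return dict(conns), failures
```

A connection whose facts lack `verified` either failed verification or was cut off before the log reached that point, so compare it against the failure lines returned alongside.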