Bug#813468: boinc-client: Some https connections fail due to Debian Jessie openssl and ca-certificate interactions

Tim Small tim at seoss.co.uk
Tue Feb 2 10:25:14 UTC 2016


Package: boinc-client
Version: 7.4.23+dfsg-1
Severity: normal

Connections by boinc to upload work data to
https://cleanenergy.worldcommunitygrid.org/ are failing.  This is due to
a problem with the Jessie OpenSSL infrastructure.  The server TLS/SSL
certificate is signed like this:

1. cleanenergy Server Cert

2. Newish Thawte 2048 bit RSA CA (which is in Debian's
ca-certificates package) signs [cleanenergy Server Cert].

3. Older Thawte 1024 bit RSA CA (which has recently been removed from
Debian's ca-certificates package) signs [signs Newish Thawte 2048 bit
RSA CA].

Most browsers (e.g. Chrome, Firefox) will stop at 2. because that's a
certificate which is in the system CA list, despite the fact that they
also no longer trust 1024 bit CAs.

Openssh as shipped in Jessie will instead attempt to verify 3. and
fail with "verify error:num=20:unable to get local issuer certificate".

A workaround is (I think) to place a copy of the old 1024 bit cert in
/var/lib/boinc-client/ca-bundle.crt - this works, but I haven't been
able to verify whether this will break other SSL connections.  The debug
output says:

World Community Grid | [http] [ID#18] CAfile: ca-bundle.crt
World Community Grid | [http] [ID#18] Info:    CApath: /etc/ssl/certs

So I'm hoping that it'll use both (thus not breaking connections to
other sites).  If that doesn't work, then I suppose it'd need to append
the older certificate to the contents of
/var/lib/boinc-client/ca-bundle.crt instead; however, I don't have a good
way of checking, as my boinc client is currently only connecting to https
URLs which are signed by the older Thawte 1024 bit cert.

Stretch isn't impacted by this, as it uses a newer OpenSSH version which
will (by default I believe) "stop at 2." instead; certainly it seems to
do what I expect when using:

openssl s_client -connect  cleanenergy.worldcommunitygrid.org:443 -prexit

from within a Stretch chroot.

This appears to be a backport for the functionality in question to
Jessie's openssl:

https://gist.github.com/h-yamamo/adf44638a1a04b8e86ea

... but I've not tried it.

Related forum thread:

https://secure.worldcommunitygrid.org/forums/wcg/viewthread_thread,38798


Tim.
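The chain shape in this report (server cert, signed by a newer CA that is in the trust store, which is itself signed by an older root that has been dropped) can be reproduced locally and checked with `openssl verify`, which is a safer way to test the ca-bundle.crt workaround than waiting for a live upload to fail. The following is an added example, not part of the bug report or of boinc-client; it assumes the openssl CLI is installed and constructs a throwaway PKI with made-up names, using a 2048-bit stand-in for the old 1024-bit root so that modern security levels do not reject it.

```shell
#!/bin/sh
# Local reproduction of the chain described in the report:
#   leaf (server) <- "new" intermediate CA <- "old" root CA
# Assumption: the openssl CLI is available. Every certificate below is
# constructed here; names are placeholders, not the real Thawte CAs.
WORK=$(mktemp -d)

# Build the three certificates plus a bundle with the old root appended,
# which is the ca-bundle.crt workaround from the report.
make_chain() (
    cd "$WORK" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
        -subj "/CN=Old Root (stand-in)" -days 30 >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > ca.ext
    openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -subj "/CN=New Intermediate (stand-in)" >/dev/null 2>&1
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ca.ext -out int.pem -days 30 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=server.example" >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -out leaf.pem -days 30 >/dev/null 2>&1
    cat int.pem root.pem > int-and-root.pem
)

# verify_with <trust bundle> [extra openssl verify options]
# The server is modelled as sending leaf + intermediate, so the intermediate
# is offered as -untrusted; only the bundle counts as the local CA store.
# Exit status 0 means the chain verified against that store.
verify_with() {
    bundle=$1; shift
    (cd "$WORK" && openssl verify -CAfile "$bundle" -untrusted int.pem "$@" leaf.pem)
}

make_chain
# Store holds only the intermediate: verification needs the missing root.
if verify_with int.pem; then echo "intermediate-only store: OK"; else echo "intermediate-only store: FAILED"; fi
# Same store, but allow the chain to end at a trusted non-root certificate.
if verify_with int.pem -partial_chain; then echo "with -partial_chain: OK"; fi
# Old root appended to the bundle, as the report's workaround does.
if verify_with int-and-root.pem; then echo "intermediate + old root: OK"; fi
```

Pointing `-CAfile` at a copy of /var/lib/boinc-client/ca-bundle.crt with and without the old root appended gives the same yes/no answer for the real chain captured with `openssl s_client -showcerts`.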
