SSL certificate issue in Debian boinc-client

Gianfranco Costamagna costamagnagianfranco at yahoo.it
Thu Feb 18 23:42:52 UTC 2016


Hi Christian,

> Hi, This is a follow-up to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812708
> Since the ca-certificates maintainer wants to wait on the decision of the Debian Release Team to decide if openssl in Jessie can be upgraded, this is still unresolved and hindering volunteers from connecting to Einstein at home and WorldCommunityGrid if they already updated to the latest ca-certificates version. Most of them may not see that there is a problem.
> Can we add the Thawte Premium Server CA certificate to the ca-bundle in the boinc-client package and get the release through to Jessie? Or are we facing a similar problem with the Release Team?
> If this is feasible, I would verify that it would actually work and at least get WCG and Einstein back into business with Jessie users. We (Einstein at home) want the problem fixed as soon as possible.
> Regards
> Christian


Unfortunately we (never?) shipped any custom bundled CA certificate for boinc, and we rely on the system one (if I understand correctly what I'm looking at).
There isn't even a CA file inside the source code directory, so I don't even know how to add one, and more importantly how to maintain it.

I seriously doubt maintaining an additional CA certificate list is feasible, especially for an already released jessie distribution.

I think -release won't accept such a hack, and I wouldn't accept it as maintainer.
This is an issue on the system, affecting boinc and every other program trying to reach the remote website.
(I don't think wget and curl work, right?)
Whatever caused the regression should also try to fix it. We can't fix other tools' faults, especially when it comes to security, or take on additional security work (that is forbidden here).

If the certificate expired, they should renew it; if a stable upgrade broke something, it should be reverted.
Unless I'm missing something, there is nothing we can do on the boinc side.

BTW, maybe an "insecure boinc communication mode" flag can be added by upstream, if it helps when a certificate is expired.

But security shouldn't really be optional, and moving certificates from a system location to a boinc-specific one isn't really an option
(also, the -security team won't allow this, I think).

Sorry, but we have to find another way, and I'm not even sure I understood the root cause of this whole issue.

cheers,

G.
