SSL certificate issue in Debian boinc-client

Christian Beer djangofett at gmx.net
Sat Feb 20 08:03:27 UTC 2016


Hello Gianfranco,


>
> unfortunately we (never?) shipped any custom bundled ca certificate for boinc, and we rely on the system one (if I understand correctly what I'm looking at).
> There isn't even a ca file inside the source code directory, so I don't even know how to add one, and more important how to maintain it.

I saw that too when I tried to find another workaround.


> 
> I seriously doubt maintaining an additional ca certificate list is feasible, especially for an already released jessie distribution.
> 
> I think -release won't accept such a hack, and I wouldn't accept it as maintainer.
> This is an issue on the system, affecting boinc, and every other program trying to reach the remote website.
> (I don't think wget and curl work, right?).
> Whatever caused the regression should also try to fix it. We can't fix other tools' faults, especially when it comes to security, and maintaining additional security work (that is forbidden here).

That is what I was aiming for. The regression happened with a
ca-certificates update but the maintainer does not want to revert
because it really is a flaw in the openssl version in Jessie. Some
people on the ca-certificates bug recommended an application-specific
solution like including the removed but valid root certificates in boinc
or other affected packages. But I also don't think that is useful, but
waiting for half a year isn't useful either, so I'm looking for a
quicker solution.

> 
> If the certificate expired, they should renew it, if a stable upgrade broke something it should be reverted.
> Unless I'm missing something, there is nothing we can do in boinc side.

Nothing expired here. Mozilla decided it is a good thing to remove root
certificates that are signed using SHA1 and Debian followed suit. But
the removal of those (still valid) certificates in Jessie uncovered the
bug in openssl (which mainly affects curl on Jessie; wget is working).
I don't know how to escalate the ca-certificates bug so someone is
reverting the change there. The security team won't like this either,
because they will consider the SHA1 certificates as insecure. But they
also do not allow an upgrade of openssl because this will pull in new
features.

So the question is: How can I get the ca-certificates maintainers to
revert their change? By elevating the bug to release critical?

Thanks for your time anyway.
