Upcoming SSL/TLS security updates / old BOINC client support

Oliver Behnke
Moderator
Administrator
Joined: 4 Sep 07
Posts: 981
Credit: 25,170,813
RAC: 3
Topic 220019

tl;dr:

  • Minimum BOINC version as of Nov. 27th 2019: 7.4.36
  • Minimum BOINC version as of May 25th 2020: 7.10
  • Minimum BOINC version as of July 8th 2020: 7.2.4 (if using OpenSSL >= 1.0.1) or 7.4.36


Hi everyone,

in our continuing effort to protect your data and our infrastructure we plan to remove support for the outdated TLS 1.0 and 1.1 protocols and also use a revised list of supported encryption cipher suites. What does that mean?

Whenever your web browser or BOINC client software connects to our servers an encrypted connection is being negotiated. We are configuring our servers such that the latest security best practices are in place. This can cause problems if you are using outdated, and thus insecure, web browsers or BOINC clients. Such outdated software won't be able to connect to our servers anymore but it's in your own best interest to update those anyway - now's probably a good opportunity to do so. Those who regularly update their software shouldn't run into any problems.

The minimum known supported version of BOINC will be 7.4.36 (using OpenSSL >= 1.0.1). If you want to test things you may do so right now, over at our test project albertathome.org. Please report back (here) any SSL/TLS-related connection issue you come across.

If all goes according to plan we intend to go live with the new settings on November 27th.

Looking ahead: by the end of May 2020 the old SSL/TLS certificate authority we still support for old clients (< 7.10) will expire and there's nothing we can do about that. At that time we won't be able to support those old clients anymore. Please make sure you update your BOINC client in time.
 

UPDATE below!
New UPDATE below!

Cheers, Oliver

Einstein@Home Project
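
A server-side check an operator could run ahead of a cutover like the one announced above, given as an added example that is not part of the original post or the project's code: it scans access-log lines for clients that still negotiate TLS 1.0/1.1 or report a BOINC version below the announced 7.4.36. The log layout, the User-Agent pattern and all sample lines are assumptions constructed for illustration.

```python
import re

MIN_BOINC = (7, 4, 36)              # minimum from the announcement (Nov. 27th 2019)
REMOVED_TLS = {"TLSv1", "TLSv1.1"}  # protocol versions being switched off

# Constructed sample lines. Assumed layout: client IP, negotiated protocol,
# quoted User-Agent (for example a custom access-log format that records the
# negotiated TLS protocol). The User-Agent shape is an assumption as well.
SAMPLE_LOG = """\
192.0.2.10 TLSv1.2 "BOINC client (x86_64-pc-linux-gnu 7.14.2)"
192.0.2.11 TLSv1 "BOINC client (windows_intelx86 7.0.64)"
192.0.2.12 TLSv1.2 "BOINC client (x86_64-pc-linux-gnu 7.2.42)"
192.0.2.13 TLSv1.1 "Mozilla/5.0 (constructed old browser)"
192.0.2.14 TLSv1.2 "BOINC client (windows_x86_64 7.10.2)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)"$')
BOINC_RE = re.compile(r'BOINC client \(\S+ (\d+(?:\.\d+)*)\)')

def parse_version(text):
    """'7.10.2' -> (7, 10, 2); tuples compare numerically, so 7.10 > 7.4.36."""
    return tuple(int(part) for part in text.split("."))

def classify(line):
    """Return (ip, reasons) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, proto, agent = m.groups()
    reasons = []
    if proto in REMOVED_TLS:
        reasons.append("negotiated " + proto)
    b = BOINC_RE.search(agent)
    if b and parse_version(b.group(1)) < MIN_BOINC:
        reasons.append("BOINC " + b.group(1) + " below announced minimum")
    return ip, reasons

def affected_clients(log_text):
    """Map client IP -> reasons it should be followed up before the cutover."""
    hits = {}
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed and parsed[1]:
            hits.setdefault(parsed[0], []).extend(parsed[1])
    return hits

if __name__ == "__main__":
    for ip, reasons in affected_clients(SAMPLE_LOG).items():
        print(ip, "; ".join(reasons))
```

Comparing versions as integer tuples matters here: a plain string comparison would rank "7.10" below "7.4.36" and flag up-to-date clients.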

Anonymous

OK. I went to the Albert website, clicked on a bunch of links and all worked. So does this mean I am good to go? Or is there something else I must do when there (on Albert)? I do not have an account on Albert, so do I need to create one for test purposes?

Oliver Behnke

Yes, if you'd like to test your BOINC client(s) as well then you'd have to attach your client(s) to it, which requires an account. There's no need to fetch work, though. Any kind of scheduler interaction, like a work request, will do.

Oliver

Einstein@Home Project

Holmis
Joined: 4 Jan 05
Posts: 1,118
Credit: 1,055,935,564
RAC: 0

I'm attached to Albert but it has been set to no new tasks for a long time.
I tried to allow new work and BOINC connected and downloaded the master file successfully. BOINC then went on to do a work fetch and that also completed without problems, although no work was downloaded, but that's OK.
BOINC also successfully downloaded support files in the form of icons, pictures and so on.

All this with BOINC 7.14.2.

I can also add that when I logged in on Albert I got to read and accept the "Terms of use" (or opt to log out or delete the account), so that also works for a returning participant who hasn't visited for a while.

Oliver Behnke

Kudos to you, Holmis!

Einstein@Home Project

solling2
Joined: 20 Nov 14
Posts: 219
Credit: 1,575,898,144
RAC: 50,625

Would be great if a version > 7.10 could be included in an Ubuntu package so as to avoid manual install requirement. Should be posted in an Ubuntu developer wish list for 2020 therefore. :-)

Oliver Behnke

Hm, that should be really the case by now, let alone in 7 months from now. Heck, even Debian stable (Buster) provides 7.14 already...

Oliver

Einstein@Home Project

22
Joined: 6 Nov 11
Posts: 14
Credit: 758,329,201
RAC: 1

Concerning Linux, OpenSSL (and curl and others) are not part of any BOINC package, but are instead provided by the distributions (Debian, openSUSE, Red Hat, Arch ...), as they should be. That way users should have up-to-date versions of OpenSSL, even if the distribution does not offer the latest versions of BOINC, as far as I know.

Oliver Behnke

Yep, that's true, hence the detail about OpenSSL above. Thanks anyway for clarifying that some more.

Oliver

Einstein@Home Project

Keith Myers
Joined: 11 Feb 11
Posts: 4,899
Credit: 18,449,588,201
RAC: 5,977,605

solling2 wrote:
Would be great if a version > 7.10 could be included in an Ubuntu package so as to avoid manual install requirement. Should be posted in an Ubuntu developer wish list for 2020 therefore. :-)

So hammer on the Ubuntu package maintainers to include the latest stable BOINC release in the distro which is 7.14.2.

Not the responsibility of BOINC to manage any distro.

I would suggest running the latest 7.16.3 BOINC release, which has a lot of fixes for various bugs in 7.14.2. You can add the BOINC PPA managed by Gianfranco Costamagna at his PPA.

Gianfranco Costamagna - BOINC PPA

 

Oliver Behnke

Update: as announced above, the changes have now been deployed for einsteinathome.org as well.

Cheers,
Oliver

 

Einstein@Home Project
