Upcoming SSL/TLS security updates / old BOINC client support

Link
Joined: 15 Mar 20
Posts: 14
Credit: 132,269
RAC: 302


pvh wrote:

As requested, here is the log out

2020-05-29T21:28:38 CEST | Einstein@Home | update requested by user
2020-05-29T21:28:41 CEST | Einstein@Home | Fetching scheduler list
2020-05-29T21:28:43 CEST |  | Project communication failed: attempting access to reference site
2020-05-29T21:28:46 CEST |  | Internet access OK - project servers may be temporarily down.


So the same as Mike Davies. This is on openSUSE linux 15.1 and the 7.16.6 client. I have a ton of WUs sitting "ready to report" but cannot report them...

Please enable <http_debug> in cc_config.xml, this doesn't tell us anything more than that the request failed and that your internet connection is OK.

.

Link
Joined: 15 Mar 20
Posts: 14
Credit: 132,269
RAC: 302


Gary Roberts wrote:

Mike Davies wrote:
I too am having problems. This is the boinc client as currently available in the Android Playstore which is version 7.4.53. Looks like the problem is with CA certificates.

Yes, that's given in the event log as the real problem (5th line in what you posted).

If you have a more recent installation that is working, you could try copying the certificates file (ca-bundle.crt) from the BOINC data directory on the working machine and use it to replace the corresponding file on the non-working machine.  If you then restart BOINC, it should start working.

Actually IIRC you don't need to restart BOINC as it's reading the file each time (or maybe I clicked on "read config files", but for sure not restarted it), the tricky part is to give BOINC the right to read it, when I copied it on my phone it was r--r--r--, it needs to be rw-rw-rw- (or in TotalCommander it was also called "666"). Don't ask me why, but the first generated messages in the log, that BOINC can't open the file, so I just changed to what all other files in that folder were.

For both, the copying and changing the access rights you need root. You also need to change the access rights of the folder, to which you want to copy the file to rwxrwxrwx, otherwise you might not be able to copy the file in there, at least I couldn't.

.
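A local check for the two failure causes discussed in the posts above (a ca-bundle.crt the client cannot read, and a bundle whose certificates are out of date), as an added example that is not part of any post or of BOINC itself. It assumes Python's standard ssl module as a stand-in parser for the PEM bundle; the function name and report fields are hypothetical, and the path to ca-bundle.crt in the BOINC data directory is supplied by the caller.

```python
import os
import ssl
import stat
import time


def audit_ca_bundle(path, now=None):
    """Report permissions, age and expired CA certificates of a PEM bundle.

    Added example: 'path' is the ca-bundle.crt to inspect, chosen by the caller.
    """
    now = time.time() if now is None else now
    st = os.stat(path)
    report = {
        "mode": stat.filemode(st.st_mode),      # e.g. "-r--r--r--"
        "readable": os.access(path, os.R_OK),   # readable by the current user
        "age_days": int((now - st.st_mtime) // 86400),
        "total": 0,                             # CA certificates parsed
        "expired": [],                          # subjects whose notAfter has passed
        "error": None,                          # parser error, if any
    }
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # Raises if the file is unreadable or contains no PEM certificate.
        ctx.load_verify_locations(cafile=path)
    except (ssl.SSLError, OSError) as exc:
        report["error"] = str(exc)
        return report
    for cert in ctx.get_ca_certs():
        report["total"] += 1
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            # Flatten the subject RDN sequence into a simple dict.
            report["expired"].append(dict(rdn[0] for rdn in cert["subject"]))
    return report


if __name__ == "__main__":
    import sys
    result = audit_ca_bundle(sys.argv[1])
    print(result["mode"], "readable:", result["readable"],
          "age (days):", result["age_days"])
    print("CA certificates:", result["total"], "expired:", len(result["expired"]))
    if result["error"]:
        print("parse error:", result["error"])
```

Run it as the account the BOINC client runs under, since "readable" is evaluated for the current user.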

computezrmle
Joined: 15 Jun 08
Posts: 2
Credit: 298,388,899
RAC: 394,129


Gary Roberts wrote:

...  If you then restart BOINC, it should start working.

This worked for me on an opensuse machine, except that there was no need to restart the client.
Just replace ca-bundle.crt with a recent version and click on the update button to contact the project.

 

Mike Davies
Joined: 12 Mar 11
Posts: 10
Credit: 20,209,110
RAC: 18,425


Gary Roberts wrote:

If you have a more recent installation that is working, you could try copying the certificates file (ca-bundle.crt) from the BOINC data directory on the working machine and use it to replace the corresponding file on the non-working machine.  If you then restart BOINC, it should start working.

Yeah, well, I would if I could. I don't know where the Boinc App stores that file on the phone. I do not have root privs.

I have found out how to update CA certs in Android (Settings->Security->Credential Storage) and I can install from memory/SD Card, but it doesn't like ca-bundle.crt. I think it has to be a .pem or something.

Specifically, which cert from the bundle needs to be updated?

pvh
Joined: 7 Mar 11
Posts: 9
Credit: 779,237,135
RAC: 406,766


Mikey, that makes perfect sense. Since I upgraded, I have never been able to successfully contact the server, so it has no way of knowing that I upgraded. And yes, I did reboot after the upgrade.

pvh
Joined: 7 Mar 11
Posts: 9
Credit: 779,237,135
RAC: 406,766


OK, enabled debugging and found that ca-bundle.crt still needed to be updated. I have done that manually and now I can contact the servers. Thanks for the help!

mikey
Joined: 22 Jan 05
Posts: 6,587
Credit: 604,095,861
RAC: 999,205


pvh wrote:

OK, enabled debugging and found that ca-bundle.crt still needed to be updated. I have done that manually and now I can contact the servers. Thanks for the help!

WOO HOO!!!

Oliver Behnke
Moderator
Administrator
Joined: 4 Sep 07
Posts: 854
Credit: 25,165,115
RAC: 9


Hi everyone,

sorry for the prolonged absence but we had a national holiday yesterday.

Ok, if I've parsed all latest comments correctly, pvh got the CA bundle updated, which solved the problem for him. That leaves Mike Davies. Mike, if your plan is to update Android's CA list itself, then I'm almost 100% sure that it won't help. BOINC on Android doesn't use Android's CA list, AFAIK, it comes with its own. You can't update that file within the app without root access on your Android device. But there's hope. Follow the discussion in the Android-specific thread.

Cheers,
Oliver

 

Einstein@Home Project

Oliver Behnke
Moderator
Administrator
Joined: 4 Sep 07
Posts: 854
Credit: 25,165,115
RAC: 9


Good news everyone!

We were notified that there's now a way to support older BOINC clients again - Kudos to Tristan! We've now deployed an alternative certificate chain that should support clients as of version 7.2.4, so that also includes the current Android stable release. A remaining requirement for that relaxed version constraint is the effective use of OpenSSL >= 1.0.1, though. That means BOINC needs to use the operating system's OpenSSL library instead of its own (e.g. on Linux) and the OS has to be recent enough to provide OpenSSL 1.0.1 or later. Otherwise the minimum BOINC version is back to 7.4.36 again.

Happy crunching!

Oliver

 

 

Einstein@Home Project
