matt2300
Cruncher
Joined: Oct 26, 2016
Post Count: 2
Status: Offline
confused secure.worldcommunitygrid.org SSL cert chain causing issues

Hi all -- I recently installed boinc/boinc-client version 7.4.23+dfsg-1 (Debian package for Jessie) and while I can add a project for other sites, I cannot add the project for WCG. The problem seems to be with the CA chain presented by the login server. In the event log (with http set under diagnostic flags) I see:


28-Nov-2016 14:46:43 [---] [http] HTTP_OP::init_get(): https://secure.worldcommunitygrid.org/boinc/l...&passwd_hash=REDACTED
28-Nov-2016 14:46:44 [---] [http] [ID#3] Info: Hostname was NOT found in DNS cache
28-Nov-2016 14:46:44 [---] [http] [ID#3] Info: Trying 198.20.8.246...
28-Nov-2016 14:46:44 [---] [http] [ID#3] Info: Connected to secure.worldcommunitygrid.org (198.20.8.246) port 443 (#11)
28-Nov-2016 14:46:44 [---] [http] [ID#3] Info: successfully set certificate verify locations:
28-Nov-2016 14:46:44 [---] [http] [ID#3] Info: CAfile: ca-bundle.crt
28-Nov-2016 14:46:44 [---] [http] [ID#3] Info: CApath: /etc/ssl/certs
28-Nov-2016 14:46:44 [---] [http] [ID#3] Info: SSLv3, TLS handshake, Client hello (1):
28-Nov-2016 14:46:44 [---] [http] [ID#3] Info: SSLv3, TLS handshake, Server hello (2):
28-Nov-2016 14:46:44 [---] [http] [ID#3] Info: SSLv3, TLS handshake, CERT (11):
28-Nov-2016 14:46:44 [---] [http] [ID#3] Info: SSLv3, TLS alert, Server hello (2):
28-Nov-2016 14:46:44 [---] [http] [ID#3] Info: SSL certificate problem: self signed certificate in certificate chain
28-Nov-2016 14:46:44 [---] [http] [ID#3] Info: Closing connection 11
28-Nov-2016 14:46:44 [---] [http] HTTP error: Peer certificate cannot be authenticated with given CA certificates
28-Nov-2016 14:46:45 [---] Project communication failed: attempting access to reference site
28-Nov-2016 14:46:45 [---] [http] HTTP_OP::init_get(): http://www.google.com/
28-Nov-2016 14:46:45 [---] [http] [ID#0] Info: Connection 10 seems to be dead!
28-Nov-2016 14:46:45 [---] [http] [ID#0] Info: Closing connection 10
28-Nov-2016 14:46:45 [---] [http] [ID#0] Info: Hostname was NOT found in DNS cache
28-Nov-2016 14:46:46 [---] [http] [ID#0] Info: Trying 2607:f8b0:4006:809::2004...
28-Nov-2016 14:46:47 [---] [http] [ID#0] Info: Connected to www.google.com (2607:f8b0:4006:809::2004) port 80 (#12)
28-Nov-2016 14:46:47 [---] [http] [ID#0] Sent header to server: GET / HTTP/1.1
28-Nov-2016 14:46:47 [---] [http] [ID#0] Sent header to server: User-Agent: BOINC client (x86_64-pc-linux-gnu 7.4.23)
28-Nov-2016 14:46:47 [---] [http] [ID#0] Sent header to server: Host: www.google.com
28-Nov-2016 14:46:47 [---] [http] [ID#0] Sent header to server: Accept: */*
28-Nov-2016 14:46:47 [---] [http] [ID#0] Sent header to server: Accept-Encoding: deflate, gzip
28-Nov-2016 14:46:47 [---] [http] [ID#0] Sent header to server: Content-Type: application/x-www-form-urlencoded
28-Nov-2016 14:46:47 [---] [http] [ID#0] Sent header to server: Accept-Language: en_US
28-Nov-2016 14:46:47 [---] [http] [ID#0] Sent header to server:
28-Nov-2016 14:46:47 [---] [http] [ID#0] Received header from server: HTTP/1.1 200 OK
28-Nov-2016 14:46:47 [---] [http] [ID#0] Received header from server: Date: Mon, 28 Nov 2016 22:46:47 GMT
28-Nov-2016 14:46:47 [---] [http] [ID#0] Received header from server: Expires: -1
28-Nov-2016 14:46:47 [---] [http] [ID#0] Received header from server: Cache-Control: private, max-age=0
28-Nov-2016 14:46:47 [---] [http] [ID#0] Received header from server: Content-Type: text/html; charset=ISO-8859-1
28-Nov-2016 14:46:47 [---] [http] [ID#0] Received header from server: P3P: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info."
28-Nov-2016 14:46:47 [---] [http] [ID#0] Received header from server: Content-Encoding: gzip
28-Nov-2016 14:46:47 [---] [http] [ID#0] Info: Server gws is not blacklisted
28-Nov-2016 14:46:47 [---] [http] [ID#0] Received header from server: Server: gws
28-Nov-2016 14:46:47 [---] [http] [ID#0] Received header from server: Content-Length: 4802
28-Nov-2016 14:46:47 [---] [http] [ID#0] Received header from server: X-XSS-Protection: 1; mode=block
28-Nov-2016 14:46:47 [---] [http] [ID#0] Received header from server: X-Frame-Options: SAMEORIGIN
28-Nov-2016 14:46:47 [---] [http] [ID#0] Received header from server: Set-Cookie: NID=91=dvbwI-CXzdHStMj3klMwtDkld82E92yFeqQ0bQJFWcByomm0lRKbCOp1GSU6q17qNl3JFPsZp8lKAKPMJMiPeN9DDd0aELKQvPji_yjFkErTzX662-6wp6yawcp2NUPKwj1fl4lgzABKkw; expires=Tue, 30-May-2017 22:46:47 GMT; path=/; domain=.google.com; HttpOnly
28-Nov-2016 14:46:47 [---] [http] [ID#0] Received header from server:
28-Nov-2016 14:46:47 [---] [http_xfer] [ID#0] HTTP: wrote 844 bytes
28-Nov-2016 14:46:48 [---] [http_xfer] [ID#0] HTTP: wrote 10241 bytes
28-Nov-2016 14:46:48 [---] [http] [ID#0] Info: Connection #12 to host www.google.com left intact
28-Nov-2016 14:46:48 [---] Internet access OK - project servers may be temporarily down.


I have tried adding both the wildcard cert for secure.worldcommunitygrid.org and the 'thawte SSL CA - G2' cert into my local CA file. openssl can verify the wcg cert now, but still complains about the self-signed intermediate cert. I already have the other Thawte CA certs in my CA store.

The Thawte SSL checker tool sees the cert installed but has these alerts:

secure.worldcommunitygrid.org
Warnings

Root installed on the server.
For best practices, remove the self-signed root from the server.

RSA remove cross certificates
The certificate chain contains a cross root (primary intermediate) certificate that should be removed. Use Symantec CryptoReport to remove cross root certificates.


Anyone else have this issue and/or a workaround? thanks!
[Nov 28, 2016 11:06:27 PM]
Former Member
Cruncher
Joined: May 22, 2018
Post Count: 0
Status: Offline
Re: secure.worldcommunitygrid.org SSL cert chain causing issues

Please check the Community-maintained FAQs....
[Nov 29, 2016 1:58:17 AM]
matt2300
Cruncher
Joined: Oct 26, 2016
Post Count: 2
Status: Offline
Re: secure.worldcommunitygrid.org SSL cert chain causing issues

Ah ok, so it is a conflict of the chain with respect to the newer root CA cert from Thawte, and more particularly, the alternate chain functionality in OpenSSL not making it into given Debian releases, which had removed the 1024-bit CA cert from their CA bundle file. whew. :-D I really thought I had searched the forum for similar info but I wasn't successful. Thank you for the reply!

For now I'm doing the fix of: static copy of an updated BOINC ca-bundle.crt which I grabbed from Github. Will update my Debian install later since it's a remote server.

Others looking for the WCG forum FAQ entry on this, check:
https://www.worldcommunitygrid.org/forums/wcg/viewthread_thread,38805

It looks as though OpenSSL added support for alternate chain paths in 1.0.1n; Debian did not have that code until the release of Debian package openssl 1.0.1t-1+deb8u3.
[Dec 3, 2016 7:29:00 PM]
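To make the mechanism in the thread concrete, here is an added illustration (not code from the thread, BOINC or OpenSSL) of how a client builds a certificate path with and without OpenSSL-style alternate chains. Certificates are reduced to (subject, issuer) name pairs and no signatures are checked, so it models only the path-building logic; all certificate names, the trust-store contents and the server's chain are constructed for the example and stand in for the Thawte chain (leaf, "SSL CA - G2" intermediate, cross root, and the legacy 1024-bit root) discussed above. It reproduces the three situations from the thread: the old CA bundle that still trusted the legacy root, the Debian bundle with that root removed on an OpenSSL without alternate chains, and the same bundle once alternate chains are available. It also shows the server-side fix the Thawte checker recommends: stop sending the self-signed root and cross certificate.

```python
"""Toy model of X.509 chain building, with and without OpenSSL-style
alternate chains.  Certificates are reduced to (subject, issuer) name pairs;
no signatures, validity periods or key sizes are checked.  Every name below
is constructed for this example (hypothetical PKI, not real certificates)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def find_issuer(cert: Cert, pool: List[Cert]) -> Optional[Cert]:
    """First certificate in pool whose subject names cert's issuer."""
    for candidate in pool:
        if candidate.subject == cert.issuer:
            return candidate
    return None


def build_chain(leaf: Cert, untrusted: List[Cert], trusted: List[Cert],
                alt_chains: bool = True) -> Tuple[bool, List[Cert], str]:
    """Return (ok, chain, reason).

    Phase 1 follows issuer links through the certificates the peer sent until
    it reaches a self-signed certificate or runs out of issuers.  Phase 2 tries
    to anchor the result in the local trust store.  Without alternate chains
    only the full peer-supplied chain is tried, so a legacy self-signed root
    sent by the server ends the search; with them, peer certificates are
    dropped from the end one at a time and the trust-store lookup is repeated
    for each shorter prefix.
    """
    chain = [leaf]
    while not chain[-1].self_signed:
        nxt = find_issuer(chain[-1], untrusted)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)

    lengths = range(len(chain), 0, -1) if alt_chains else [len(chain)]
    for n in lengths:
        prefix = chain[:n]
        last = prefix[-1]
        if last in trusted:                  # chain already ends in a trust anchor
            return True, prefix, "ok"
        anchor = find_issuer(last, trusted)  # a trusted cert that issued 'last'
        if anchor is not None:
            return True, prefix + [anchor], "ok"

    if chain[-1].self_signed:
        return False, chain, "self signed certificate in certificate chain"
    return False, chain, "unable to get issuer certificate"


# Constructed sample PKI: a legacy root that distributions dropped, the newer
# root that replaced it, and a cross certificate carrying the new root's
# subject but signed by the legacy root.
LEGACY_ROOT = Cert("Example Legacy Root CA", "Example Legacy Root CA")
NEW_ROOT = Cert("Example Primary Root CA", "Example Primary Root CA")
CROSS_ROOT = Cert("Example Primary Root CA", "Example Legacy Root CA")
INTERMEDIATE = Cert("Example SSL CA - G2", "Example Primary Root CA")
LEAF = Cert("secure.example.org", "Example SSL CA - G2")

# What the misconfigured server sends besides the leaf: the intermediate,
# the cross root and, against best practice, the legacy self-signed root.
SERVER_EXTRAS = [INTERMEDIATE, CROSS_ROOT, LEGACY_ROOT]


def scenarios():
    """The situations from the thread, as (label, ok, subjects in chain, reason)."""
    cases = [
        ("old bundle still trusts legacy root, no alt chains",
         SERVER_EXTRAS, [LEGACY_ROOT, NEW_ROOT], False),
        ("legacy root removed, no alt chains",
         SERVER_EXTRAS, [NEW_ROOT], False),
        ("legacy root removed, alt chains",
         SERVER_EXTRAS, [NEW_ROOT], True),
        ("server sends only the intermediate, no alt chains",
         [INTERMEDIATE], [NEW_ROOT], False),
    ]
    out = []
    for label, extras, store, alt in cases:
        ok, chain, reason = build_chain(LEAF, extras, store, alt_chains=alt)
        out.append((label, ok, [c.subject for c in chain], reason))
    return out


if __name__ == "__main__":
    for label, ok, names, reason in scenarios():
        print(f"{label}: {'OK' if ok else 'FAIL'} ({reason})")
        print("   " + " -> ".join(names))
```

The second scenario is the client-side failure in the event log: the walk through the server's certificates ends at a self-signed root that is no longer in the store, and without backtracking that is a hard error. The third scenario is what the OpenSSL 1.0.1n/Debian deb8u3 fix does: shorten the peer chain until the intermediate's issuer is found in the trust store. The fourth shows why the Thawte checker's advice to drop the self-signed root and cross certificate is the robust fix: a client that never sees the legacy path does not need alternate-chain support at all.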