I would like to eventually change the Windows build so that libcurl 
uses schannel instead of openssl.  We would then be able to drop the ca-bundle 
from the client release.

I attempted to do this for the next public client release cycle, but ran into 
problems because the core client uses openssl for validating project 
certificates.

Ideally, we should try to push the certificate store issue to the OS.  Debian, 
Ubuntu, Apple, Microsoft would all be better at maintaining the certificate 
store infrastructure.

----- Rom

-----Original Message-----
From: boinc_dev [mailto:[email protected]] On Behalf Of 
Christian Beer
Sent: Thursday, November 26, 2015 9:21 AM
To: BOINC Developers Mailing List <[email protected]>
Subject: [boinc_dev] SSL support of BOINC

Hi,

we recently experimented with an https scheduler URL which failed because older 
clients can't verify the certificate of the server. I then began to investigate 
what is needed to have the project in full SSL mode (master and scheduler URL 
as https). The problematic part seems to be Windows hosts that have a ca-bundle 
shipped with the installer.

The main problem is that the certificate used on our scheduler server uses a 
Root CA that is only present in the ca-bundle.crt since July 11
2013 which would mean a 7.2.4 Client. But this seems to be wrong because the 
installer I downloaded from boinc.berkeley.edu/dl/ does contain the old 
ca-bundle from before July 11 2013. The first occurrence of the updated 
ca-bundle I have found was in the 7.3.2 development release roughly a year 
later. Is this correct?

This means that the really usable and stable version that we could recommend to 
upgrade to is 7.4.42 at this point, which to us seems almost impossible to 
achieve even if we sent out a reminder every month.

We are currently looking into how to get a cross signed certificate that is 
present in the old ca-bundle and still valid.

I think this is also something to tell projects about if they decide to switch 
to SSL at some point and give some hints on what certificates work with older 
clients.

And for the future we should make sure that an updated ca-bundle is committed 
and that it is also included in the installer package at this time.

Regards
Christian
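As an added example (not code from the BOINC project or from either message above), the check this thread calls for: parse two curl-style ca-bundle.crt files, list which root CAs the newer one gained, and test whether the root at the top of a scheduler's certificate chain is present in the bundle an old installer shipped. Lookup is by SHA-256 fingerprint of the certificate bytes; the bundle contents and CA labels below are constructed placeholders, not real roots.

```python
import base64
import hashlib

def parse_bundle(text):
    """Map SHA-256 fingerprint -> label for every cert in a curl-style ca-bundle.crt.

    The mk-ca-bundle format places a human-readable label and a line of '='
    signs immediately before each PEM block; that label is what gets reported.
    """
    certs, label, body = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            body = []
        elif line == "-----END CERTIFICATE-----":
            der = base64.b64decode("".join(body or []))   # bytes between the markers
            certs[hashlib.sha256(der).hexdigest()] = label or "(unlabelled)"
            body, label = None, None
        elif body is not None:
            body.append(line)
        elif line and not line.startswith("#") and set(line) != {"="}:
            label = line                                   # candidate label for next cert
    return certs

def added_roots(old_text, new_text):
    """Labels of certs present in the newer bundle but absent from the older one."""
    old, new = parse_bundle(old_text), parse_bundle(new_text)
    return sorted(lbl for fp, lbl in new.items() if fp not in old)

def root_in_bundle(bundle_text, root_pem):
    """True if the given root certificate (PEM, e.g. top of a served chain) is in the bundle."""
    bundle = parse_bundle(bundle_text)
    return any(fp in bundle for fp in parse_bundle(root_pem))

def section(label, payload):
    """Build one constructed bundle entry; payload stands in for real DER bytes."""
    b64 = base64.b64encode(payload).decode()
    return f"{label}\n{'=' * len(label)}\n-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n\n"

# Constructed sample bundles (not real CA data): the newer one gained one root.
OLD_BUNDLE = "## constructed older bundle\n\n" + section("Example Root CA 1", b"root-1") + section("Example Root CA 2", b"root-2")
NEW_BUNDLE = OLD_BUNDLE.replace("older", "newer") + section("Example Root CA 3", b"root-3")

if __name__ == "__main__":
    print("roots added in newer bundle:", added_roots(OLD_BUNDLE, NEW_BUNDLE))
    print("root 3 trusted by old bundle:", root_in_bundle(OLD_BUNDLE, section("Example Root CA 3", b"root-3")))
```

To run it against real files, read the installer's ca-bundle.crt and the committed one into `added_roots`, and pass the last certificate printed by `openssl s_client -showcerts` to `root_in_bundle`.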
_______________________________________________
boinc_dev mailing list
[email protected]
http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev
To unsubscribe, visit the above URL and
(near bottom of page) enter your email address.