wiki:SecureHttp

Using Secure Sockets Layer (SSL/TLS)

We encourage you to enable SSL/TLS (HTTPS) on your project's web servers. If you do this, and follow the instructions below, the following traffic will be encrypted and authenticated in transit, which protects it from eavesdropping and from man-in-the-middle tampering:

  • The web RPCs used for account creation, which carry volunteer email addresses.
  • HTTP requests that carry volunteer email addresses and passwords, such as the login form.

If, in addition, you use HTTPS URLs for your schedulers, scheduler requests will be encrypted as well. This matters because scheduler requests carry account authenticators, and an authenticator is sufficient on its own to log in to the account it belongs to.

To use SSL you'll need a certificate issued by a certificate authority that clients already trust. The BOINC client verifies server certificates against the CA bundle it ships with (ca-bundle.crt), and neither it nor Android asks the user to accept unknown certificates, so self-signed certificates can't be used. You'll then need to change your Apache configuration to enable SSL.

BOINC configuration

Add the following line to your html/project/project.inc file:

define("SECURE_URL_BASE", "https://your_url/");

where the URL is that of your HTTPS server, including the trailing slash (typically your project's master URL with "https://" at the start).

Apache configuration

Use the "curl" program to test your HTTPS setup: it is built on libcurl, the same library the BOINC client uses to talk to your server, so if curl can't verify your certificate chain, neither can the client. (wget is not a substitute here: it has its own TLS code and does not use libcurl.) To reproduce the client's view exactly, point curl at the client's own CA bundle with "--cacert ca-bundle.crt" rather than at your system's certificate store, since a browser or distribution store may contain intermediates the client lacks.

If you use virtual hosts your Apache config file will need an entry like the following. Note that on Apache 2.4.8 and later SSLCertificateChainFile is deprecated: append the intermediate certificate(s) to the file named by SSLCertificateFile, after the server certificate, instead of using a separate chain file.

<VirtualHost *:443>
    ServerName setiathome.berkeley.edu
    DocumentRoot ... path to your /html/user
    SSLEngine On
    # server certificate (Apache 2.4.8+: append the intermediate certs to this file, after the server cert)
    SSLCertificateFile /etc/pki/tls/certs/setiathome.berkeley.edu.SAN.cert
    SSLCertificateKeyFile /etc/pki/tls/private/setiathome.berkeley.edu.SAN.key
    # intermediate (chain) certificate(s); deprecated from Apache 2.4.8 in favour of the above
    SSLCertificateChainFile /etc/httpd/conf/ssl.crt/in_common.crt
</VirtualHost>

Intermediate CA file

Depending on where you get your SSL certificate, you may also need to get an "intermediate CA file" (also called a "chain file") from your certificate issuer. Your server certificate is usually signed by this intermediate, not directly by the root that clients trust, so the server must send the intermediate along with its own certificate or strict clients cannot build a trusted chain. One way that has been reported to work is adding a line of the form

SSLCACertificateFile /etc/apache2/path/to/chain/file

to your Apache config file. Be aware that the documented purpose of SSLCACertificateFile is verifying client certificates; it only helps here because OpenSSL also uses those certificates when building the chain it sends. The supported way to serve the intermediate is SSLCertificateChainFile (Apache before 2.4.8) or appending the intermediate to the SSLCertificateFile after the server certificate (Apache 2.4.8 and later). For more info see https://degreesofzero.com/article/how-to-fix-missing-intermediate-ssl-certificate-errors-in-apache.html

Android handles SSL more strictly than desktop browsers: like libcurl in the BOINC client, it does not go and fetch a missing intermediate certificate on its own, whereas desktop browsers often do (using the issuer URL embedded in the certificate), so a chain that looks fine in a browser can still fail on Android or in the client. If you're seeing SSL problems only on Android, they are most likely due to the missing-intermediate issue above.
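The two checks described above (testing with a libcurl-style verifier, and serving the intermediate certificate) as an added example; this is not code from the BOINC project or from this page. It builds a throwaway root / intermediate / server certificate chain with the openssl command-line tool, shows that a verifier that is not handed the intermediate rejects the server certificate (the failure the BOINC client, libcurl and Android hit when Apache does not serve the chain), and assembles the chain file in the order Apache expects. The host name boinc.example.org, the file names and the function names are placeholders chosen for the demo, not anything from the page.

```shell
#!/bin/sh
# Added example, not from the BOINC wiki or the BOINC code base.
# Builds a throwaway PKI (root CA -> intermediate CA -> server certificate),
# shows that a verifier which is not given the intermediate rejects the
# server certificate, and assembles the chain file in the order Apache expects.
# boinc.example.org and all file/function names are placeholders for the demo.
set -eu

# Minimal OpenSSL config so the demo does not depend on the system one.
write_openssl_cnf() {  # usage: write_openssl_cnf dir
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:boinc.example.org
EOF
}

# Create root.pem (self-signed), int.pem (signed by the root) and leaf.pem
# (signed by the intermediate) in dir, with P-256 keys. This mirrors what a
# CA hands a project: a server certificate that does not chain directly to a
# root the client trusts.
build_demo_pki() {  # usage: build_demo_pki dir
    pki=$1
    write_openssl_cnf "$pki"
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$pki/root.key" -out "$pki/root.pem" -days 3 \
        -config "$pki/openssl.cnf" -extensions ca_ext -subj "/CN=Demo Root CA"
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$pki/int.key" -out "$pki/int.csr" \
        -config "$pki/openssl.cnf" -subj "/CN=Demo Intermediate CA"
    openssl x509 -req -in "$pki/int.csr" -CA "$pki/root.pem" -CAkey "$pki/root.key" \
        -CAcreateserial -days 3 -extfile "$pki/openssl.cnf" -extensions ca_ext \
        -out "$pki/int.pem"
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$pki/leaf.key" -out "$pki/leaf.csr" \
        -config "$pki/openssl.cnf" -subj "/CN=boinc.example.org"
    openssl x509 -req -in "$pki/leaf.csr" -CA "$pki/int.pem" -CAkey "$pki/int.key" \
        -CAcreateserial -days 3 -extfile "$pki/openssl.cnf" -extensions leaf_ext \
        -out "$pki/leaf.pem"
}

# Exit 0 if leaf verifies against the trusted root given the extra (untrusted)
# certificates the server sends alongside it, non-zero otherwise. This is the
# same decision libcurl makes with the client's CA bundle as its only trust.
client_accepts() {  # usage: client_accepts root.pem leaf.pem [int.pem]
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Apache 2.4.8+ reads the server certificate and then its intermediates from
# one SSLCertificateFile; older Apache reads the intermediates from
# SSLCertificateChainFile. Either way the order is leaf first, then issuers.
make_fullchain() {  # usage: make_fullchain leaf.pem int.pem out.pem
    cat "$1" "$2" > "$3"
}

count_certs() {  # number of PEM certificates in a file
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

first_subject() {  # subject of the first cert in a PEM file (what Apache serves as the server cert)
    openssl x509 -in "$1" -noout -subject
}

# Number of certificates a live server actually sends; 1 usually means the
# intermediate is missing. Needs network access, so it is not called below.
served_cert_count() {  # usage: served_cert_count host [port]
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

demo() {
    d=$(mktemp -d)
    build_demo_pki "$d"
    if client_accepts "$d/root.pem" "$d/leaf.pem"; then
        echo "leaf alone: accepted (unexpected)"
    else
        echo "leaf alone: rejected (unable to get local issuer certificate)"
    fi
    if client_accepts "$d/root.pem" "$d/leaf.pem" "$d/int.pem"; then
        echo "leaf + intermediate: accepted"
    fi
    make_fullchain "$d/leaf.pem" "$d/int.pem" "$d/fullchain.pem"
    echo "fullchain.pem: $(count_certs "$d/fullchain.pem") certificates, first is $(first_subject "$d/fullchain.pem")"
    rm -rf "$d"
}
demo
```

To check a deployed project, call served_cert_count with your host name and compare the result with the number of certificates in the file Apache serves; if the server sends only its own certificate and that certificate was not issued directly by a root, the intermediate is missing and libcurl-based clients will fail exactly as the leaf-alone case does here.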

Last modified on Sep 14, 2014, 3:29:08 PM