BOINC and SSL intercepting IDS

Andreas

Joined: 2 Feb 18
Posts: 3
Switzerland
Message 84629 - Posted: 2 Feb 2018, 12:13:49 UTC

Dear all,

I'm running an IDS/IPS which intercepts SSL communications.

So far I can't join any project, always getting something like:
2/2/2018 11:54:45 AM | | Fetching configuration file from http://einstein.phys.uwm.edu/get_project_config.php
2/2/2018 11:54:53 AM | | Project communication failed: attempting access to reference site
2/2/2018 11:54:55 AM | | BOINC can't access Internet - check network connection or proxy configuration.

BOINC manager 7.8.2 under Windows 10

Is there a way to configure BOINC to ignore SSL certificate errors or to add the CA certificate?

Regards,
Andreas
ID: 84629
Richard Haselgrove
Volunteer moderator
Volunteer tester
Help desk expert

Joined: 5 Oct 06
Posts: 3017
United Kingdom
Message 84630 - Posted: 2 Feb 2018, 14:04:03 UTC - in response to Message 84629.  

BOINC's SSL certificates are stored in a file called ca-bundle.crt, which you can find in the BOINC program directory.

We are about to start using a new version of this file, which you can find in https://github.com/BOINC/boinc/tree/master/curl - it would be helpful if you could download this new file and see if it resolves your problem.

If not, you should be able to add your own certificate using a plain-text editor - despite the name, the file and the certificates within it are stored in simple ASCII format.
ID: 84630
Andreas

Joined: 2 Feb 18
Posts: 3
Switzerland
Message 84635 - Posted: 2 Feb 2018, 19:22:47 UTC - in response to Message 84630.  

Hi Richard,

thanks a lot for your help.
I added the certificate of my CA and now everything works as expected.

Regards,
Andreas
ID: 84635
Richard Haselgrove
Volunteer moderator
Volunteer tester
Help desk expert

Joined: 5 Oct 06
Posts: 3017
United Kingdom
Message 84636 - Posted: 2 Feb 2018, 20:12:29 UTC - in response to Message 84635.  

Did you try the new version of the file?

Is the CA you added a purely private one, or one we should add to the generic bundle for other people with the same problem?
ID: 84636
Andreas

Joined: 2 Feb 18
Posts: 3
Switzerland
Message 84637 - Posted: 3 Feb 2018, 0:08:56 UTC - in response to Message 84636.  

It is a purely private CA.
My firewall/IDS intercepts all SSL connections and creates certificates on the fly.
These are signed by the CA I needed to add.
ID: 84637
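
The manual edit discussed in this thread (appending a private interception CA to ca-bundle.crt), as an added example that is not part of the original posts and is not BOINC project code. It appends the CA only if its fingerprint is not already in the bundle and keeps a backup copy; the names add_ca, fingerprints, fake_pem and demo are hypothetical, and the demo uses constructed stand-in PEM blocks rather than real certificates.

```python
import base64
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 of the DER bytes of every PEM certificate block, in file order."""
    return [hashlib.sha256(base64.b64decode("".join(b.split()), validate=True)).hexdigest()
            for b in PEM_RE.findall(pem_text)]

def add_ca(bundle_path, ca_pem, label="private interception CA"):
    """Append one CA certificate to the bundle; return "added" or "present"."""
    bundle = Path(bundle_path)
    new = fingerprints(ca_pem)
    if len(new) != 1:
        raise ValueError("expected exactly one PEM certificate, got %d" % len(new))
    # latin-1 decodes any byte, so non-ASCII comment lines in the bundle are harmless
    text = bundle.read_bytes().decode("latin-1")
    if new[0] in fingerprints(text):
        return "present"          # idempotent: never append the same CA twice
    shutil.copy2(bundle, bundle.with_name(bundle.name + ".bak"))  # rollback copy
    block = PEM_RE.search(ca_pem).group(0)
    with bundle.open("ab") as fh:
        if text and not text.endswith("\n"):
            fh.write(b"\n")
        fh.write(("\n# %s (added locally)\n%s\n" % (label, block)).encode("ascii"))
    return "added"

def fake_pem(payload):
    """Constructed stand-in: PEM armour around arbitrary bytes, not a real X.509 cert."""
    b64 = base64.b64encode(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

def demo():
    """Run add_ca twice against a throwaway bundle and report what happened."""
    with tempfile.TemporaryDirectory() as d:
        bundle = Path(d) / "ca-bundle.crt"
        bundle.write_text("Public Root (constructed)\n=====\n" + fake_pem(b"public-root"))
        ca = fake_pem(b"firewall-ca")
        results = [add_ca(bundle, ca), add_ca(bundle, ca)]
        backed_up = (Path(d) / "ca-bundle.crt.bak").exists()
        return results, len(fingerprints(bundle.read_text())), backed_up

if __name__ == "__main__":
    print(demo())
```

For the client in the thread, bundle_path would be ca-bundle.crt in the BOINC program directory, and the CA has to be appended again if that file is later replaced by a newer bundle. Once added, the interception CA is trusted for every project server the client contacts, so its private key needs the same protection as any other root the client trusts.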


Copyright © 2018 University of California. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.