HTTPS/SSL certificate updated

funkydude

Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 14240 - Posted: 1 Jan 2016, 17:15:05 UTC
Last modified: 1 Jan 2016, 17:15:31 UTC

Fortunately the new BOINC client is now official with a more recent version of OpenSSL.

Unfortunately, as stated earlier, anyone that has opted into this HTTPS beta test that updates their BOINC client will now get annoying notifications every time there's a scheduler request.

Hopefully when you're back you can just make it official.
Velociraptor

Joined: 17 Dec 06
Posts: 18
Credit: 8,400
RAC: 0
Message 14247 - Posted: 2 Jan 2016, 11:21:41 UTC
Last modified: 2 Jan 2016, 11:26:45 UTC

Hi,
strangely it says that some sites have broken SSL but I can't really figure out why, maybe some hardcoded http or some pictures linked?

edit: maybe you could redirect all http to https ;)?

edit2: I found it ... seems like the pictures of the users are hardcoded http: http://burp.renderfarming.net/img/head_20.png
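Added example, not part of the original posts and not the project's code: a small scanner for the mixed-content problem reported above, where an HTTPS page still references subresources over plain HTTP. The sample page, the `example.org` hosts and all function names are constructed for illustration; only the `head_20.png` URL comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource (not exhaustive).
FETCH_ATTR = {"img": "src", "script": "src", "iframe": "src",
              "link": "href", "audio": "src", "video": "src", "source": "src"}
# Active content can rewrite the page; passive content (images, media) cannot.
ACTIVE_TAGS = {"script", "iframe", "link"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, kind, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        ref = attrs.get(FETCH_ATTR.get(tag, ""))
        if not ref:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # rel=canonical etc. is metadata, not a fetch
        # Resolve relative and protocol-relative references against the page.
        url = urljoin(self.page_url, ref.strip())
        if urlsplit(url).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((self.getpos()[0], tag, kind, url))

def find_mixed_content(page_url, html):
    """Return plain-HTTP subresources referenced by an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for HTTPS pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; only the head_20.png URL comes from the thread.
SAMPLE = """<html><head>
<link rel="stylesheet" href="//static.example.org/site.css">
<script src="http://static.example.org/lib.js"></script>
</head><body>
<a href="http://example.org/">plain link: navigation, not a subresource</a>
<img src="http://burp.renderfarming.net/img/head_20.png">
</body></html>"""

if __name__ == "__main__":
    for line, tag, kind, url in find_mixed_content("https://burp.renderfarming.net/", SAMPLE):
        print(f"line {line}: <{tag}> {kind} mixed content -> {url}")
```

The protocol-relative stylesheet inherits the page's scheme and the `<a href>` is only navigation, so neither is reported; the hardcoded image is.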
funkydude

Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 14264 - Posted: 11 Jan 2016, 23:08:35 UTC

Have you recovered enough to resolve said issues? :)
Janus
Volunteer moderator
Project administrator
Joined: 16 Jun 04
Posts: 4574
Credit: 2,100,463
RAC: 8
Message 14265 - Posted: 12 Jan 2016, 16:02:29 UTC
Last modified: 12 Jan 2016, 16:29:35 UTC

Hehe somewhat - it seems it is a little bit more messy with the clients than originally hoped: some of the older clients have old certificate systems and old OpenSSL versions that do not perform well with the new https on the server.
Luckily we aren't alone in pushing HTTPS for BOINC - other people have the same silly little problems (like the being hardcoded to HTTP etc. inside BOINC) and it seems that progress is being made everywhere, just somewhat slowly.

The GUI URLs for "Your Account", "Help" and "Team" in the client are now pointing the right way. "Home page" seems to be hardcoded to the master URL - which will eventually be HTTPS.
funkydude

Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 14266 - Posted: 12 Jan 2016, 22:09:24 UTC - in response to Message 14265.  

> Hehe somewhat - it seems it is a little bit more messy with the clients than originally hoped: some of the older clients have old certificate systems and old OpenSSL versions that do not perform well with the new https on the server.


Actually I was wondering about this when I posted a week or so back. When I checked, pretty much everyone with a recent credit score was using v7+ of the client, which includes OpenSSL. So I'm not sure what issues you'd envision, the server supports TLS 1.0 fine for older clients.
funkydude

Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 14270 - Posted: 22 Jan 2016, 19:18:14 UTC - in response to Message 14266.  

> Actually I was wondering about this when I posted a week or so back. When I checked, pretty much everyone with a recent credit score was using v7+ of the client, which includes OpenSSL. So I'm not sure what issues you'd envision, the server supports TLS 1.0 fine for older clients.


Bump.

Can we also get the main files (the files hosted at burp.renderfarming.net/download/) changed to HTTPS? At this point in time that would be infozip_license and the blender files. There should be no real performance loss in doing this because 1) the files are only ever downloaded once 2) they are rarely changed, only when there's a new blender, if that and 3) the files won't be downloaded by many people at the same time like a newly approved project would be.

In regards to windows_unzip and windows_zip, these should be removed entirely as Windows has built-in support for zip/unzip since XP.
funkydude

Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 14292 - Posted: 30 Jan 2016, 15:39:24 UTC

Since the issues are still not resolved I pushed an HTTPS Everywhere rule upstream to force HTTPS which works around the problem of various pages constantly forcing back to HTTP and the lack of a secure cookie.

https://github.com/EFForg/https-everywhere/commit/d34c1d496821af9e1e4cd9af342cd6385b39d257
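Added example, not part of the original posts and not the project's code: a check for the two server-side symptoms named above, responses to HTTPS requests that redirect back to HTTP and cookies set without the `Secure` attribute. The header values, the cookie names and the function name are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit


def audit_https_response(request_url, status, headers):
    """Flag downgrade redirects and cookies lacking Secure on an HTTPS response.

    headers is a list of (name, value) pairs so repeated Set-Cookie lines survive.
    """
    issues = []
    if urlsplit(request_url).scheme != "https":
        return issues  # only responses to HTTPS requests are in scope
    for name, value in headers:
        name = name.lower()
        if name == "location" and 300 <= status < 400:
            # A relative Location keeps the request's scheme; resolve before judging.
            target = urljoin(request_url, value.strip())
            if urlsplit(target).scheme == "http":
                issues.append(("downgrade-redirect", target))
        elif name == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cookie_name, morsel in jar.items():
                # Without Secure the browser also sends the cookie over plain HTTP.
                if not morsel["secure"]:
                    issues.append(("cookie-without-secure", cookie_name))
    return issues


# Constructed responses (status, headers) to a request for the HTTPS site root.
BAD = (302, [("Location", "http://burp.renderfarming.net/"),
             ("Set-Cookie", "session=constructed123; Path=/; HttpOnly")])
GOOD = (302, [("Location", "/"),
              ("Set-Cookie", "session=constructed123; Path=/; HttpOnly; Secure")])

if __name__ == "__main__":
    for label, (status, headers) in (("bad", BAD), ("good", GOOD)):
        print(label, audit_https_response("https://burp.renderfarming.net/", status, headers))
```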
Janus
Volunteer moderator
Project administrator
Joined: 16 Jun 04
Posts: 4574
Credit: 2,100,463
RAC: 8
Message 14293 - Posted: 30 Jan 2016, 17:32:52 UTC

That is actually a fairly good solution while the rest of the issues are worked out.

Also currently evaluating whether to keep using the StartCom certificate or whether to switch to a bunch of "Let's Encrypt" certificates or go with a 3rd provider (there are opensource-friendly ones out there). The StartCom one has some annoying restrictions (like only 1 domain) and is tied to a person whereas the "Let's Encrypt" ones are tied to each virtual server instance and hence allow multiple domains and subdomains with most modern browsers.
Janus
Volunteer moderator
Project administrator
Joined: 16 Jun 04
Posts: 4574
Credit: 2,100,463
RAC: 8
Message 14312 - Posted: 2 Mar 2016, 18:18:04 UTC
Last modified: 2 Mar 2016, 18:29:01 UTC

For those of you taking part in our HTTPS test we will now be extending it to HTTP/2 as well. The "normal" HTTP site is still HTTP/1.1.

HTTP/2 is the successor of SPDY which was an improvement (made by Google) of the HTTP/1.1 protocol. In reality it shouldn't matter too much but for browsers supporting it there should be a small speedup - especially on initial connections. As there are still some problems with unencrypted content on pages that are encrypted you will not yet get the full speedup but work is being done on that part too.
funkydude

Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 14313 - Posted: 3 Mar 2016, 15:42:18 UTC - in response to Message 14312.  

> For those of you taking part in our HTTPS test we will now be extending it to HTTP/2 as well. The "normal" HTTP site is still HTTP/1.1.
>
> HTTP/2 is the successor of SPDY which was an improvement (made by Google) of the HTTP/1.1 protocol. In reality it shouldn't matter too much but for browsers supporting it there should be a small speedup - especially on initial connections. As there are still some problems with unencrypted content on pages that are encrypted you will not yet get the full speedup but work is being done on that part too.


Good timing. A new beta of the BOINC client was released with a new version of cURL (and OpenSSL for that matter) which has various HTTP/2 bugfixes. Whether it's actually enabled and the client connects over it, I'm not sure.
Janus
Volunteer moderator
Project administrator
Joined: 16 Jun 04
Posts: 4574
Credit: 2,100,463
RAC: 8
Message 14708 - Posted: 3 Sep 2016, 19:22:06 UTC

The server certificate was updated.

Last year we got rid of SHA1 fingerprints on our own certificate and this year we also have a Certificate Authority chain with updated SHA fingerprints in the chain.
Janus
Volunteer moderator
Project administrator
Joined: 16 Jun 04
Posts: 4574
Credit: 2,100,463
RAC: 8
Message 15145 - Posted: 17 May 2017, 18:37:49 UTC
Last modified: 17 May 2017, 19:40:47 UTC

Working on switching to LetsEncrypt as CA - expect some issues with HTTPS for a few days.

[Edit:] Ended up taking just 48 mins to set up. Hopefully no issues