Questions and Answers : Web site : SSL certificate rating (C)
Author | Message |
---|---|
Customminer Joined: 4 Apr 14 Posts: 1 Credit: 77,596 RAC: 0 |
Hey, I checked SSL support for all BOINC projects yesterday in the following thread: https://boinc.berkeley.edu/dev/forum_thread.php?id=10973 The users in the thread suggested reaching out to all affected projects, so here I am! Rosetta@Home only has a 'C' ranking according to ssllabs: https://www.ssllabs.com/ssltest/analyze.html?d=www.malariacontrol.net Would it be possible to reconfigure your SSL certificate/settings to be better than C? Thanks |
Mod.Sense Volunteer moderator Joined: 22 Aug 06 Posts: 4018 Credit: 0 RAC: 0 |
The URL you posted points to another BOINC project. Here is the link for R@h: https://www.ssllabs.com/ssltest/analyze.html?d=boinc.bakerlab.org I've emailed DK asking he check it out. Rosetta Moderator: Mod.Sense |
Keith E. Laidig Volunteer moderator Project developer Joined: 1 Jul 05 Posts: 154 Credit: 117,189,961 RAC: 0 |
Howdy. I'll look into this and see what we can do. -KEL |
[CSF] Aleksey Belkov Joined: 12 Apr 17 Posts: 1 Credit: 1,307,397 RAC: 0 |
1) All servers but one (128.95.160.140) have rating F. At minimum, only strong encryption must be set on all servers (SSLCipherSuite HIGH:!kECDH:!aNULL:!eNULL:!PSK:!DSS:!MD5) to solve: This server supports insecure cipher suites (see below for details). Grade set to F. 2) To solve: The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C. It's needed to upgrade OpenSSL at least to the 1.0.1 branch (1.0.1u last) and set: SSLProtocol All -SSLv2 -SSLv3 3) To solve: This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B. It's needed to upgrade Apache at least to version 2.2.30: Custom DH parameters and an EC curve name for ephemeral keys, can be added to end of the first file configured using SSLCertificateFile. This is supported in version 2.2.30 or later. Such parameters can be generated using the commands openssl dhparam and openssl ecparam. The parameters can be added as-is to the end of the first certificate file. Only the first file can be used for custom parameters, as they are applied independently of the authentication algorithm type. You can obtain the appropriate settings in this configurator: https://mozilla.github.io/server-side-tls/ssl-config-generator/ |
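
A configuration audit for the three settings named in the last post, as an added example that is not part of the thread or the project's own configuration. The sample configs, the certificate path and the `pem_by_path` stand-in for reading files are constructed assumptions, and "All" is modelled simply as every protocol name listed.

```python
# Exclusions from the SSLCipherSuite string recommended in the post above.
REQUIRED_EXCLUSIONS = {"!kECDH", "!aNULL", "!eNULL", "!PSK", "!DSS", "!MD5"}
# Simplified model (assumption): "All" enables every protocol named here.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANON = {p.lower(): p for p in ALL_PROTOCOLS}
DH_MARKER = "-----BEGIN DH PARAMETERS-----"  # header written by `openssl dhparam`
CERT = "/etc/ssl/example.pem"                # constructed path
def parse(conf_text):
    """Collect the directives of one vhost; keep only the first SSLCertificateFile."""
    seen = {}
    for line in conf_text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith(("#", "<")):
            continue
        name, args = parts[0].lower(), parts[1:]
        if name == "sslcertificatefile":
            seen.setdefault(name, args)  # only the first file may carry DH params
        else:
            seen[name] = args            # a later directive overrides an earlier one
    return seen

def enabled_protocols(tokens):
    """Apply SSLProtocol tokens left to right: '-' removes, '+' or bare adds."""
    enabled = set()
    for tok in tokens:
        name = tok.lstrip("+-").lower()
        names = set(ALL_PROTOCOLS) if name == "all" else {CANON.get(name, name)}
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return enabled

def audit(conf_text, pem_by_path):
    """Return findings; pem_by_path maps cert paths to PEM text (stands in for disk)."""
    d, findings = parse(conf_text), []
    old = enabled_protocols(d.get("sslprotocol") or ["All"]) & {"SSLv2", "SSLv3"}
    if old:
        findings.append("SSLProtocol leaves enabled: " + ", ".join(sorted(old)))
    spec = (d.get("sslciphersuite") or [""])[-1]
    missing = sorted(REQUIRED_EXCLUSIONS - set(spec.split(":")))
    if missing:
        findings.append("SSLCipherSuite lacks exclusions: " + " ".join(missing))
    cert = (d.get("sslcertificatefile") or [""])[0]
    if DH_MARKER not in pem_by_path.get(cert, ""):
        findings.append("no custom DH parameters appended to " + (cert or "(none)"))
    return findings

# Constructed sample configs: a weak one and one using the post's settings.
WEAK = "SSLProtocol All -SSLv2\nSSLCipherSuite ALL:!aNULL\nSSLCertificateFile " + CERT
HARDENED = ("SSLProtocol All -SSLv2 -SSLv3\nSSLCipherSuite "
            "HIGH:!kECDH:!aNULL:!eNULL:!PSK:!DSS:!MD5\nSSLCertificateFile " + CERT)
print(audit(WEAK, {CERT: "-----BEGIN CERTIFICATE-----"}))
```

A clean result only says the directives match the post; whether TLS 1.2 is actually offered still depends on the OpenSSL version the server is built against.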
©2024 University of Washington
https://www.bakerlab.org