Using Secure Socket Layer (SSL)
We encourage you to enable SSL on your project's web servers. If you do this, and follow the instructions below, the following communication will be protected from man-in-the-middle attacks:
- The web RPCs used for account creation, which carry volunteer email addresses.
- HTTP requests that carry volunteer email addresses and passwords, such as the login form.
If, in addition, you use HTTPS for your scheduler URLs, scheduler requests will be encrypted as well. These requests carry account authenticators, which can be used to log in to accounts.
To use SSL, you'll need to buy an SSL certificate. Self-signed certificates can't be used. You'll then need to change your Apache configuration to enable SSL.
Add the following line to your html/project/project.inc file:
where the URL is that of your HTTPS server (typically your project's master URL with "https://" at the start).
Use the Linux "wget" program to test your HTTPS; it uses libcurl, same as the BOINC client.
If you use virtual hosts your Apache config file will need an entry like the following:
<VirtualHost *:443>
    ServerName setiathome.berkeley.edu
    DocumentRoot ... path to your /html/user
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/setiathome.berkeley.edu.SAN.cert
    SSLCertificateKeyFile /etc/pki/tls/private/setiathome.berkeley.edu.SAN.key
    SSLCertificateChainFile /etc/httpd/conf/ssl.crt/in_common.crt
</VirtualHost>
Intermediate CA file
Depending on where you get your SSL certificate, you may also need to get an "intermediate CA file" (also called a "chain file") from your certificate issuer. Then add a line of the form
to your Apache config file. For more info see https://degreesofzero.com/article/how-to-fix-missing-intermediate-ssl-certificate-errors-in-apache.html
Apparently Android handles SSL more strictly than desktop browsers. If you're seeing SSL problems only on Android, it could be due to the above issue.
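One way to check for the missing-intermediate problem described above, as an added example that is not part of the original page or of BOINC: the function classifies the "Certificate chain" section printed by openssl s_client with -showcerts, and also flags a self-signed certificate. HOST, the certificate names and both sample outputs are constructed.

```shell
# Added example, not BOINC code. Classifies the "Certificate chain" section of
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null
# HOST and the sample outputs below are constructed placeholders.

chain_status() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
        in_chain && n > 0 && /^ *i:/ { sub(/^ *i:/, ""); issuer[n - 1] = $0 }
        END {
            if (n == 0) { print "no-chain"; exit 1 }
            if (n == 1) {
                # One self-issued cert is self-signed; one CA-issued cert
                # means the server sent no intermediate (chain file missing).
                verdict = (subj[0] == issuer[0]) ? "self-signed" : "leaf-only"
                print verdict; exit 1
            }
            # Every certificate must be issued by the next one in the list.
            for (k = 0; k < n - 1; k++)
                if (issuer[k] != subj[k + 1]) { print "broken-order"; exit 1 }
            print "ok " n
        }'
}

sample_full() {
cat <<'EOF'
---
Certificate chain
 0 s:CN = project.example.org
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---
EOF
}

sample_leaf_only() {
cat <<'EOF'
---
Certificate chain
 0 s:CN = project.example.org
   i:CN = Example Intermediate CA
---
EOF
}

sample_full | chain_status               # prints: ok 2
sample_leaf_only | chain_status || true  # prints: leaf-only
```

A "leaf-only" result is the case where desktop browsers may still connect while stricter clients reject the server.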