On 2018-01-12, dmitry.sensei <dmitry.sen...@gmail.com> wrote:
> Strange message from syspatch:
> # syspatch
> ftp: SSL write error: no OCSP URLs in peer certificate
> #

Simplest workaround is to download the files yourself and use a local
url in /etc/installurl, e.g. file:///tmp/syspatch.

> what does this message mean and what to check?
>
> OpenBSD 6.2-stable GENERIC.MP#2 amd64
>
> we have a fortinet in the middle. Previously, it did not interfere with the
> utility, since I added its certificate

Most likely the fortinet doesn't include any OCSP URL in its MITM
certificate, but just to be sure, which mirror? (cat /etc/installurl),
and what's in the cert?

$ openssl s_client -connect $hostname:443 -servername $hostname

then copy the server cert and paste into "openssl x509 -text -noout".

CA/B Forum requires an OCSP URL in certs unless stapling is used. But I
don't see how a CA is going to know whether stapling is used so I would
expect certs from the cabal to always have this set so we're unlikely to
run into this with normal servers.

So, although we're unlikely to bump into problems with this code without
MITM, I think libtls may be going a little beyond usual requirements in
needing this.
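The check the reply describes (fetch the peer's leaf certificate with s_client, then look for an OCSP URL in it), scripted as an added example that is not part of the thread. It assumes an openssl(1) that understands "x509 -ocsp_uri" and "req -addext"; the hostnames and the OCSP URI in the constructed test certificates are placeholders.

```shell
#!/bin/sh
# Diagnose the "no OCSP URLs in peer certificate" condition: libtls refuses
# a leaf certificate whose Authority Information Access extension names no
# OCSP responder, which is typical of an interposed (MITM) appliance cert.

# ocsp_urls FILE: print the OCSP responder URLs of the PEM cert in FILE;
# prints nothing when the extension is absent.
ocsp_urls() {
    openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null
}

# has_ocsp_url FILE: succeed only if the cert names at least one OCSP URL.
has_ocsp_url() {
    [ -n "$(ocsp_urls "$1")" ]
}

# peer_cert HOST [PORT]: write the leaf certificate HOST presents to stdout,
# the same s_client step suggested in the reply (uses the network).
peer_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509
}

# check_host HOST: report whether the presented leaf would satisfy libtls.
# Exit 0 if an OCSP URL is present, 1 if not, 2 if the cert was unobtainable.
check_host() {
    _tmp=$(mktemp) || return 2
    if ! peer_cert "$1" >"$_tmp"; then rm -f "$_tmp"; return 2; fi
    if has_ocsp_url "$_tmp"; then
        echo "$1: OCSP URL present: $(ocsp_urls "$_tmp" | head -n 1)"; _rc=0
    else
        echo "$1: no OCSP URLs in peer certificate (libtls will refuse it)"; _rc=1
    fi
    rm -f "$_tmp"
    return $_rc
}

# make_test_cert OUT with|without: constructed self-signed certs for offline
# testing; "with" adds a placeholder OCSP responder URI.
make_test_cert() {
    _key=$(mktemp)
    _ext="authorityInfoAccess=OCSP;URI:http://ocsp.example.invalid"
    if [ "$2" = with ]; then set -- "$1" -addext "$_ext"; else set -- "$1"; fi
    _out=$1; shift
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$_key" -out "$_out" -subj /CN=test.example.invalid -days 1 \
        "$@" >/dev/null 2>&1
    rm -f "$_key"
}
```

Run "check_host ftp.openbsd.org" (or whatever host /etc/installurl points at) from inside the network with the appliance in the path; a result of 1 reproduces the syspatch failure without involving syspatch.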