On 2018-01-12, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2018-01-12, dmitry.sensei <dmitry.sen...@gmail.com> wrote:
>> Strange message from syspatch:
>> # syspatch
>> ftp: SSL write error: no OCSP URLs in peer certificate
>> #
>
> Simplest workaround is to download the files yourself and use a local
> url in /etc/installurl, e.g. file:///tmp/syspatch.
>
>> what does this message mean and what to check?
>>
>> OpenBSD 6.2-stable GENERIC.MP#2 amd64
>>
>> we have a fortinet in the middle. Previously, it did not interfere with the
>> utility, since I added its certificate
>
> Most likely the fortinet doesn't include any OCSP URL in its MITM
> certificate, but just to be sure, which mirror? (cat /etc/installurl),
> and what's in the cert?
>
> $ openssl s_client -connect $hostname:443 -servername $hostname
>
> then copy the server cert and paste into "openssl x509 -text -noout".
dmitry sent it offlist; it's a typical MITM creating a new cert based on the
original but modified. Mirror is ftp.openbsd.org; compared to the real cert
the changes are:

- changed Serial Number, modulus, signature, issuer (obviously).

- following sections removed:

  X509v3 Extended Key Usage:
  X509v3 Subject Key Identifier:
  X509v3 Authority Key Identifier:
  Authority Information Access:
      OCSP - URI:http://ocsp.int-x3.letsencrypt.org
      CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
  X509v3 Certificate Policies:

- changed subject(!)

  - Subject: CN=www.openbsd.org
  + Subject: CN=www.openbsd.org, L=<1543 spaces>

obviously it's the missing AIA that's causing the problem for libtls/ftp.
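To make the missing-AIA diagnosis above reproducible, here is an added shell example (not code from the thread, from OpenBSD or from Fortinet) that builds two constructed self-signed certificates, one with an OCSP URL in its Authority Information Access extension and one without, and runs the checks a defender would run on a suspect interception certificate; it assumes openssl(1) 1.1.1 or newer is installed and uses a placeholder OCSP URL.

```shell
# Added example (not from the thread). Builds two throwaway self-signed certs
# with openssl(1) 1.1.1+ (assumed available): "genuine" carries an Authority
# Information Access (AIA) extension with an OCSP URL, "intercepted" keeps the
# subject but drops AIA, as the thread describes; then runs a defender's checks.
set -eu
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Stuart's command, piped through x509 so the server cert can be saved as PEM.
# Not run below: the example stays offline.
peer_cert() {   # $1 = hostname
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509
}

# Names of the extensions present in a PEM certificate, one per line.
list_extensions() {
    openssl x509 -in "$1" -noout -text |
        sed -E -n 's/^ *(X509v3 [A-Za-z ]+|Authority Information Access):.*/\1/p'
}

# Succeeds if AIA lists at least one OCSP responder URL; its absence is what
# ftp/libtls reports as "no OCSP URLs in peer certificate".
has_ocsp_url() {
    openssl x509 -in "$1" -noout -text | grep -q 'OCSP - URI:'
}

# Extensions present in the reference cert ($1) but missing from the suspect ($2).
missing_extensions() {
    list_extensions "$1" | sort >"$WORKDIR/ref.txt"
    list_extensions "$2" | sort >"$WORKDIR/suspect.txt"
    comm -23 "$WORKDIR/ref.txt" "$WORKDIR/suspect.txt"
}

# Constructed sample certs; the OCSP URL is a placeholder, not a real responder.
make_cert() {   # $1 = output PEM, remaining args go to openssl req
    out=$1; shift
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=www.openbsd.org' \
        -keyout "$out.key" -out "$out" "$@" 2>/dev/null
}
make_cert "$WORKDIR/genuine.pem" -addext 'extendedKeyUsage=serverAuth' \
    -addext 'authorityInfoAccess=OCSP;URI:http://ocsp.example.invalid/'
make_cert "$WORKDIR/intercepted.pem"

for c in genuine intercepted; do
    if has_ocsp_url "$WORKDIR/$c.pem"; then echo "$c: OCSP URL present"
    else echo "$c: no OCSP URLs in peer certificate"; fi
done
echo "extensions the intercepted cert lacks:"
missing_extensions "$WORKDIR/genuine.pem" "$WORKDIR/intercepted.pem"
```

On an affected host, `peer_cert ftp.openbsd.org > suspect.pem` captures what the middlebox presents, and `missing_extensions` against a copy of the mirror's real certificate fetched from an uninspected network shows exactly which extensions were stripped.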