On Wed, Nov 18, 2020 at 03:16:57PM -0800, David Newman wrote:
> Do recent complaints about certificate chains [1] [2] also apply when a
> client running OpenBSD 6.8 uses a self-signed cert, and there are no
> intermediate certs?

This is unrelated. The complaints you mention are due to a deliberate
difference between the old TLS stack and the new TLSv1.3 stack that was
enabled server side in OpenBSD 6.8. We hoped that we could get away
without auto chain but as it turns out some important enough software
depends on it...

> Since upgrading to OpenBSD 6.8, a machine running the bacula-client
> backup package has been throwing "unable to get local issuer
> certificate" warnings. With the same certs and configuration on OpenBSD
> 6.7, backups ran to completion without errors or warnings.

OpenBSD 6.8 not only enabled the TLSv1.3 server in libssl, but it also
includes a new X.509 verifier in libcrypto [1]. This verifier has a
completely new design to fix major issues with the old one. There are
some bugs, and in some corner cases we don't match the behavior of the
old one. Much of this API is undocumented, and we fail to replicate
behavior that parts of the ecosystem rely on.

The issue you are seeing is known [2] and should be fixed in -current.
The most important pieces of the puzzle are in [3] and [4]. We will see
about how best to deal with this and with other problems in 6.8 fairly
soon.

I don't think you can eliminate this warning without changing either
libcrypto or your setup.

[1]: https://undeadly.org/cgi?action=article;sid=20200921105847
[2]: https://github.com/znc/znc/issues/1763
[3]: https://marc.info/?l=openbsd-cvs&m=160546290826930&w=2
[4]: https://marc.info/?l=openbsd-cvs&m=160512059417991&w=2
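The following is an added example, not part of the thread and not OpenBSD or bacula code. It builds a throw-away PKI with the openssl(1) command line tool (assumed to be OpenSSL 1.1.1 or newer on PATH; all names and the temp directory are constructed) and runs `openssl verify` over it, so a reader can see which inputs make a libcrypto-based verifier report "unable to get local issuer certificate" (a missing issuer in the chain) as opposed to the distinct "self signed certificate" error, and confirm that a self-signed certificate verifies once it is supplied as its own trust anchor. This is the check to run on the client before concluding that the verifier, rather than the certificate setup, is at fault.

```shell
#!/bin/sh
# Constructed demonstration (not from the mailing-list thread): build a tiny
# throw-away PKI with openssl(1) and run `openssl verify` over it to show which
# inputs produce "unable to get local issuer certificate" and which do not.
# Assumes openssl 1.1.1 or newer on PATH; all files live in a temp directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req(1) config so the result does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[self_ext]
basicConstraints = CA:FALSE
EOF

# Root CA -> intermediate CA -> leaf, plus a stand-alone self-signed certificate
# (the "self-signed cert, no intermediates" setup from the question).
make_pki() {
    openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Root" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Intermediate" -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl x509 -req -days 2 -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
    openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=bacula-fd.example" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
    openssl req -config "$WORK/req.cnf" -x509 -extensions self_ext -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=selfsigned.example" -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null
}

# Print openssl's verdict for the given verify(1) arguments. The default trust
# store is disabled so only what is passed explicitly counts; never aborts the script.
verify_msg() {
    openssl verify -no-CAfile -no-CApath "$@" 2>&1 || true
}

# Exit status 0 when the chain verifies, 1 otherwise.
verify_ok() {
    verify_msg "$@" | grep -q ': OK$'
}

# Exit status 0 when the verdict text contains the given error string.
verify_reports() {
    reason=$1; shift
    verify_msg "$@" | grep -q "$reason"
}

# Named cases so a caller can check each outcome by exit status.
leaf_root_only()          { verify_ok -CAfile "$WORK/root.pem" "$WORK/leaf.pem"; }
leaf_with_intermediate()  { verify_ok -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem"; }
self_without_anchor()     { verify_ok "$WORK/self.pem"; }
self_as_own_anchor()      { verify_ok -CAfile "$WORK/self.pem" "$WORK/self.pem"; }
leaf_root_only_is_err20() { verify_reports 'unable to get local issuer certificate' -CAfile "$WORK/root.pem" "$WORK/leaf.pem"; }

make_pki
echo "1. leaf, root trusted, intermediate not supplied (error 20 expected):"
verify_msg -CAfile "$WORK/root.pem" "$WORK/leaf.pem"
echo "2. same, intermediate supplied as untrusted (OK expected):"
verify_msg -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem"
echo "3. self-signed, nothing trusted (error 18, not error 20, expected):"
verify_msg "$WORK/self.pem"
echo "4. self-signed, trusted as its own anchor (OK expected):"
verify_msg -CAfile "$WORK/self.pem" "$WORK/self.pem"
```

Case 1 is the shape of the warning quoted above: the leaf's issuer is neither sent by the peer nor present in the trust store, so chain building stops at depth 0. Case 3 shows that a lone self-signed certificate fails for a different reason (error 18), which is why a client that really only trusts a self-signed cert and still sees error 20 is worth examining more closely: either the peer presents a certificate that is not the one in the trust store, or the verifier is not finding the anchor it was given.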