On 11/18/20 8:11 PM, Theo Buehler wrote:
> On Wed, Nov 18, 2020 at 03:16:57PM -0800, David Newman wrote:
>> Do recent complaints about certificate chains [1] [2] also apply when a
>> client running OpenBSD 6.8 uses a self-signed cert, and there are no
>> intermediate certs?
>
> This is unrelated. The complaints you mention are due to a deliberate
> difference between the old TLS stack and the new TLSv1.3 stack that was
> enabled server side in OpenBSD 6.8. We hoped that we could get away
> without auto chain but as it turns out some important enough software
> depends on it...
>
>> Since upgrading to OpenBSD 6.8, a machine running the bacula-client
>> backup package has been throwing "unable to get local issuer
>> certificate" warnings. With the same certs and configuration on OpenBSD
>> 6.7, backups ran to completion without errors or warnings.
>
> OpenBSD 6.8 not only enabled the TLSv1.3 server in libssl, but it also
> includes a new X.509 verifier in libcrypto [1]. This verifier has a
> completely new design to fix major issues with the old one. There are
> some bugs, and in some corner cases we don't match the behavior of the
> old one. Much of this API is undocumented, and we fail to replicate
> behavior parts of the ecosystem rely on.
>
> The issue you are seeing is known [2] and should be fixed in -current.
> The most important pieces of the puzzle are in [3] and [4]. We will see
> about how best to deal with this and with other problems in 6.8 fairly
> soon.
>
> I don't think you can eliminate this warning without changing either
> libcrypto or your setup.
Thanks, Theo. Your explanation is very clear and I now understand the
source of the warning.
dn
>
> [1]: https://undeadly.org/cgi?action=article;sid=20200921105847
> [2]: https://github.com/znc/znc/issues/1763
> [3]: https://marc.info/?l=openbsd-cvs&m=160546290826930&w=2
> [4]: https://marc.info/?l=openbsd-cvs&m=160512059417991&w=2
>
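The failure Theo describes, reproduced offline as an added example (not code from this thread, from bacula or from OpenBSD): a constructed root -> intermediate -> leaf chain is built with openssl(1), and the leaf is verified against the root alone (the verifier cannot find the issuer) and then with the intermediate supplied alongside it. It assumes openssl and mktemp are installed; all file names and subject names are made-up sample values.

```shell
#!/bin/sh
# Added example: build a sample CA chain and show why a client that trusts
# only the root reports "unable to get local issuer certificate" when the
# intermediate is neither sent by the peer nor present locally.
dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT

# issue_cert NAME SUBJECT ISSUER EXTFILE: fresh key + CSR, then either
# self-sign (empty ISSUER) or sign with ISSUER's key and certificate.
issue_cert() {
  name=$1; subj=$2; issuer=$3; ext=$4
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    set -- -signkey "$dir/$name.key"
  else
    set -- -CA "$dir/$issuer.crt" -CAkey "$dir/$issuer.key" -CAcreateserial
  fi
  openssl x509 -req -in "$dir/$name.csr" "$@" -days 2 -sha256 \
    -extfile "$ext" -out "$dir/$name.crt" >/dev/null 2>&1
}

# Constructed chain: root (trust anchor), intermediate, leaf (the peer cert).
build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$dir/leaf.ext"
  issue_cert root '/CN=Example Root' '' "$dir/ca.ext"
  issue_cert int '/CN=Example Intermediate' root "$dir/ca.ext"
  issue_cert leaf '/CN=backup.example.test' int "$dir/leaf.ext"
}

# verify_leaf [INTERMEDIATE]: the trust store holds the root only. Without the
# intermediate no chain to the root can be built; with it (what the server
# would send, or what the client can be given) the leaf verifies.
# Prints openssl's result and returns its exit status.
verify_leaf() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$dir/root.crt" -untrusted "$1" "$dir/leaf.crt" 2>&1
  else
    openssl verify -CAfile "$dir/root.crt" "$dir/leaf.crt" 2>&1
  fi
}

build_chain
echo '# root only in the trust store, intermediate missing:'
verify_leaf || true
echo '# same leaf with the intermediate supplied:'
verify_leaf "$dir/int.crt"
```

Fixing the setup rather than libcrypto means either having the server send the intermediate with the leaf or giving the client the intermediate (the -untrusted case above).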