On Fri, Mar 19, 2021 at 04:56:11PM +0000, Stuart Henderson wrote:
> In gmane.os.openbsd.misc, li...@y42.org wrote:
> >
> > Hi All,
> >
> > What would cause pkg_add -u to report this error?
> >> https://ftp.fau.de/pub/OpenBSD/snapshots/packages/amd64/: TLS handshake
> >> failure: ocsp verify failed: Undefined error: 0
> >> https://ftp.fau.de/pub/OpenBSD/snapshots/packages/amd64/: empty
> >> Couldn't find updates for ... a long list of (all?) installed packages ...
> >
> > Error 0?
>
> There is some problem doing OCSP validation. It validates OK with openssl
> 1.0.2u and 1.1.1j but not with libressl. DFN run their own PKI and OCSP
> responder so it might hit some edge case that isn't seen with other
> responders.

I missed a typo in tobhe's diff. This fixes it for me. Index: x509/x509_purp.c =================================================================== RCS file: /cvs/src/lib/libcrypto/x509/x509_purp.c,v retrieving revision 1.3 diff -u -p -r1.3 x509_purp.c --- x509/x509_purp.c 13 Mar 2021 23:01:49 -0000 1.3 +++ x509/x509_purp.c 19 Mar 2021 17:21:29 -0000 @@ -571,7 +571,7 @@ x509v3_cache_extensions(X509 *x) if (x->skid == NULL && i != -1) x->ex_flags |= EXFLAG_INVALID; x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, &i, NULL); - if (x->skid == NULL && i != -1) + if (x->akid == NULL && i != -1) x->ex_flags |= EXFLAG_INVALID; /* Does subject name match issuer? */
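
Review bot: The corrected `x->akid == NULL && i != -1` check in x509v3_cache_extensions() should come with a regress test, since the removed line differed from the skid check above it by nothing at all and is easy to reintroduce. In the removed line, `i` was set by the NID_authority_key_identifier lookup while the pointer tested was still x->skid, so a certificate with an authority key identifier but no subject key identifier ended up with EXFLAG_INVALID set. A test certificate of that shape, plus one with an AKID that fails to decode (which should still set the flag), would pin down both directions of the check. A short comment stating what `i != -1` means here (extension present but not decoded) would also help the next reader of these two blocks.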