If you run the not-yet-enabled-by-default OpenBSD CI task on master, ssl/001_ssltests fails in "intermediate client certificate is untrusted", recently uncommented by commit e0f373ee. I think it might be telling us that LibreSSL's X509_STORE_CTX_get_current_cert() is giving us the client certificate (i.e. chain depth 0) instead of the intermediate certificate, even though X509_STORE_CTX_get_error_depth() returned 1 as expected. I don't know why it would do that, given the documentation:

X509_STORE_CTX_get_current_cert() returns the certificate in ctx which caused the error or NULL if no certificate is relevant.

The explanation is probably in here somewhere, but I don't understand these things:

https://github.com/openbsd/src/blob/master/lib/libcrypto/x509/x509_vfy.c
https://github.com/openssl/openssl/blob/master/crypto/x509/x509_vfy.c

[17:55:28.888] # Failed test 'intermediate client certificate is untrusted: log matches'
[17:55:28.888] # at /home/postgres/postgres/src/test/perl/PostgreSQL/Test/Cluster.pm line 2667.
[17:55:28.888] # '2025-05-05 17:55:28.353 UTC [10009][postmaster] DEBUG: assigned pm child slot 1 for backend
[17:55:28.888] # 2025-05-05 17:55:28.354 UTC [10009][postmaster] DEBUG: forked new client backend, pid=27624 socket=8
[17:55:28.888] # 2025-05-05 17:55:28.355 UTC [27624][not initialized] [[unknown]][:0] LOG: connection received: host=localhost port=11357
[17:55:28.888] # 2025-05-05 17:55:28.374 UTC [27624][not initialized] [[unknown]][:0] LOG: could not accept SSL connection: certificate verify failed
[17:55:28.888] # 2025-05-05 17:55:28.374 UTC [27624][not initialized] [[unknown]][:0] DETAIL: Client certificate verification failed at depth 1: unable to get local issuer certificate.
[17:55:28.888] # Failed certificate data (unverified): subject "/CN=ssltestuser", serial number 2315702411956921344, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs".
[17:55:28.888] # 2025-05-05 17:55:28.374 UTC [27624][not initialized] [[unknown]][:0] DEBUG: SSL connection from DN:"(anonymous)" CN:"(anonymous)"
[17:55:28.888] # 2025-05-05 17:55:28.377 UTC [10009][postmaster] DEBUG: releasing pm child slot 1
[17:55:28.888] # 2025-05-05 17:55:28.377 UTC [10009][postmaster] DEBUG: client backend (PID 27624) exited with exit code 0
[17:55:28.888] # '
[17:55:28.888] # doesn't match '(?^:Failed certificate data \(unverified\): subject "/CN=Test CA for PostgreSQL SSL regression test client certs", serial number \d+, issuer "/CN=Test root CA for PostgreSQL SSL regression test suite")'
[17:55:28.888] # Looks like you failed 1 test of 240.

https://cirrus-ci.com/task/4708964002168832?logs=test_world#L345
https://api.cirrus-ci.com/v1/artifact/task/4708964002168832/testrun/build/testrun/ssl/001_ssltests/log/regress_log_001_ssltests
https://api.cirrus-ci.com/v1/artifact/task/4708964002168832/testrun/build/testrun/ssl/001_ssltests/log/001_ssltests_primary.log
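
An added example, not part of the original message or of the PostgreSQL test suite: a small log check that pairs each "verification failed at depth N" line with the certificate data logged after it and reports which chain depth that certificate actually sits at. The `CHAIN` table and the function name `check_failures` are assumptions made here; the depth-1 entry is taken from the pattern the test expected, and the second log pair is a constructed control.

```python
import re

# First two lines are copied from the log in the post; the last two are a
# constructed control (placeholder timestamp, PID and serial) showing what
# the test expected to see.
SAMPLE_LOG = """\
2025-05-05 17:55:28.374 UTC [27624][not initialized] [[unknown]][:0] DETAIL: Client certificate verification failed at depth 1: unable to get local issuer certificate.
Failed certificate data (unverified): subject "/CN=ssltestuser", serial number 2315702411956921344, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs".
2025-05-05 17:55:29.000 UTC [27625][not initialized] [[unknown]][:0] DETAIL: Client certificate verification failed at depth 1: unable to get local issuer certificate.
Failed certificate data (unverified): subject "/CN=Test CA for PostgreSQL SSL regression test client certs", serial number 1, issuer "/CN=Test root CA for PostgreSQL SSL regression test suite".
"""

CLIENT_CA = "/CN=Test CA for PostgreSQL SSL regression test client certs"
ROOT_CA = "/CN=Test root CA for PostgreSQL SSL regression test suite"
# Assumed chain as (subject, issuer), leaf first: list index == chain depth.
CHAIN = [("/CN=ssltestuser", CLIENT_CA), (CLIENT_CA, ROOT_CA)]

DEPTH_RE = re.compile(r"verification failed at depth (\d+): (.*?)\.?\s*$")
CERT_RE = re.compile(r'Failed certificate data \(unverified\): '
                     r'subject "([^"]*)", serial number (\d+), issuer "([^"]*)"')


def check_failures(log, chain):
    """Return one finding per failure: reported depth vs. depth of logged cert."""
    findings, pending = [], None
    for line in log.splitlines():
        m = DEPTH_RE.search(line)
        if m:
            pending = (int(m.group(1)), m.group(2))
            continue
        m = CERT_RE.search(line)
        if m and pending is not None:
            subject, issuer = m.group(1), m.group(3)
            # Position of the logged certificate in the known chain, if any.
            logged = next((i for i, c in enumerate(chain)
                           if c == (subject, issuer)), None)
            findings.append({"reported_depth": pending[0],
                             "reason": pending[1],
                             "subject": subject,
                             "logged_depth": logged,
                             "consistent": logged == pending[0]})
            pending = None
    return findings


if __name__ == "__main__":
    for f in check_failures(SAMPLE_LOG, CHAIN):
        print(f)
```
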