I once had incorrect VM time causing OCSP response like it was out of date, and syspatch refused in a similar way. But different than your situation I think.

V/r,
Bryan

On Fri, Jan 12, 2018 at 7:19 AM, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2018-01-12, dmitry.sensei <dmitry.sen...@gmail.com> wrote:
> > Strange message from syspatch:
> > # syspatch
> > ftp: SSL write error: no OCSP URLs in peer certificate
> > #
>
> Simplest workaround is to download the files yourself and use a local
> url in /etc/installurl, e.g. file:///tmp/syspatch.
>
> > what does this message mean and what to check?
> >
> > OpenBSD 6.2-stable GENERIC.MP#2 amd64
> >
> > we have a fortinet in the middle. Previously, it did not interfere with the
> > utility, since I added its certificate
>
> Most likely the fortinet doesn't include any OCSP URL in its MITM
> certificate, but just to be sure, which mirror? (cat /etc/installurl),
> and what's in the cert?
>
> $ openssl s_client -connect $hostname:443 -servername $hostname
>
> then copy the server cert and paste into "openssl x509 -text -noout".
>
> CA/B Forum requires an OCSP URL in certs unless stapling is used. But I
> don't see how a CA is going to know whether stapling is used so I would
> expect certs from the cabal to always have this set so we're unlikely to
> run into this with normal servers. So, although we're unlikely to bump
> into problems with this code without MITM, I think libtls may be going
> a little beyond usual requirements in needing this.
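The check Stuart describes (grab the server certificate with `openssl s_client`, then inspect it with `openssl x509`) as a small script. This is an added example, not code from the thread or from OpenBSD; it assumes an `openssl` binary that supports `x509 -ocsp_uri` and, for the offline self-test certificates, `req -addext`. The host name, the `/CN=test.example` subject and the `http://ocsp.test.example` responder are constructed values.

```sh
#!/bin/sh
# Added example: does a certificate carry an OCSP responder URL in its
# Authority Information Access extension? This is what libtls/ftp(1) is
# complaining about in "no OCSP URLs in peer certificate".
set -eu

# ocsp_urls_in_pem FILE: print the OCSP URI(s) found in a PEM certificate,
# one per line; prints nothing when the extension or the OCSP entry is absent.
ocsp_urls_in_pem() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# check_pem FILE: return 0 when at least one OCSP URL is present, 1 otherwise.
check_pem() {
    urls=$(ocsp_urls_in_pem "$1")
    if [ -n "$urls" ]; then
        printf 'OK: OCSP responder(s): %s\n' "$urls"
        return 0
    fi
    printf 'MISSING: no OCSP URL in %s (libtls will refuse this certificate)\n' "$1" >&2
    return 1
}

# fetch_leaf HOST: save the leaf certificate presented by HOST:443 (with SNI)
# to a temp file and print that file's path. </dev/null closes the session;
# the awk filter keeps only the first PEM block, i.e. the server certificate,
# even when s_client prints the whole chain.
fetch_leaf() {
    host=$1
    out=$(mktemp)
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 1' > "$out"
    printf '%s\n' "$out"
}

# make_test_cert FILE with|without: constructed self-signed certificates for
# offline testing, one with an OCSP entry in authorityInfoAccess and one
# without (the shape a MITM box tends to produce).
make_test_cert() {
    file=$1
    key=$(mktemp)
    if [ "$2" = with ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$file" -days 1 \
            -subj '/CN=test.example' \
            -addext 'authorityInfoAccess=OCSP;URI:http://ocsp.test.example' 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$file" -days 1 \
            -subj '/CN=test.example' 2>/dev/null
    fi
    rm -f "$key"
}

# Usage: sh ocsp_check.sh HOST   (e.g. the host part of /etc/installurl)
if [ $# -gt 0 ]; then
    pem=$(fetch_leaf "$1")
    check_pem "$pem"
fi
```

Run it against the mirror named in `/etc/installurl`; if it reports MISSING while a direct (non-proxied) connection to the same mirror reports OK, the certificate you are seeing is the interception box's, not the mirror's, which is the situation Stuart suspects here.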