On 20-02-01 11:19:21, Stuart Henderson wrote:
> Currently known libressl problems:
>
> #1: https://bitbucket.org https://mirror.vdms.com https://ftp.postgresql.org
> fail with:
>
> Error: error:14FFF3E7:SSL routines:(UNKNOWN)SSL_internal:unknown failure
> occurred

This is a known issue related to Hello Retry Requests - I have code ready to
address it, however it still needs finalising and review. In the interim I've
disabled the TLSv1.3 client and we'll re-enable it once the currently known
issues have been addressed.

> #2: The "Provide struct/functions for handling TLSv1.3 key shares" commit
> breaks server side for non-libressl clients, including if 1.3 is disabled.
> ssl alert, decode_error. This is nasty for servers on -current.
>
> backout:
>
> cd /usr/src/lib/libssl
> ftp -o- 'https://github.com/openbsd/src/commit/4673309b7add502ba4c75a5eed0b550a38c0a8b1.patch' | patch -R

I've just committed a fix for this.

> #3: libtls session resumption is broken with 1.3. This is used by default in
> pkg_add and breaks 5 openbsd mirrors. tb@ has a diff or we can disable "-S
> session" in pkg_add for now if needed.
>
> rm /tmp/sess
> ftp -S session=/tmp/sess -o/dev/null https://cloudflare.cdn.openbsd.org/pub/OpenBSD/
> ftp -S session=/tmp/sess -o/dev/null https://cloudflare.cdn.openbsd.org/pub/OpenBSD/

There are a couple of bugs here, however it should no longer be an issue with
TLSv1.3 client disabled.

> If you are running into big problems with #1 and #3 rebuild libssl with
> "#define LIBRESSL_HAS_TLS1_3_CLIENT" commented out in ssl_locl.h.
