On 11/16/2020 6:52 AM, Stuart Henderson wrote:
...actually I have now added a workaround to the databases/openldap port in 6.8-stable to disable TLS 1.3, so either rebuild or wait for -stable packages and it should fix things.
Cool, I was actually already building from source in order to enable modules. I updated my ports tree and rebuilt; it looks good now. Thanks much for the quick fix.
It still does behave a little bit differently: under 6.7 it was including the root CA in the chain sent by the server, under 6.8 it is only including the intermediate, not the root. Which I actually prefer, as sending the root is a waste of time; the client needs to have that itself anyway in order to validate the chain in the first place.