> On Aug 21, 2020, at 5:21 PM, thorsten.hab...@findichgut.net wrote:
>
> By the way, I already applied your last patch on the testing environment.
> No problems found so far. tafile and CApath based mandatory TLS delivery
> work just fine.
Thanks for the confirmation. Fortunately, the good news is not surprising: the reason for the intermittent (more failure than success) problem you were having, and only in tlsproxy(8), is clear from the patch. The wrong TLS SSL_CTX was selected for "tafile" connections; it was shared with normal WebPKI connections, which raced the "tafile" connections to set the correct verification callback. With the symptoms fitting the bug so well, the confirmation is more of a formality, but still good to have.

Sorry it took a while to get here, but the early messages in the thread had me focused on resumption rather than the initial verification failure, which was the real problem.

-- 
Viktor.