On Thu, Jan 14, 2021 at 01:32:41PM +0100, Matthieu Herrb wrote:
> Hi,
>
> I'm trying to debug strange behaviour changes with certificates on a
> system after upgrading it from 6.7 to 6.8...
>
> On 6.7, if I run:
>
> openssl s_server -cert mycert.pem -key mykey.pem -CAfile CA.pem
>
> then openssl s_client -showcerts -connect localhost:4433
>
> returns the full certificate chain mycert->CA
>
> With the same commands on 6.8, I don't get the CA certificate.
>
> Is this a known issue, and how can I get the chain with 6.8?
>
> (my real application is sendmail...)
In short: Yes, this is known. You can't get the chain in 6.8. This is the reason why ajacoutot switched sendmail to link against eopenssl11 as a workaround in -stable. As your thread on ports shows, this workaround doesn't work if you add something that links against LibreSSL to the mix.

There are several layers of unexpected things/bugs involved. The two main points are:

1. The TLSv1.3 server in 6.8 does not do auto chain since we hoped to be able to avoid it. This was addressed post release when people using OpenLDAP ran into it.
   https://cvsweb.openbsd.org/src/lib/libssl/tls13_server.c#rev1.62

2. The new verifier doesn't behave as it should when auto chain is enabled. As a workaround -current switches to the legacy verifier in this situation for about a week now. The proper fix in the new verifier is under discussion.
   https://cvsweb.openbsd.org/src/lib/libssl/tls13_server.c#rev1.65

I don't know whether/when there will be backports of some fixes to 6.8. As sthen said in the thread on ports, right now the simplest fix is to run -current.
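As an added example (not part of this thread, and not code from the LibreSSL or OpenBSD projects), the following POSIX shell snippet automates the check described above: it feeds the output of `openssl s_client -showcerts` to two small parsers that count how many certificates the server presented and whether the last one is self-signed (i.e. the chain reaches a root rather than stopping at the leaf). The two sample transcripts, the host/port arguments and the `probe_chain` helper name are constructed for this example; the PEM bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# Check whether a TLS server presents a complete certificate chain.
# Reads `openssl s_client -showcerts` output and reports (a) how many
# certificates were sent and (b) whether the last one is self-signed.

# Constructed sample: a 6.7-style answer with leaf + CA (auto chain worked).
SAMPLE_FULL='Certificate chain
 0 s:/CN=mail.example.org
   i:/CN=Example CA
-----BEGIN CERTIFICATE-----
MIIB...leaf-placeholder...
-----END CERTIFICATE-----
 1 s:/CN=Example CA
   i:/CN=Example CA
-----BEGIN CERTIFICATE-----
MIIB...ca-placeholder...
-----END CERTIFICATE-----
---'

# Constructed sample: a 6.8-style answer with only the leaf certificate.
SAMPLE_LEAF_ONLY='Certificate chain
 0 s:/CN=mail.example.org
   i:/CN=Example CA
-----BEGIN CERTIFICATE-----
MIIB...leaf-placeholder...
-----END CERTIFICATE-----
---'

# count_chain_certs: number of PEM certificate blocks on stdin.
# (awk rather than grep -c, so an empty chain prints 0 instead of failing.)
count_chain_certs() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }'
}

# chain_terminates_at_root: prints "yes" when the subject of the last
# presented certificate equals its issuer (self-signed root), else "no".
# Handles both the "s:/CN=..." (LibreSSL, OpenSSL 1.0) and "s:CN = ..."
# (OpenSSL 1.1+) spellings, since only the prefix is stripped.
chain_terminates_at_root() {
    awk '
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0 }
        /^ *i:/        { sub(/^ *i:/, "");        iss  = $0 }
        END { if (subj != "" && subj == iss) print "yes"; else print "no" }
    '
}

# probe_chain HOST PORT: run the real s_client against a live server and
# summarise what it sent. Hypothetical helper; needs the openssl binary.
probe_chain() {
    out=$(openssl s_client -showcerts -connect "$1:$2" </dev/null 2>/dev/null)
    n=$(printf '%s\n' "$out" | count_chain_certs)
    root=$(printf '%s\n' "$out" | chain_terminates_at_root)
    printf '%s:%s presented %s certificate(s); last one self-signed: %s\n' \
        "$1" "$2" "$n" "$root"
    # A lone leaf whose issuer is not presented means clients must already
    # trust the CA out of band, which is exactly the breakage seen on 6.8.
    [ "$n" -ge 2 ] || printf 'warning: intermediate/CA certificate not sent\n'
}

# Usage: sh check_chain.sh localhost 4433
if [ $# -eq 2 ]; then
    probe_chain "$1" "$2"
fi
```

Running it against the `s_server` from the original question on 6.7 should report two certificates with the last one self-signed; on 6.8 (before the linked tls13_server.c fixes) it reports a single certificate and prints the warning.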