On Thu, Jan 14, 2021 at 02:20:38PM +0100, Theo Buehler wrote:
> On Thu, Jan 14, 2021 at 01:32:41PM +0100, Matthieu Herrb wrote:
> > Hi,
> >
> > I'm trying to debug strange behaviour changes with certificates on a
> > system after upgrading it from 6.7 to 6.8...
> >
> > On 6.7, if I run:
> >
> > openssl s_server -cert mycert.pem -key mykey.pem -CAfile CA.pem
> >
> > then openssl s_client -showcerts -connect localhost:4433
> >
> > returns the full certificate chain mycert->CA
> >
> > With the same commands on 6.8, I don't get the CA certificate.
> >
> > Is this a known issue, and how can I get the chain with 6.8?
> >
> > (my real application is sendmail...)
>
> In short: Yes, this is known. You can't get the chain in 6.8.
>
> This is the reason why ajacoutot switched sendmail to link against
> eopenssl11 as a workaround in -stable. As your thread on ports shows,
> this workaround doesn't work if you add something that links against
> LibreSSL to the mix.
>
> There are several layers of unexpected things/bugs involved. The two
> main points are:
>
> 1. The TLSv1.3 server in 6.8 does not do auto chain since we hoped to
>    be able to avoid it. This was addressed post release when people
>    using OpenLDAP ran into it.
>    https://cvsweb.openbsd.org/src/lib/libssl/tls13_server.c#rev1.62
>
> 2. The new verifier doesn't behave as it should when auto chain is
>    enabled. As a workaround -current switches to the legacy verifier in
>    this situation for about a week now. The proper fix in the new
>    verifier is under discussion.
>    https://cvsweb.openbsd.org/src/lib/libssl/tls13_server.c#rev1.65
>
> I don't know whether/when there will be backports of some fixes to 6.8.
> As sthen said in the thread on ports, right now the simplest fix is to
> run -current.
Ok, thanks. Not the easiest for me, but I won't try to build a Frankenstein
system. In the meantime it looks like switching to insecure ldap connections
for sendmail works (the ldap server is on localhost so the risk is not very
high).

-- 
Matthieu Herrb
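The thread turns on a server that presents only its leaf certificate instead of leaf plus CA. The script below is an added example written for this page; it is not code from the thread, from OpenBSD or from LibreSSL. It assumes an openssl binary on PATH, builds a throwaway CA and leaf certificate (constructed test data, not anyone's real keys), and shows two checks a script can run on whatever a server presents, either a saved `openssl s_client -showcerts` capture or a PEM bundle: how many certificates were sent, and whether each certificate is actually issued by the one that follows it, so that a missing CA certificate like the 6.8 case is caught by a monitoring script rather than by a failing client.

```shell
#!/bin/sh
# Added example (not from the thread). Checks on the certificate chain a
# TLS server presents, plus a throwaway CA/leaf pair to exercise them.
# Assumes: openssl on PATH, POSIX sh, awk, mktemp.

# split_certs BUNDLE DIR: write each PEM certificate in BUNDLE to DIR/cert.N
split_certs() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$1"
}

# count_certs FILE: number of PEM certificates in FILE (prints 0 if none).
# Works on raw `s_client -showcerts` output as well as on a PEM bundle.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# chain_is_linked FILE: succeed if every certificate's issuer equals the
# subject of the certificate after it (leaf first, the order s_client
# prints them). A leaf sent without its CA passes trivially, so combine
# this with count_certs against the depth you expect.
chain_is_linked() {
    dir=$(mktemp -d)
    split_certs "$1" "$dir"
    n=$(count_certs "$1")
    i=1
    rc=0
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$dir/cert.$i" -noout -issuer)
        subject=$(openssl x509 -in "$dir/cert.$((i + 1))" -noout -subject)
        # Drop the "issuer=" / "subject=" prefixes; the DN formatting that
        # remains is the same for both within one openssl version.
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$dir"
    return $rc
}

# capture_chain HOST:PORT FILE: save the PEM blocks a live server sends
# (needs network; the offline test below does not call it).
capture_chain() {
    openssl s_client -showcerts -connect "$1" </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$2"
}

# make_test_chain DIR: constructed test data, a throwaway CA and a leaf it
# signed. Writes DIR/full.pem (leaf then CA, what a server with a complete
# chain sends) and DIR/leaf-only.pem (what the 6.8 server in the thread sent).
make_test_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Test CA' \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=localhost' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/ca.pem" > "$d/full.pem"
    cp "$d/leaf.pem" "$d/leaf-only.pem"
}

# Usage: sh chaincheck.sh HOST:PORT EXPECTED_DEPTH
# Exits 1 when the server sends fewer certificates than expected or a
# chain whose links do not match.
if [ $# -eq 2 ]; then
    tmp=$(mktemp)
    capture_chain "$1" "$tmp"
    got=$(count_certs "$tmp")
    if [ "$got" -lt "$2" ]; then
        echo "$1: got $got certificate(s), expected $2" >&2
        rm -f "$tmp"
        exit 1
    fi
    chain_is_linked "$tmp" || { echo "$1: chain is not linked" >&2; rm -f "$tmp"; exit 1; }
    rm -f "$tmp"
    echo "$1: chain ok ($got certificates)"
fi
```

The depth argument is what makes the check useful: for the thread's setup (`mycert` issued directly by `CA`) the expected depth is 2, and a server that has fallen back to sending the leaf alone fails the count even though the single certificate it sends is perfectly well formed.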