LibreSSL changes in 7.5?
Hi All,
After the upgrade from 7.4 to 7.5 I am noticing a different behavior
with LibreSSL talking to a destination with a self-signed certificate,
in this case a Philips Hue Bridge.
On 7.4 I am getting the following:
###
mischa@zima:~ $ uname -a
OpenBSD zima.local.on16.nl 7.4 GENERIC.MP#1397 amd64
mischa@zima:~ $ ftp https://10.0.0.51/api
Trying 10.0.0.51...
TLS handshake failure: certificate verification failed: unable to get local issuer certificate
mischa@zima:~ $ ftp -Sdont https://10.0.0.51/api
Trying 10.0.0.51...
Requesting https://10.0.0.51/api
95 bytes received in 0.00 seconds (187.97 KB/s)
mischa@zima:~ $ openssl s_client -showcerts -connect 10.0.0.51:443 </dev/null
CONNECTED(00000003)
depth=0 C = NL, O = Philips Hue, CN = ecb5fafffe236588
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
0 s:/C=NL/O=Philips Hue/CN=ecb5fafffe236588
i:/C=NL/O=Philips Hue/CN=root-bridge
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=/C=NL/O=Philips Hue/CN=ecb5fafffe236588
issuer=/C=NL/O=Philips Hue/CN=root-bridge
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1063 bytes and written 407 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES128-GCM-SHA256
Session-ID:
ECC41882A79CAA0A227DFFE63C008559B0101AED66EF0E130E4D1A2DFBF4C9C9
Session-ID-ctx:
Master-Key:
C9873D5DCF6B8422DE3D5B82C1C984BD873AA1ABE1A55D91CDC48E53F746BC9EC6EC4C315CDBD473D8DC9E2C785C3E9F
TLS session ticket lifetime hint: 86400 (seconds)
TLS session ticket:
Start Time: 1712396807
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
DONE
###
On a host freshly upgraded to 7.5 I am getting:
###
mischa@m720q:~ $ uname -a
OpenBSD m720q.on16.nl 7.5 GENERIC.MP#82 amd64
mischa@m720q:~ $ ftp https://10.0.0.51/api
Trying 10.0.0.51...
TLS handshake failure: certificate verification failed: unable to get local issuer certificate
mischa@m720q:~ $ ftp -Sdont https://10.0.0.51/api
Trying 10.0.0.51...
TLS handshake failure: handshake failed: error:1400A13E:SSL routines:CONNECT_CR_CERT_REQ:ecc cert not for signing
mischa@m720q:~ $ openssl s_client -showcerts -connect 10.0.0.51:443 </dev/null
CONNECTED(00000003)
depth=0 C = NL, O = Philips Hue, CN = ecb5fafffe236588
verify error:num=20:unable to get local issuer certificate
verify return:1
2967084792184:error:1400A13E:SSL routines:CONNECT_CR_CERT_REQ:ecc cert not for signing:/usr/src/lib/libssl/ssl_lib.c:2336:
2967084792184:error:1400A130:SSL routines:CONNECT_CR_CERT_REQ:bad ecc cert:/usr/src/lib/libssl/ssl_clnt.c:2252:
---
Certificate chain
0 s:/C=NL/O=Philips Hue/CN=ecb5fafffe236588
i:/C=NL/O=Philips Hue/CN=root-bridge
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=/C=NL/O=Philips Hue/CN=ecb5fafffe236588
issuer=/C=NL/O=Philips Hue/CN=root-bridge
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 812 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1712396824
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
###
Anything else I can check or do to troubleshoot further?
Mischa
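Added example, not part of the thread above: the "ecc cert not for signing" error is raised by libssl's check that an ECDSA server certificate is permitted to sign, i.e. that its X509v3 Key Usage extension, if present, includes Digital Signature. The script below pulls that extension out of a certificate and exercises the check on two constructed self-signed P-256 certificates; treating an absent keyUsage extension as acceptable follows the classic OpenSSL semantics and is an assumption here, as is the guess that the bridge certificate lacks the bit (the post does not show its extensions).

```shell
#!/bin/sh
# Constructed example, not code from the original post or from LibreSSL.
set -eu

# Extract the leaf certificate a TLS server presents; s_client still prints
# the chain when the handshake fails afterwards, as the 7.5 output shows.
fetch_server_cert() {   # usage: fetch_server_cert host:port > leaf.pem
    openssl s_client -showcerts -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Print the decoded Key Usage bits of a PEM certificate; empty if absent.
cert_key_usage() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Key Usage/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Exit 0 if the certificate is acceptable for ECDSA signing under a keyUsage
# check: no keyUsage extension at all (assumption, see lead-in) or one that
# includes Digital Signature. Exit 1 and explain otherwise.
ecdsa_cert_can_sign() {
    ku=$(cert_key_usage "$1")
    if [ -z "$ku" ]; then
        return 0
    fi
    case "$ku" in
        *"Digital Signature"*) return 0 ;;
        *) echo "keyUsage '$ku' has no Digital Signature bit" >&2; return 1 ;;
    esac
}

# Build a constructed self-signed P-256 certificate with a chosen keyUsage so
# the check can be tried offline without the bridge (throwaway key, 1 day).
make_cert() {   # usage: make_cert out.pem "critical,keyAgreement"
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
    openssl req -x509 -new -key "$1.key" -out "$1" -days 1 \
        -subj "/C=NL/O=Constructed/CN=fake-bridge" -addext "keyUsage=$2"
}
```

Against the real device, run `fetch_server_cert 10.0.0.51:443 > hue.pem` followed by `ecdsa_cert_can_sign hue.pem` to see which case applies.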