
From: Mischa Peters <openbsd@mlst.nl>
Subject: Re: LibreSSL changes in 7.5?
To: Stuart Henderson <stu@spacehopper.org>
Cc: Tech <tech@openbsd.org>
Date: Sat, 6 Apr 2024 13:53:56 +0200

Hi Stuart,

> On 6 Apr 2024, at 12:27, Stuart Henderson <stu@spacehopper.org> wrote:
> 
> On 2024/04/06 11:51, Mischa wrote:
>> Hi All,
>> 
>> After the upgrade from 7.4 to 7.5 I am noticing a different
>> behavior with LibreSSL talking to a destination with a
>> self-signed certificate, in this case a Philips Hue Bridge.
> 
>> Certificate chain
>> 0 s:/C=NL/O=Philips Hue/CN=ecb5fafffe236588
>>   i:/C=NL/O=Philips Hue/CN=root-bridge
> 
> That's not self-signed (you would have the same for s: and i:)
> rather a cert signed by a private CA. A bit of searching found it:

Fair enough. At least not a known CA. :)

> 
> I would have expected 'ftp -S dont' to work anyway, but perhaps there's
> something in the server cert breaking that (I wonder about basic
> constraints CA:false).
> 
> But, to actually get things working, you could try saving that CA cert
> to a file and using it with cafile.

Will give that a go. 

> Also: does curl -k work? (wondering if it's just libtls or wider).

% curl -k https://10.0.0.51/api/
curl: (35) LibreSSL/3.9.0: error:1400A13E:SSL routines:CONNECT_CR_CERT_REQ:ecc cert not for signing

Same result. 
I started seeing this with my Perl script which I am using for Hue automation. 

Mischa
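The cafile approach Stuart suggests, as an added Go example that is not part of this thread: it builds a private ECDSA root named like the issuer in the quoted chain and a server leaf issued by it (keys and serials are generated on the spot; nothing is taken from a real bridge), then verifies the leaf once against an empty trust store and once against a store holding that root. Go's crypto/x509 stands in for libtls here; only the subject names come from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error; in this example only a broken template could fail.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildChain makes a private root "root-bridge" and a leaf issued by it, shaped like the s:/i: lines in the thread.
func BuildChain() (root, leaf *x509.Certificate) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	from, until := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: from, NotAfter: until,
		Subject:      pkix.Name{Country: []string{"NL"}, Organization: []string{"Philips Hue"}, CommonName: "root-bridge"},
		IsCA:         true, BasicConstraintsValid: true, // basicConstraints CA:TRUE
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: from, NotAfter: until,
		Subject:      pkix.Name{Country: []string{"NL"}, Organization: []string{"Philips Hue"}, CommonName: "ecb5fafffe236588"},
		BasicConstraintsValid: true,                  // basicConstraints CA:FALSE on the leaf
		KeyUsage:              x509.KeyUsageDigitalSignature, // an ECDSA server cert must be usable for signing
	}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))))
	return root, leaf
}

// VerifyWith checks the leaf against a trust store: an empty pool plays the default store, a pool holding root plays cafile.
func VerifyWith(leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}
```

With an empty pool Verify returns an unknown-authority error, which is the libtls-side symptom of a private CA; adding the root to the pool is the equivalent of pointing ftp or curl at a cafile.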