> On 6 Apr 2024, at 13:15, Theo Buehler <tb@theobuehler.org> wrote:
> 
> On Sat, Apr 06, 2024 at 11:25:41AM +0100, Stuart Henderson wrote:
>>> On 2024/04/06 11:51, Mischa wrote:
>>> Hi All,
>>> 
>>> After the upgrade from 7.4 to 7.5 I am noticing a different
>>> behavior with LibreSSL talking to a destination with a
>>> self-signed certificate, in this case a Philips Hue Bridge.
>> 
>>> Certificate chain
>>> 0 s:/C=NL/O=Philips Hue/CN=ecb5fafffe236588
>>>   i:/C=NL/O=Philips Hue/CN=root-bridge
>> 
>> That's not self-signed (you would have the same for s: and i:)
>> rather a cert signed by a private CA. A bit of searching found it:
>> 
>> -----BEGIN CERTIFICATE-----
>> MIICMjCCAdigAwIBAgIUO7FSLbaxikuXAljzVaurLXWmFw4wCgYIKoZIzj0EAwIw
>> OTELMAkGA1UEBhMCTkwxFDASBgNVBAoMC1BoaWxpcHMgSHVlMRQwEgYDVQQDDAty
>> b290LWJyaWRnZTAiGA8yMDE3MDEwMTAwMDAwMFoYDzIwMzgwMTE5MDMxNDA3WjA5
>> MQswCQYDVQQGEwJOTDEUMBIGA1UECgwLUGhpbGlwcyBIdWUxFDASBgNVBAMMC3Jv
>> b3QtYnJpZGdlMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjNw2tx2AplOf9x86
>> aTdvEcL1FU65QDxziKvBpW9XXSIcibAeQiKxegpq8Exbr9v6LBnYbna2VcaK0G22
>> jOKkTqOBuTCBtjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNV
>> HQ4EFgQUZ2ONTFrDT6o8ItRnKfqWKnHFGmQwdAYDVR0jBG0wa4AUZ2ONTFrDT6o8
>> ItRnKfqWKnHFGmShPaQ7MDkxCzAJBgNVBAYTAk5MMRQwEgYDVQQKDAtQaGlsaXBz
>> IEh1ZTEUMBIGA1UEAwwLcm9vdC1icmlkZ2WCFDuxUi22sYpLlwJY81Wrqy11phcO
>> MAoGCCqGSM49BAMCA0gAMEUCIEBYYEOsa07TH7E5MJnGw557lVkORgit2Rm1h3B2
>> sFgDAiEA1Fj/C3AN5psFMjo0//mrQebo0eKd3aWRx+pQY08mk48=
>> -----END CERTIFICATE-----
>> 
>> I would have expected 'ftp -S dont' to work anyway, but perhaps there's
>> something in the server cert breaking that (I wonder about basic
>> constraints CA:false).
> 
> It's a server cert, not a CA cert, so these basic constraints seem
> correct. The cert looks good to me apart from the UTCTime vs
> GeneralizedTime issue.

What to do? :)

Mischa