From: Stuart Henderson <stu@spacehopper.org>
Subject: Re: LibreSSL changes in 7.5?
To: Mischa <openbsd@mlst.nl>
Cc: Tech <tech@openbsd.org>
Date: Sat, 6 Apr 2024 11:25:41 +0100

On 2024/04/06 11:51, Mischa wrote:
> Hi All,
> 
> After the upgrade from 7.4 to 7.5 I am noticing a different
> behavior with LibreSSL talking to a destination with a
> self-signed certificate, in this case a Philips Hue Bridge.

> Certificate chain
>  0 s:/C=NL/O=Philips Hue/CN=ecb5fafffe236588
>    i:/C=NL/O=Philips Hue/CN=root-bridge

That's not self-signed (you would have the same for s: and i:)
rather a cert signed by a private CA. A bit of searching found it:

-----BEGIN CERTIFICATE-----
MIICMjCCAdigAwIBAgIUO7FSLbaxikuXAljzVaurLXWmFw4wCgYIKoZIzj0EAwIw
OTELMAkGA1UEBhMCTkwxFDASBgNVBAoMC1BoaWxpcHMgSHVlMRQwEgYDVQQDDAty
b290LWJyaWRnZTAiGA8yMDE3MDEwMTAwMDAwMFoYDzIwMzgwMTE5MDMxNDA3WjA5
MQswCQYDVQQGEwJOTDEUMBIGA1UECgwLUGhpbGlwcyBIdWUxFDASBgNVBAMMC3Jv
b3QtYnJpZGdlMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjNw2tx2AplOf9x86
aTdvEcL1FU65QDxziKvBpW9XXSIcibAeQiKxegpq8Exbr9v6LBnYbna2VcaK0G22
jOKkTqOBuTCBtjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNV
HQ4EFgQUZ2ONTFrDT6o8ItRnKfqWKnHFGmQwdAYDVR0jBG0wa4AUZ2ONTFrDT6o8
ItRnKfqWKnHFGmShPaQ7MDkxCzAJBgNVBAYTAk5MMRQwEgYDVQQKDAtQaGlsaXBz
IEh1ZTEUMBIGA1UEAwwLcm9vdC1icmlkZ2WCFDuxUi22sYpLlwJY81Wrqy11phcO
MAoGCCqGSM49BAMCA0gAMEUCIEBYYEOsa07TH7E5MJnGw557lVkORgit2Rm1h3B2
sFgDAiEA1Fj/C3AN5psFMjo0//mrQebo0eKd3aWRx+pQY08mk48=
-----END CERTIFICATE-----

I would have expected 'ftp -S dont' to work anyway, but perhaps there's
something in the server cert breaking that (I wonder about basic
constraints CA:false).

But, to actually get things working, you could try saving that CA cert
to a file and using it with cafile.

Also: does curl -k work? (wondering if it's just libtls or wider).