Date: Tue, 2 Feb 2021 00:46:25 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: FreeBSD CURRENT <freebsd-current@freebsd.org>
Cc: Jung-uk Kim <jkim@FreeBSD.org>
Subject: openssl in head returning "certificate expired" when it has not expired
Message-ID: <YQXPR0101MB09681F6F58AE1EF74B5F6998DDB69@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>

I've recently been testing the daemons that do the non-application data stuff for nfs-over-tls with the openssl in head.

These daemons work fine with both ports/security/openssl (openssl-1.1.1h) and ports/security/openssl-devel (openssl3-alpha).

However, when linked to the openssl in head, the basic handshake and KTLS work, but the peer certificate from the client is reported as expired by SSL_get_verify_result(), although it is still valid. I added some debug output and the "notAfter" field of the certificate looks correct, so the certificate doesn't seem to be corrupted.

I tried backporting the changes in crypto/x509 in head back into ports/security/openssl and it still worked, so those changes do not seem to have caused the problem.

There are several differences in the configured options, but I cannot see any other differences between ports/security/openssl and what is in head that could cause this. (The options that differ seem related to old encryption types, etc.)

Any other ideas for tracking this down?

Thanks, rick
