Date: Tue, 2 Feb 2021 00:46:25 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: FreeBSD CURRENT <freebsd-current@freebsd.org>
Cc: Jung-uk Kim <jkim@FreeBSD.org>
Subject: openssl in head returning "certificate expired" when it has not expired
Message-ID: <YQXPR0101MB09681F6F58AE1EF74B5F6998DDB69@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>

I've recently been testing the daemons that do the
non-application data stuff for nfs-over-tls with the
openssl in head.

These daemons work fine with both ports/security/openssl (openssl-1.1.1h)
and ports/security/openssl-devel (openssl3-alpha).

However, when linked to the openssl in head, the basic handshake
and KTLS works, but the peer certificate from the client is reported
as expired by SSL_get_verify_result(), although it is still valid.
I added some debug output and the "notAfter" field of the
certificate looks correct, so the certificate doesn't seem to be
corrupted.

I tried backporting the changes in crypto/x509 in head back
into ports/security/openssl and it still worked, so those changes
do not seem to have caused the problem.
There are several differences in the configured options, but I cannot
see any other differences between ports/security/openssl and
what is in head that could cause this.
(The options that differ seem related to old encryption types, etc.)

Any other ideas for tracking this down?

Thanks, rick