From owner-freebsd-current@freebsd.org  Tue Feb  2 00:48:56 2021
Return-Path: <owner-freebsd-current@freebsd.org>
Delivered-To: freebsd-current@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 2D5EF4EF2B8
 for <freebsd-current@mailman.nyi.freebsd.org>;
 Tue,  2 Feb 2021 00:48:56 +0000 (UTC) (envelope-from kaduk@mit.edu)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4DV5m80MrJz3l93;
 Tue,  2 Feb 2021 00:48:55 +0000 (UTC) (envelope-from kaduk@mit.edu)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56)
 (User authenticated as kaduk@ATHENA.MIT.EDU)
 by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 1120mnHG011544
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
 Mon, 1 Feb 2021 19:48:54 -0500
Date: Mon, 1 Feb 2021 16:48:49 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Rick Macklem <rmacklem@uoguelph.ca>
Cc: FreeBSD CURRENT <freebsd-current@freebsd.org>,
 Jung-uk Kim <jkim@freebsd.org>
Subject: Re: openssl in head returning "certificate expired" when it has not
 expired
Message-ID: <20210202004849.GJ21@kduck.mit.edu>
References: <YQXPR0101MB09681F6F58AE1EF74B5F6998DDB69@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <YQXPR0101MB09681F6F58AE1EF74B5F6998DDB69@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
X-Rspamd-Queue-Id: 4DV5m80MrJz3l93
X-Spamd-Bar: ----
Authentication-Results: mx1.freebsd.org;
	none
X-Spamd-Result: default: False [-4.00 / 15.00];
	 REPLY(-4.00)[]
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
 <freebsd-current.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current/>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Feb 2021 00:48:56 -0000

On Tue, Feb 02, 2021 at 12:46:25AM +0000, Rick Macklem wrote:
> I've recently been testing the daemons that do the
> non-application data stuff for nfs-over-tls with the
> openssl in head.
> 
> These daemons work fine with both ports/security/openssl (openssl-1.1.1h)
> and ports/security/openssl-devel (openssl3-alpha).
> 
> However, when linked to the openssl in head, the basic handshake
> and KTLS works, but the peer certificate from the client is reported
> as expired by SSL_get_verify_result(), although it is still valid.
> I added some debug output and the "notAfter" field of the
> certificate looks correct, so the certificate doesn't seem to be
> corrupted.
> 
> I tried backporting the changes in crypto/x509 in head back
> into ports/security/openssl and it still worked, so those changes
> do not seem to have caused the problem.
> There are several differences in the configured options, but I cannot
> see any other differences between ports/security/openssl and
> what is in head that could cause this.
> (The options that differ seem related to old encryption types, etc.)
> 
> Any other ideas for tracking this down?

Is it perhaps related to https://github.com/openssl/openssl/issues/14036 ?

-Ben