From: Rick Macklem
To: Benjamin Kaduk
CC: FreeBSD CURRENT, Jung-uk Kim
Subject: Re: openssl in head returning "certificate expired" when it has not expired
Date: Tue, 2 Feb 2021 03:48:06 +0000

Benjamin Kaduk wrote:
>On Tue, Feb 02, 2021 at 12:46:25AM +0000, Rick Macklem wrote:
>> I've recently been testing the daemons that do the
>> non-application data stuff for nfs-over-tls with the
>> openssl in head.
>>
>> These daemons work fine with both ports/security/openssl (openssl-1.1.1h)
>> and ports/security/openssl-devel (openssl3-alpha).
>>
>> However, when linked to the openssl in head, the basic handshake
>> and KTLS works, but the peer certificate from the client is reported
>> as expired by SSL_get_verify_result(), although it is still valid.
>> I added some debug output and the "notAfter" field of the
>> certificate looks correct, so the certificate doesn't seem to be
>> corrupted.
>>
>> I tried backporting the changes in crypto/x509 in head back
>> into ports/security/openssl and it still worked, so those changes
>> do not seem to have caused the problem.
>> There are several differences in the configured options, but I cannot
>> see any other differences between ports/security/openssl and
>> what is in head that could cause this.
>> (The options that differ seem related to old encryption types, etc.)
>>
>> Any other ideas for tracking this down?
>
>Is it perhaps related to https://github.com/openssl/openssl/issues/14036 ?
Well, it is definitely due to a change in behaviour between 1.1.1h and 1.1.1i.
I noticed that ports/security/openssl has been upgraded to 1.1.1i and it
exhibits the "expired" behaviour.

However, in my case, the certificate has not expired.
The notAfter date is in 2022, but SSL_get_verify_result() returns
X509_V_ERR_CERT_HAS_EXPIRED.

rick

-Ben