From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 237757] www/nginx-devel: OCSP stapling broken with security/libressl 2.9.1
Date: Mon, 13 May 2019 00:21:13 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237757

--- Comment #5 from Elias Ohm ---

I do not exactly know why to use LibreSSL instead of OpenSSL, but anyway I had a look at that issue just out of interest.
I didn't check the commit history for LibreSSL 2.9.1, but either way, the cause for bringing that up now is just this one: `- Implemented further missing OpenSSL 1.1 API.` (implemented API function SSL_CTX_set0_chain_certs). If this function is newly defined, then nginx just switches to using this function, which refers to a chain attached to a certificate in the context instead of an extra chain available at the context. Whereas the parts in nginx that read the chain did not implement the get counterpart but stuck with the OpenSSL 1.0.1 function SSL_CTX_get_extra_chain_certs. The function is implemented differently in OpenSSL and LibreSSL: OpenSSL falls back to the certificate chain if no extra chain is present, so it never trips over the inconsistency in the nginx code, whereas LibreSSL implemented that function with the semantics of the OpenSSL SSL_CTX_get_extra_chain_certs_only (so no fallback to the certificate chain) - or LibreSSL now decided to change the semantics of SSL_CTX_get_extra_chain_certs to that of OpenSSL's SSL_CTX_get_extra_chain_certs_only...

In effect the certificate chain has been stored on the chain field belonging to the certificate, but for the stapling check it tried to read that from the extra_chain (so getting no certificate to verify and passing an empty value for chain to OCSP_basic_verify, resulting in "signer certificate not found")...

So if you want to have it work you can try the attached patch. I also submitted it to nginx directly as this is a thing that should be generally fixed (even when it's working with OpenSSL it's not fine to not use the correct counterparts of newly implemented interfaces).
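An added example (not part of the bug report or of the attached patch) that reproduces the reported symptom with the openssl command line: a constructed throw-away CA answers an OCSP request for its own leaf without embedding the signer certificate, and the response is then verified once with an empty chain and once with the CA supplied via -verify_other, which corresponds to the certs argument that nginx hands to OCSP_basic_verify. File names, subjects and the serial are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report: reproduce "signer certificate
# not found" with the openssl CLI. A constructed throw-away CA signs an OCSP
# response for its own leaf without embedding the signer (-resp_no_certs), so
# the verifier must find the signer in the chain it is given. -verify_other is
# the CLI counterpart of the certs/chain argument of OCSP_basic_verify();
# omitting it mirrors the empty chain described in the report.
set -e
WORK=${WORK:-$(mktemp -d)}   # assumed scratch directory

make_pki() {
  # Self-signed CA plus one leaf with fixed serial 0x1001, each valid one day.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -subj "/CN=Constructed Test CA" -days 1 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=example.test" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -set_serial 0x1001 -days 1 -out "$WORK/leaf.pem" 2>/dev/null
  # Minimal "openssl ca" index: serial 1001 is valid (V); expiry is not parsed.
  printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=example.test\n' >"$WORK/index.txt"
}

make_response() {
  # Act as the CA's own responder for an internally generated request and
  # write the DER response; -noverify skips checking our own answer here.
  openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.pem" -rsigner "$WORK/ca.pem" \
    -rkey "$WORK/ca.key" -issuer "$WORK/ca.pem" -cert "$WORK/leaf.pem" -no_nonce \
    -resp_no_certs -ndays 1 -noverify -respout "$WORK/resp.der" >/dev/null 2>&1
}

# Empty chain, as in the nginx/LibreSSL case: openssl prints
# "Response Verify Failure" with "signer certificate not found" and exits 1.
verify_without_chain() {
  openssl ocsp -respin "$WORK/resp.der" -CAfile "$WORK/ca.pem" -no_nonce 2>&1
}

# CA supplied as the chain: the signer is located, "Response verify OK".
verify_with_chain() {
  openssl ocsp -respin "$WORK/resp.der" -CAfile "$WORK/ca.pem" \
    -verify_other "$WORK/ca.pem" -no_nonce 2>&1
}

if [ "${1:-}" = "demo" ]; then
  make_pki && make_response
  verify_without_chain || true
  verify_with_chain
fi
```

Run it as `sh ocsp-chain.sh demo`; the same responder setup also lets you verify a response captured from a real stapling server offline with -respin.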