From owner-freebsd-current@freebsd.org Tue Feb 2 15:13:51 2021
From: Rick Macklem
To: Benjamin Kaduk
CC: FreeBSD CURRENT, Jung-uk Kim
Subject: Re: openssl in head returning "certificate expired" when it has not expired
Date: Tue, 2 Feb 2021 15:13:43 +0000
References: <20210202004849.GJ21@kduck.mit.edu>, <20210202065010.GR21@kduck.mit.edu>
In-Reply-To: <20210202065010.GR21@kduck.mit.edu>

Benjamin Kaduk wrote:
>On Tue, Feb 02, 2021 at 03:48:06AM +0000, Rick Macklem wrote:
>> Benjamin Kaduk wrote:
>> >On Tue, Feb 02, 2021 at 12:46:25AM +0000, Rick Macklem wrote:
>> >> I've recently been testing the daemons that do the
>> >> non-application data stuff for nfs-over-tls with the
>> >> openssl in head.
>> >>
>> >> These daemons work fine with both ports/security/openssl (openssl-1.1.1h)
>> >> and ports/security/openssl-devel (openssl3-alpha).
>> >>
>> >> However, when linked to the openssl in head, the basic handshake
>> >> and KTLS works, but the peer certificate from the client is reported
>> >> as expired by SSL_get_verify_result(), although it is still valid.
>> >> I added some debug output and the "notAfter" field of the
>> >> certificate looks correct, so the certificate doesn't seem to be
>> >> corrupted.
>> >>
>> >> I tried backporting the changes in crypto/x509 in head back
>> >> into ports/security/openssl and it still worked, so those changes
>> >> do not seem to have caused the problem.
>> >> There are several differences in the configured options, but I cannot
>> >> see any other differences between ports/security/openssl and
>> >> what is in head that could cause this.
>> >> (The options that differ seem related to old encryption types, etc.)
>> >>
>> >> Any other ideas for tracking this down?
>> >
>> >Is it perhaps related to https://github.com/openssl/openssl/issues/14036 ?
>> Well, it is definitely due to a change in behaviour between 1.1.1h and 1.1.1i.
>> I noticed that ports/security/openssl has been upgraded to 1.1.1i and it
>> exhibits the "expired" behaviour.
>>
>> However, in my case, the certificate has not expired.
>> The notAfter date is in 2022, but SSL_get_verify_result() returns
>> X509_V_ERR_CERT_HAS_EXPIRED.
>
>Is there an expired CA in the chain?
Ouch, yes, that's it. The root CA has expired.

>I suppose that reverting the commit from
>https://github.com/openssl/openssl/pull/11359 (linked from the issue) would
>probably be pretty easy to check.
I replaced x509_vfy.c with the one from openssl-1.1.1h and the problem went
away. (Which I suspect is about the same thing.)

Now I'll go and create a new root CA, etc. and make sure it works with
openssl-1.1.1i and what is in head.

Thanks for the helpful comments, rick

-Ben
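The trap this thread runs into is that SSL_get_verify_result() reports an error for the chain as a whole, so a leaf whose notAfter "looks correct" can still fail because a CA above it has lapsed. As an added example (not code from the thread, from FreeBSD or from OpenSSL), the dependency-free Python walker below reads notBefore/notAfter from every certificate in a PEM bundle and reports which chain depth has expired at a given time; it assumes the bundle is leaf-first, as presented in a handshake, and its sample certificates are constructed, unsigned tbsCertificate skeletons rather than real certificates.

```python
import base64, re
from datetime import datetime, timezone

def _tlv(buf, pos):  # decode one DER TLV at buf[pos] -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _time(buf, pos):  # Time is UTCTime (tag 0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)
    tag, start, end = _tlv(buf, pos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(buf[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc), end

def validity(der):
    """Return (notBefore, notAfter) of one DER certificate by walking tbsCertificate."""
    _, pos, _ = _tlv(der, 0)          # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(der, pos)        # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                   # version [0] EXPLICIT is optional; skip it when present
        pos = end
    for _ in range(3):                # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)        # validity ::= SEQUENCE { notBefore, notAfter }
    not_before, pos = _time(der, pos)
    return not_before, _time(der, pos)[0]

def pem_chain(text):
    """Split a PEM bundle (leaf first, as presented in the handshake) into DER blobs."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def expired_depths(chain, now):
    """Depths (0 = leaf, last = root) whose notAfter is already past at `now`."""
    return [depth for depth, der in enumerate(chain) if validity(der)[1] < now]

# Constructed sample data: unsigned tbsCertificate skeletons, NOT real certificates.
def _der(tag, body):
    return bytes([tag, len(body)]) + body   # short-form length suffices for the skeletons
def _skeleton(not_before, not_after):
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _der(0x30, b"") + _der(0x30, utc(not_before) + utc(not_after)))
    return _der(0x30, _der(0x30, tbs))
def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

AS_OF = datetime(2021, 2, 2, tzinfo=timezone.utc)   # the date of this thread
SAMPLE_PEM = (_pem(_skeleton(datetime(2020, 6, 1), datetime(2022, 6, 1)))     # leaf: still valid
              + _pem(_skeleton(datetime(2011, 2, 1), datetime(2021, 1, 31))))  # root: expired
```

Running `expired_depths(pem_chain(SAMPLE_PEM), AS_OF)` on the sample yields `[1]`: the leaf at depth 0 is fine and the root at depth 1 is the certificate that needs replacing.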