On 2021/02/01 08:44, Helmut Kiessling wrote:
> Hi,
>
> Seems I have issues receiving emails into my private email so can you kindly
> resend it to my work email instead? Original email below:
>
> I hope you can point me in the correct direction with this strange behaviour in
> OpenBSD 6.8. So my script is using the Perl library Net::LDAPS like below:
> Row 85: my $ldap = Net::LDAPS->new('localhost', port => 636, version => 3,
> verify => 'require', capath => '/etc/openldap/certs' )
>
> When running the script it gives the following error:
> # SSL connect attempt failed error:1404B418:SSL routines:ST_CONNECT:tlsv1
> alert unknown ca error:14FFF086:SSL
> routines:(UNKNOWN)SSL_internal:certificate verify failed at update.pl line
> 85, <DATA> line 960
>
> And sure if I change verify => 'none' then it works but would be nice to get
> certs verified too.
>
> Note, this same script works OK in OpenBSD 6.7.
>
> Net::LDAPS version is 0.06 (I also have these installed Net::SSLeay 1.88 and
> IO::Socket::SSL 2.068 in case they are related)
>
> Do you have any ideas?

Cert validation is broken in some cases in 6.8 (false failures, not false positives). Depending on exactly which bug you run into, changing your program from using capath to cafile might do the trick. Otherwise the simplest workaround in most cases is to run -current where this is likely to work.
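
The capath-to-cafile workaround suggested above needs a single PEM bundle instead of a certificate directory. The following is an added example, not part of the original thread: a shell function that builds such a bundle from a capath-style directory. The function names and the output path in the comments are assumptions chosen for illustration.

```shell
# build_cafile DIR OUT: concatenate the PEM certificates found in a
# capath-style directory into one bundle usable as a cafile.
# Returns non-zero if the directory holds no certificates.
build_cafile() {
    dir=$1
    out=$2
    tmp=$(mktemp) || return 1
    count=0
    for f in "$dir"/*; do
        # Rehashed directories contain <hash>.N symlinks that point at the
        # real files; skip them so each certificate is bundled only once.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        grep -q -e '-----BEGIN CERTIFICATE-----' "$f" || continue
        # Keep only the PEM blocks, dropping any text around them.
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
            "$f" >> "$tmp"
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        rm -f "$tmp"
        return 1
    fi
    # Write the bundle only once it is complete, world-readable like a CA file.
    mv "$tmp" "$out" && chmod 644 "$out"
}

# count_certs FILE: number of certificates in a bundle, as a sanity check.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Usage (hypothetical output path):
#   build_cafile /etc/openldap/certs /etc/openldap/ca-bundle.pem
# The script would then pass, with verify => 'require' left in place:
#   cafile => '/etc/openldap/ca-bundle.pem'   instead of   capath => ...
```

Only CA certificates that are meant to be trusted for the LDAP server belong in the source directory, since everything in the bundle becomes a trust anchor for the connection.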
