On Mon, Feb 01, 2021 at 09:44:07AM +0000, Stuart Henderson wrote:
> On 2021/02/01 08:44, Helmut Kiessling wrote:
> > Hi,
> >
> > Seems I have issues receiving emails into my private email so can you
> > kindly resend it to my work email instead? Original email below:
> >
> > I hope you can point me in the correct direction with this strange
> > behaviour in OpenBSD 6.8. So my script is using Perl library Net::LDAPS
> > like below:
> > Row 85: my $ldap = Net::LDAPS->new('localhost', port => 636, version => 3,
> > verify => 'require', capath => '/etc/openldap/certs' )
> >
> > When running the script it gives the following error:
> > # SSL connect attempt failed error:1404B418:SSL routines:ST_CONNECT:tlsv1
> > alert unknown ca error:14FFF086:SSL
> > routines:(UNKNOWN)SSL_internal:certificate verify failed at update.pl line
> > 85, <DATA> line 960
> >
> > And sure if I change verify => 'none' then it works but would be nice to
> > get certs verified too.
> >
> > Note, this same script works ok in OpenBSD 6.7.
> >
> > Net::LDAPS version is 0.06 (I also have these installed Net::SSLeay 1.88
> > and IO::Socket::SSL 2.068 in case they are related)
> >
> > Do you have any ideas?
>
> Cert validation is broken in some cases in 6.8 (false failures, not
> false positives). Depending on exactly which bug you run into, changing
> your program from using capath to cafile might do the trick. Otherwise
> the simplest workaround in most cases is to run -current where this is
> likely to work.
>
We will release a syspatch for 6.8 that will likely fix this in the next few days.
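
For the capath-to-cafile change suggested in the quoted reply, a single PEM bundle has to exist first. The following is an added example, not part of the thread or of any OpenBSD tooling: a shell helper that builds such a bundle from a capath-style directory. The function names and the output location are assumptions; only `/etc/openldap/certs` appears in the thread.

```shell
#!/bin/sh
# Added example: collect the CA certificates of a capath-style directory
# into one PEM file that can be passed to a client as "cafile".

# build_ca_bundle DIR OUT  (hypothetical helper name)
# Appends every regular file in DIR that holds a PEM certificate to OUT.
# Symlinks are skipped: in a hashed capath directory they are the <hash>.N
# links that point back at the same certificates and would be duplicates.
build_ca_bundle() {
    dir=$1
    out=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    tmp="$out.tmp.$$"
    : > "$tmp" || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue                 # subdirectory or empty glob
        [ -L "$f" ] && continue                 # hash symlink
        [ "$f" = "$out" ] && continue           # bundle from a previous run
        [ "$f" = "$tmp" ] && continue           # our own temporary file
        grep -q -e '-----BEGIN CERTIFICATE-----' "$f" || continue
        cat "$f" >> "$tmp"
        # a file without a final newline would glue two PEM blocks together
        [ -z "$(tail -c 1 "$f")" ] || echo >> "$tmp"
    done
    if [ ! -s "$tmp" ]; then
        echo "no PEM certificates found in $dir" >&2
        rm -f "$tmp"
        return 1
    fi
    # CA certificates are public; write atomically so readers never see
    # a half-built bundle
    chmod 644 "$tmp" && mv "$tmp" "$out"
}

# count_certs FILE: number of certificates in a bundle, for a sanity check
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}
```

The resulting file is what Net::LDAPS takes as `cafile => '...'` in place of `capath`, with `verify => 'require'` left unchanged.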
