I have an openvpn connection that needs the mbedtls flavor, because libressl is a bit too strict with its validation (yes, the cert should be changed, but it's not my server).
Since the update to clang-13 the connection fails with "The certificate is not correctly signed by the trusted CA" I found that compiling with compiling with -O1 or with clang-11/gcc from ports doesn't have the issue. Via printf comparison I managed to track the issue to mbedtls_rsa_rsassa_pkcs1_v15_verify() in rsa.c, where mbedtls_rsa_public() returns an incorrect <encoded>, which is too crypto black voodoo magic for me to hunt down further.
