On Tue, 2022-01-04 at 19:01 +0100, Martijn van Duren wrote:
> I have an openvpn connection that needs the mbedtls flavor, because
> libressl is a bit too strict with its validation (yes, the cert should
> be changed, but it's not my server).
> 
> Since the update to clang-13 the connection fails with
> "The certificate is not correctly signed by the trusted CA"
> I found that compiling with -O1 or with clang-11/gcc
> from ports doesn't have the issue.
> 
> Via printf comparison I managed to track the issue to
> mbedtls_rsa_rsassa_pkcs1_v15_verify() in rsa.c, where
> mbedtls_rsa_public() returns an incorrect <encoded>, which is too
> crypto black voodoo magic for me to hunt down further.
> 

This seems to be fixed by bket's update to security/polarssl-2.16.12.
