Q: pkg_add fails with: TLS handshake failure: ocsp verify failed: Undefined error ...
Why 42? The lists account.
2021-03-19 09:59:04 UTC
Hi All,

What would cause pkg_add -u to report this error?
https://ftp.fau.de/pub/OpenBSD/snapshots/packages/amd64/: TLS handshake failure: ocsp verify failed: Undefined error: 0
https://ftp.fau.de/pub/OpenBSD/snapshots/packages/amd64/: empty
Couldn't find updates for ... a long list of (all?) installed packages ...
Error 0?

That directory, on fau.de, is not empty.
OpenBSD mjoelnir.fritz.box 6.9 GENERIC.MP#416 amd64
And as my next step I wanted to then upgrade my installed packages.

Did I miss something?

Cheers,
Robb.
Theo Buehler
2021-03-19 17:29:26 UTC
Post by Why 42? The lists account.
Hi All,
What would cause pkg_add -u to report this error?
https://ftp.fau.de/pub/OpenBSD/snapshots/packages/amd64/: TLS handshake failure: ocsp verify failed: Undefined error: 0
https://ftp.fau.de/pub/OpenBSD/snapshots/packages/amd64/: empty
Couldn't find updates for ... a long list of (all?) installed packages ...
Error 0?
There is some problem doing OCSP validation. It validates OK with openssl
1.0.2u and 1.1.1j but not with libressl. DFN run their own PKI and OCSP
responder so it might hit some edge case that isn't seen with other
responders.
I missed a typo in tobhe's diff. This fixes it for me.

Index: x509/x509_purp.c
===================================================================
RCS file: /cvs/src/lib/libcrypto/x509/x509_purp.c,v
retrieving revision 1.3
diff -u -p -r1.3 x509_purp.c
--- x509/x509_purp.c 13 Mar 2021 23:01:49 -0000 1.3
+++ x509/x509_purp.c 19 Mar 2021 17:21:29 -0000
@@ -571,7 +571,7 @@ x509v3_cache_extensions(X509 *x)
if (x->skid == NULL && i != -1)
x->ex_flags |= EXFLAG_INVALID;
x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, &i, NULL);
- if (x->skid == NULL && i != -1)
+ if (x->akid == NULL && i != -1)
x->ex_flags |= EXFLAG_INVALID;

/* Does subject name match issuer? */
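Review bot: the removed line `if (x->skid == NULL && i != -1)` duplicates the SKID check two lines above it even though `i` at that point holds the index returned by the AKID lookup, so the condition tests the wrong pointer: a certificate that carries an AKID extension but no SKID extension was marked EXFLAG_INVALID although both extensions decoded fine, while an AKID that was present but failed to decode (`x->akid == NULL` with `i != -1`) was never flagged. The replacement `if (x->akid == NULL && i != -1)` restores the intended check, and it would explain the OCSP verify failure reported above if the responder's certificate lacks a SKID. A regression test that loads a certificate with an AKID and no SKID and asserts that EXFLAG_INVALID is not set would keep this from recurring.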
