Re: ftp TLS fails

To: current-users%netbsd.org@localhost
Subject: Re: ftp TLS fails
From: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
Date: Tue, 10 Oct 2023 17:03:46 +0200

On Tue, Oct 10, 2023 at 03:56:56PM +0200, Manuel Bouyer wrote:
> Hello
> with netbsd-10 from oct, 2 ftp fails to connect to https sites:
> tchatcha:/chroot/usr/pkgsrc-2023Q3/pkgsrc/sysutils/xenkernel418>ftp -o /tmp/o https://ftp.netbsd.org/
> Trying [2001:470:a085:999::21]:443 ...
> ftp: Can't connect to `2001:470:a085:999::21:443': No route to host
> Trying 199.233.217.201:443 ...
> FFFFFFFFFFFFFFFF:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1889:
> ftp: Can't connect to `ftp.netbsd.org:https'
> 
> 
> I have a ca-certificates.crt in /etc/openssl/certs/, I tried to re-run
> certctl but it didn't help.
> I see the same issue with downloads.xen.org
> 
> It seems that not all roots are installed ?

With some help from Thomas I found the problem:
I had a /etc/openssl/openssl.cnf lying around and this caused trouble.
After a rm -r /etc/openssl/* and postinstall again, _ have the certs.

/etc/openssl (I guess I only did rm -rf /etc/openssl/certs* before) and
this fixed things. /etc/openssl/certs.conf has more things now. Before it had
only
netbsd-certctl 20230816

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 ans d'experience feront toujours la difference
--

References:
- ftp TLS fails
  - From: Manuel Bouyer

Prev by Date: ftp TLS fails
Next by Date: Re: Driver support for Intel I225/I226 Ethernet adapters
Previous by Thread: ftp TLS fails
Indexes:

Home | Main Index | Thread Index | Old Index