Re: Q: pkg_add fails with: TLS handshake failure: ocsp verify failed: Undefined error ...

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: Q: pkg_add fails with: TLS handshake failure: ocsp verify failed: Undefined error ...

Stuart Henderson
In gmane.os.openbsd.misc, [hidden email] wrote:
>
> Hi All,
>
> What would cause pkg_add -u to report this error?
>> https://ftp.fau.de/pub/OpenBSD/snapshots/packages/amd64/: TLS handshake failure: ocsp verify failed: Undefined error: 0
>> https://ftp.fau.de/pub/OpenBSD/snapshots/packages/amd64/: empty
>> Couldn't find updates for ... a long list of (all?) installed packages ...
>
> Error 0?

There is some problem doing OCSP validation. It validates OK with openssl
1.0.2u and 1.1.1j but not with libressl. DFN run their own PKI and OCSP
responder so it might hit some edge case that isn't seen with other
responders.

> That directory, on fau.de, is not empty.
>
> I have just rebooted after running sysupgrade to arrive at:
>> OpenBSD mjoelnir.fritz.box 6.9 GENERIC.MP#416 amd64
>
> And as my next step I wanted to then upgrade my installed packages.
>
> Did I miss something?

pkg_add doesn't get a directory index from ftp(1), it's limited in what
it can do at that point.

Workarounds are,

use http (packages are signed anyway)
use a different mirror
set FETCH_CMD="ftp -S noverifytime" in the environment which disables OCSP

I've included certs below if someone wants to reproduce to debug it.

$ openssl ocsp -sha1 -issuer fau-ca.crt -cert fau-cert.crt -url http://ocsp.pca.dfn.de/OCSP-Server/OCSP -text -CAfile fau-ca.crt -no_nonce
[...]
Response Verify Failure
3535329314880:error:27FFF065:OCSP routines:CRYPTO_internal:certificate verify error:/usr/src/lib/libcrypto/ocsp/ocsp_vfy.c:141:Verify error:error number 1
fau-cert.crt: good
        This Update: Mar 19 12:22:25 2021 GMT
        Next Update: Mar 26 12:22:25 2021 GMT

$ eopenssl ocsp -sha1 -issuer fau-ca.crt -cert fau-cert.crt -header host ocsp.pca.dfn.de -url http://ocsp.pca.dfn.de/OCSP-Server/OCSP -text -CAfile fau-ca.crt -no_nonce
Response verify OK
fau-cert.crt: good
        This Update: Mar 19 12:22:25 2021 GMT
        Next Update: Mar 26 12:22:25 2021 GMT

$ eopenssl11 ocsp -sha1 -issuer fau-ca.crt -cert fau-cert.crt -header host=ocsp.pca.dfn.de -url http://ocsp.pca.dfn.de/OCSP-Server/OCSP -text -CAfile fau-ca.crt -no_nonce
Response verify OK
fau-cert.crt: good
        This Update: Mar 19 12:22:25 2021 GMT
        Next Update: Mar 26 12:22:25 2021 GMT


cat > fau-cert.crt << EOF
-----BEGIN CERTIFICATE-----
MIIKjTCCCXWgAwIBAgIMIKr6htHOf3G7wcorMA0GCSqGSIb3DQEBCwUAMIGNMQsw
CQYDVQQGEwJERTFFMEMGA1UECgw8VmVyZWluIHp1ciBGb2VyZGVydW5nIGVpbmVz
IERldXRzY2hlbiBGb3JzY2h1bmdzbmV0emVzIGUuIFYuMRAwDgYDVQQLDAdERk4t
UEtJMSUwIwYDVQQDDBxERk4tVmVyZWluIEdsb2JhbCBJc3N1aW5nIENBMB4XDTE5
MDMxNTEwMjI1MVoXDTIxMDYxNjEwMjI1MVowgZMxCzAJBgNVBAYTAkRFMQ8wDQYD
VQQIDAZCYXllcm4xETAPBgNVBAcMCEVybGFuZ2VuMTwwOgYDVQQKDDNGcmllZHJp
Y2gtQWxleGFuZGVyLVVuaXZlcnNpdGFldCBFcmxhbmdlbi1OdWVybmJlcmcxDTAL
BgNVBAsMBFJSWkUxEzARBgNVBAMMCmZ0cC5mYXUuZGUwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQDw/LdY8/DG14NOIDqtJOsi14DwF6O7DHw11fqYuJZ6
3OBGOdHBRkTtUe2thjUny0LanvFLmuHqPzpYpDRuayTd156Rdr6dD5BpokVK6O/P
TzQSREYHX0VdGsqN5kLYSsXzVuYxjlWKLJxxWXDmKHQdYJpIePzIyrTM2Y9nQQKv
tq4y7EKaj7vFkRtRrX0opnJat33kip/KaWiAFhbJCIIy7Tjuh2sPJXYy9jigQ9OP
YLrzPNADkoUkOUaYp0LyUOcvIi4lY2/IdQZZfW59Lu9o8PcNSF262OFvTi55IoWP
sbuY6/h88XvycB8eqZTvToXIf9siAa/Hbf7xmTLnllOcegE9v5K6B9FSiuBEgcNe
bXFq0OTYHSjrqOzeohUa8b5n2M7kQyXi1bGjH/JwcnpAbjwkMK7rq3dWs7rnCBlN
fvoW/aSqjKgg5SCphl6YuxD49LqC5NIKqdqH/TbCbiVsXd/guM0HrEkGiAeNmqr+
HKvkRsr3fL7vwKEkitpC4jIG6XoDpqQskeS5bhsl49Sl9VsMfGTbr73Iv+A57Z5e
zQPjG0hBReC5bNP9DOoKYkGNzWMG7Z98sj6XmYO39Jpwo+GmXOX7dr2zQJ8lcTR6
J4uvNFZYDku2UC5Acm2+sbeibOApJCeZgwRUo9bGZx0DYZeHPKfoDwwiI6pqj20W
NQIDAQABo4IF4zCCBd8wWQYDVR0gBFIwUDAIBgZngQwBAgIwDQYLKwYBBAGBrSGC
LB4wDwYNKwYBBAGBrSGCLAEBBDARBg8rBgEEAYGtIYIsAQEEAwkwEQYPKwYBBAGB
rSGCLAIBBAMJMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoG
CCsGAQUFBwMBMB0GA1UdDgQWBBRIst54HQp2KRkBTizEsSfkuCsuZDAfBgNVHSME
GDAWgBRrOpiL+fJTidrgrbIyHgkf6Ko7dDBEBgNVHREEPTA7ggpmdHAuZmF1LmRl
ghhmdHAucnJ6ZS51bmktZXJsYW5nZW4uZGWCE2Z0cC51bmktZXJsYW5nZW4uZGUw
gY0GA1UdHwSBhTCBgjA/oD2gO4Y5aHR0cDovL2NkcDEucGNhLmRmbi5kZS9kZm4t
Y2EtZ2xvYmFsLWcyL3B1Yi9jcmwvY2FjcmwuY3JsMD+gPaA7hjlodHRwOi8vY2Rw
Mi5wY2EuZGZuLmRlL2Rmbi1jYS1nbG9iYWwtZzIvcHViL2NybC9jYWNybC5jcmww
gdsGCCsGAQUFBwEBBIHOMIHLMDMGCCsGAQUFBzABhidodHRwOi8vb2NzcC5wY2Eu
ZGZuLmRlL09DU1AtU2VydmVyL09DU1AwSQYIKwYBBQUHMAKGPWh0dHA6Ly9jZHAx
LnBjYS5kZm4uZGUvZGZuLWNhLWdsb2JhbC1nMi9wdWIvY2FjZXJ0L2NhY2VydC5j
cnQwSQYIKwYBBQUHMAKGPWh0dHA6Ly9jZHAyLnBjYS5kZm4uZGUvZGZuLWNhLWds
b2JhbC1nMi9wdWIvY2FjZXJ0L2NhY2VydC5jcnQwggNcBgorBgEEAdZ5AgQCBIID
TASCA0gDRgB1AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABaYDg
Q5AAAAQDAEYwRAIgOHt1Qj3kWYPCYkOE+Yktck4NtASSAmwmyGJiAgUU0IECIE/f
4U8U/djAkLHekTpgIb/+2X/pvv2sZ7a8zr2PJd2zAHYAqucLfzy41WbIbC8Wl5yf
RF9pqw60U1WJsvd6AwEE880AAAFpgOBD1AAABAMARzBFAiANnF5N+jUtfc3NXPwO
4f1hTuQR3k1uPXQClzVqDfPkvwIhAM1NePQ2Ba71eYhQcnm059HMCGHRP8wElbsV
aAyCCOg2AHUAVYHUwhaQNgFK6gubVzxT8MDkOHhwJQgXL6OqHQcT0wwAAAFpgOBE
lQAABAMARjBEAiB/jZNuQ4ctEzWi0evXQR4e0gwWbV/g+Sinqe9xvC16HgIgUgfx
PU7FeIV8s4fnjkHEz2vFFwaoTGhSl9U0LbXhagcAdgC72d+8H4pxtZOUI5eqkntH
OFeVCqtS6BqQlmQ2jh7RhQAAAWmA4ENFAAAEAwBHMEUCIQC9e8nmuUxtYQZAhzxQ
4go8djckMgkZJhSYXrnaSTh31gIgN+w/DSky0syY3h55+qod0V7dJ0BiLAMFtFlW
qGkEdCoAdgDuS723dc5guuFCaR+r4Z5mow9+X7By2IMAxHuJeqj9ywAAAWmA4ENF
AAAEAwBHMEUCIQD1h/y5Bxg+Lw6MOOHAeH+oBJJ965zzFbauF6Jl4CQSnQIgBB7h
BVJBO28Kn64XXMTQVlivOBLDJv0H32NV3LFU3+oAdwBElGUusO7Or8RAB9io/ijA
2uaCvtjLMbU/0zOWtbaBqAAAAWmA4EepAAAEAwBIMEYCIQCEPQgcaRpU8PEnr1Nm
M/mcuFUB33RYofLgwCktEDTQMQIhAJk5cTdIYWLMWSI5rRD0tu+VGw/25usXigwK
RbNycIeuAHUApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAAAAFpgOBD
PgAABAMARjBEAiAX7su7YryE+/Ip8Om8zlCAgyHju4ywr3zZIPVz0WH73AIgSCHY
DQGJM9UKuLY1/KlTM43yGNthrztHSkFFFpljAZEwDQYJKoZIhvcNAQELBQADggEB
AEsSVu0s/mx6EeYEpFIcE4awpFXJhgHmnILehJnBiYMpg7kp2dIiMLUVenpMJd11
FpKqGUf9VHWDbOGT2SA/oVC055+4b93+c2wX1LbYomsxQs73ScKBD6CGf+8WvIi9
9gSpztM/GsY42FVdCU6CALw5Dl7PX/ILAOnJpZ7Qhc5CjgyClaBdLeQtVEoVjoOb
NLjgQxczgcINTq6RLXsHSZQlHmU3Lm5iOcidc9bXdavYKbmo6I5vUiZOytLz8Lq4
xroHnZAX1vSYl2CiaZF/pekC4zJ2/0lPqiwTzCVqiL2zGebINlRxOUg4uaettLOW
durMYrsIvZf5AEUZq+iOaZI=
-----END CERTIFICATE-----
EOF

cat > fau-ca.crt << EOF
-----BEGIN CERTIFICATE-----
MIIFrDCCBJSgAwIBAgIHG2O60B4sPTANBgkqhkiG9w0BAQsFADCBlTELMAkGA1UE
BhMCREUxRTBDBgNVBAoTPFZlcmVpbiB6dXIgRm9lcmRlcnVuZyBlaW5lcyBEZXV0
c2NoZW4gRm9yc2NodW5nc25ldHplcyBlLiBWLjEQMA4GA1UECxMHREZOLVBLSTEt
MCsGA1UEAxMkREZOLVZlcmVpbiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAyMB4X
DTE2MDUyNDExMzg0MFoXDTMxMDIyMjIzNTk1OVowgY0xCzAJBgNVBAYTAkRFMUUw
QwYDVQQKDDxWZXJlaW4genVyIEZvZXJkZXJ1bmcgZWluZXMgRGV1dHNjaGVuIEZv
cnNjaHVuZ3NuZXR6ZXMgZS4gVi4xEDAOBgNVBAsMB0RGTi1QS0kxJTAjBgNVBAMM
HERGTi1WZXJlaW4gR2xvYmFsIElzc3VpbmcgQ0EwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCdO3kcR94fhsvGadcQnjnX2aIw23IcBX8pX0to8a0Z1kzh
axuxC3+hq+B7i4vYLc5uiDoQ7lflHn8EUTbrunBtY6C+li5A4dGDTGY9HGRp5Zuk
rXKuaDlRh3nMF9OuL11jcUs5eutCp5eQaQW/kP+kQHC9A+e/nhiIH5+ZiE0OR41I
X2WZENLZKkntwbktHZ8SyxXTP38eVC86rpNXp354ytVK4hrl7UF9U1/Isyr1ijCs
7RcFJD+2oAsH/U0amgNSoDac3iSHZeTn+seWcyQUzdDoG2ieGFmudn730Qp4PIdL
sDfPU8o6OBDzy0dtjGQ9PFpFSrrKgHy48+enTEzNAgMBAAGjggIFMIICATASBgNV
HRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjApBgNVHSAEIjAgMA0GCysG
AQQBga0hgiweMA8GDSsGAQQBga0hgiwBAQQwHQYDVR0OBBYEFGs6mIv58lOJ2uCt
sjIeCR/oqjt0MB8GA1UdIwQYMBaAFJPj2DIm2tXxSqWRSuDqS+KiDM/hMIGPBgNV
HR8EgYcwgYQwQKA+oDyGOmh0dHA6Ly9jZHAxLnBjYS5kZm4uZGUvZ2xvYmFsLXJv
b3QtZzItY2EvcHViL2NybC9jYWNybC5jcmwwQKA+oDyGOmh0dHA6Ly9jZHAyLnBj
YS5kZm4uZGUvZ2xvYmFsLXJvb3QtZzItY2EvcHViL2NybC9jYWNybC5jcmwwgd0G
CCsGAQUFBwEBBIHQMIHNMDMGCCsGAQUFBzABhidodHRwOi8vb2NzcC5wY2EuZGZu
LmRlL09DU1AtU2VydmVyL09DU1AwSgYIKwYBBQUHMAKGPmh0dHA6Ly9jZHAxLnBj
YS5kZm4uZGUvZ2xvYmFsLXJvb3QtZzItY2EvcHViL2NhY2VydC9jYWNlcnQuY3J0
MEoGCCsGAQUFBzAChj5odHRwOi8vY2RwMi5wY2EuZGZuLmRlL2dsb2JhbC1yb290
LWcyLWNhL3B1Yi9jYWNlcnQvY2FjZXJ0LmNydDANBgkqhkiG9w0BAQsFAAOCAQEA
gXhFpE6kfw5V8Amxaj54zGg1qRzzlZ4/8/jfazh3iSyNta0+x/KUzaAGrrrMqLGt
Mwi2JIZiNkx4blDw1W5gjU9SMUOXRnXwYuRuZlHBQjFnUOVJ5zkey5/KhkjeCBT/
FUsrZpugOJ8Azv2n69F/Vy3ITF/cEBGXPpYEAlyEqCk5bJT8EJIGe57u2Ea0G7UD
DDjZ3LCpP3EGC7IDBzPCjUhjJSU8entXbveKBTjvuKCuL/TbB9VbhBjBqbhLzmyQ
GoLkuT36d/HSHzMCv1PndvncJiVBby+mG/qkE5D6fH7ZC2Bd7L/KQaBh+xFJKdio
LXUV2EoY6hbvVTQiGhONBg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFEjCCA/qgAwIBAgIJAOML1fivJdmBMA0GCSqGSIb3DQEBCwUAMIGCMQswCQYD
VQQGEwJERTErMCkGA1UECgwiVC1TeXN0ZW1zIEVudGVycHJpc2UgU2VydmljZXMg
R21iSDEfMB0GA1UECwwWVC1TeXN0ZW1zIFRydXN0IENlbnRlcjElMCMGA1UEAwwc
VC1UZWxlU2VjIEdsb2JhbFJvb3QgQ2xhc3MgMjAeFw0xNjAyMjIxMzM4MjJaFw0z
MTAyMjIyMzU5NTlaMIGVMQswCQYDVQQGEwJERTFFMEMGA1UEChM8VmVyZWluIHp1
ciBGb2VyZGVydW5nIGVpbmVzIERldXRzY2hlbiBGb3JzY2h1bmdzbmV0emVzIGUu
IFYuMRAwDgYDVQQLEwdERk4tUEtJMS0wKwYDVQQDEyRERk4tVmVyZWluIENlcnRp
ZmljYXRpb24gQXV0aG9yaXR5IDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDLYNf/ZqFBzdL6h5eKc6uZTepnOVqhYIBHFU6MlbLlz87TV0uNzvhWbBVV
dgfqRv3IA0VjPnDUq1SAsSOcvjcoqQn/BV0YD8SYmTezIPZmeBeHwp0OzEoy5xad
rg6NKXkHACBU3BVfSpbXeLY008F0tZ3pv8B3Teq9WQfgWi9sPKUA3DW9ZQ2PfzJt
8lpqS2IB7qw4NFlFNkkF2njKam1bwIFrEczSPKiL+HEayjvigN0WtGd6izbqTpEp
PbNRXK2oDL6dNOPRDReDdcQ5HrCUCxLx1WmOJfS4PSu/wI7DHjulv1UQqyquF5de
M87I8/QJB+MChjFGawHFEAwRx1npAgMBAAGjggF0MIIBcDAOBgNVHQ8BAf8EBAMC
AQYwHQYDVR0OBBYEFJPj2DIm2tXxSqWRSuDqS+KiDM/hMB8GA1UdIwQYMBaAFL9Z
IDYAeaCgImuM1fJh0rgsy4JKMBIGA1UdEwEB/wQIMAYBAf8CAQIwMwYDVR0gBCww
KjAPBg0rBgEEAYGtIYIsAQEEMA0GCysGAQQBga0hgiweMAgGBmeBDAECAjBMBgNV
HR8ERTBDMEGgP6A9hjtodHRwOi8vcGtpMDMzNi50ZWxlc2VjLmRlL3JsL1RlbGVT
ZWNfR2xvYmFsUm9vdF9DbGFzc18yLmNybDCBhgYIKwYBBQUHAQEEejB4MCwGCCsG
AQUFBzABhiBodHRwOi8vb2NzcDAzMzYudGVsZXNlYy5kZS9vY3NwcjBIBggrBgEF
BQcwAoY8aHR0cDovL3BraTAzMzYudGVsZXNlYy5kZS9jcnQvVGVsZVNlY19HbG9i
YWxSb290X0NsYXNzXzIuY2VyMA0GCSqGSIb3DQEBCwUAA4IBAQCHC/8+AptlyFYt
1juamItxT9q6Kaoh+UYu9bKkD64ROHk4sw50unZdnugYgpZi20wz6N35at8yvSxM
R2BVf+d0a7Qsg9h5a7a3TVALZge17bOXrerufzDmmf0i4nJNPoRb7vnPmep/11I5
LqyYAER+aTu/de7QCzsazeX3DyJsR4T2pUeg/dAaNH2t0j13s+70103/w+jlkk9Z
PpBHEEqwhVjAb3/4ru0IQp4e1N8ULk2PvJ6Uw+ft9hj4PEnnJqinNtgs3iLNi4LY
2XjiVRKjO4dEthEL1QxSr2mMDwbf0KJTi1eYe8/9ByT0/L3D/UqSApcb8re2z2WK
GqK1chk5
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUx
KzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAd
BgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNl
YyBHbG9iYWxSb290IENsYXNzIDIwHhcNMDgxMDAxMTA0MDE0WhcNMzMxMDAxMjM1
OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnBy
aXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50
ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUd
AqSzm1nzHoqvNK38DcLZSBnuaY/JIPwhqgcZ7bBcrGXHX+0CfHt8LRvWurmAwhiC
FoT6ZrAIxlQjgeTNuUk/9k9uN0goOA/FvudocP05l03Sx5iRUKrERLMjfTlH6VJi
1hKTXrcxlkIF+3anHqP1wvzpesVsqXFP6st4vGCvx9702cu+fjOlbpSD8DT6Iavq
jnKgP6TeMFvvhk1qlVtDRKgQFRzlAVfFmPHmBiiRqiDFt1MmUUOyCxGVWOHAD3bZ
wI18gfNycJ5v/hqO2V81xrJvNHy+SE/iWjnX2J14np+GPgNeGYtEotXHAgMBAAGj
QjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS/
WSA2AHmgoCJrjNXyYdK4LMuCSjANBgkqhkiG9w0BAQsFAAOCAQEAMQOiYQsfdOhy
NsZt+U2e+iKo4YFWz827n+qrkRk4r6p8FU3ztqONpfSO9kSpp+ghla0+AGIWiPAC
uvxhI+YzmzB6azZie60EI4RYZeLbK4rnJVM3YlNfvNoBYimipidx5joifsFvHZVw
IEoHNN/q/xWA5brXethbdXwFeilHfkCoMRN3zUA7tFFHei4R40cR3p1m0IvVVGb6
g1XqfMIpiRvpb7PO4gWEyS8+eIVibslfwXhjdFjASBgMmTnrpMwatXlajRWc2BQN
9noHV8cigwUtPJslJj0Ys6lDfMjIq2SPDqO/nBudMNva0Bkuqjzx+zOAduTNrRlP
BSeOE6Fuwg==
-----END CERTIFICATE-----
EOF

Reply | Threaded
Open this post in threaded view
|

Re: Q: pkg_add fails with: TLS handshake failure: ocsp verify failed: Undefined error ...

Theo Buehler-3
On Fri, Mar 19, 2021 at 04:56:11PM +0000, Stuart Henderson wrote:

> In gmane.os.openbsd.misc, [hidden email] wrote:
> >
> > Hi All,
> >
> > What would cause pkg_add -u to report this error?
> >> https://ftp.fau.de/pub/OpenBSD/snapshots/packages/amd64/: TLS handshake failure: ocsp verify failed: Undefined error: 0
> >> https://ftp.fau.de/pub/OpenBSD/snapshots/packages/amd64/: empty
> >> Couldn't find updates for ... a long list of (all?) installed packages ...
> >
> > Error 0?
>
> There is some problem doing OCSP validation. It validates OK with openssl
> 1.0.2u and 1.1.1j but not with libressl. DFN run their own PKI and OCSP
> responder so it might hit some edge case that isn't seen with other
> responders.

I missed a typo in tobhe's diff. This fixes it for me.

Index: x509/x509_purp.c
===================================================================
RCS file: /cvs/src/lib/libcrypto/x509/x509_purp.c,v
retrieving revision 1.3
diff -u -p -r1.3 x509_purp.c
--- x509/x509_purp.c 13 Mar 2021 23:01:49 -0000 1.3
+++ x509/x509_purp.c 19 Mar 2021 17:21:29 -0000
@@ -571,7 +571,7 @@ x509v3_cache_extensions(X509 *x)
  if (x->skid == NULL && i != -1)
  x->ex_flags |= EXFLAG_INVALID;
  x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, &i, NULL);
- if (x->skid == NULL && i != -1)
+ if (x->akid == NULL && i != -1)
  x->ex_flags |= EXFLAG_INVALID;
 
  /* Does subject name match issuer? */