ntpd with default config broken in -current

ntpd with default config broken in -current

Matthieu Herrb-7
Hi,

running -current on amd64 and i386 with the default /etc/ntpd.conf,
ntpd doesn't send any NTP request and doesn't sync the clock...

mirrorball% ntpctl -sa
0/4 peers valid, clock unsynced

peer
   wt tl st  next  poll          offset       delay      jitter
151.80.19.218 from pool pool.ntp.org
    1  2  -    0s    0s             ---- peer not valid ----
37.187.104.44 from pool pool.ntp.org
    1  2  -    0s    0s             ---- peer not valid ----
37.187.2.84 from pool pool.ntp.org
    1  2  -    0s    0s             ---- peer not valid ----
163.172.163.169 from pool pool.ntp.org
    1  2  -    0s    0s             ---- peer not valid ----

tcpdump -n -i em0 port 123 doesn't show any traffic on ntp port....

OpenBSD 6.0-current (GENERIC.MP) #15: Mon Jan  2 13:05:09 CET 2017

--
Matthieu Herrb

Re: ntpd with default config broken in -current

Matthieu Herrb-7
On Mon, Jan 02, 2017 at 03:59:51PM +0100, Matthieu Herrb wrote:

> Hi,
>
> running -current on amd64 and i386 with the default /etc/ntpd.conf,
> ntpd doesn't send any NTP request and doesn't sync the clock...
>
> mirrorball% ntpctl -sa
> 0/4 peers valid, clock unsynced
>
> peer
>    wt tl st  next  poll          offset       delay      jitter
> 151.80.19.218 from pool pool.ntp.org
>     1  2  -    0s    0s             ---- peer not valid ----
> 37.187.104.44 from pool pool.ntp.org
>     1  2  -    0s    0s             ---- peer not valid ----
> 37.187.2.84 from pool pool.ntp.org
>     1  2  -    0s    0s             ---- peer not valid ----
> 163.172.163.169 from pool pool.ntp.org
>     1  2  -    0s    0s             ---- peer not valid ----
>
> tcpdump -n -i em0 port 123 doesn't show any traffic on ntp port....
>

Looking a bit more, this is caused by a cert validation failure during
constraints checks.

mirrorball% doas ntpd -d  -v
ntp engine ready
constraint request to 74.125.232.243
constraint request to 74.125.232.240
constraint request to 74.125.232.242
constraint request to 74.125.232.244
constraint request to 2a00:1450:4010:c03::6a
constraint request to 74.125.232.241
tls write failed: 74.125.232.243 (www.google.com): certificate verification failed: certificate not trusted
tls write failed: 74.125.232.240 (www.google.com): certificate verification failed: certificate not trusted
no constraint reply from 74.125.232.243 received in time, next query 900s
tls write failed: 74.125.232.242 (www.google.com): certificate verification failed: certificate not trusted
no constraint reply from 74.125.232.240 received in time, next query 900s
tls write failed: 74.125.232.244 (www.google.com): certificate verification failed: certificate not trusted
no constraint reply from 74.125.232.242 received in time, next query 900s
tls write failed: 74.125.232.241 (www.google.com): certificate verification failed: certificate not trusted
no constraint reply from 74.125.232.244 received in time, next query 900s
no constraint reply from 74.125.232.241 received in time, next query 900s
tls write failed: 2a00:1450:4010:c03::6a (www.google.com): certificate verification failed: certificate not trusted
no constraint reply from 2a00:1450:4010:c03::6a received in time, next query 900s

The www.google.com certificate fails verification because the 'Equifax
Secure Certificate Authority' root CA certificate that is on top of
the www.google.com certificate chain is missing from newer
/etc/ssl/cert.pem.


--
Matthieu Herrb

Re: ntpd with default config broken in -current

Stuart Henderson
On 2017/01/02 16:37, Matthieu Herrb wrote:

> On Mon, Jan 02, 2017 at 03:59:51PM +0100, Matthieu Herrb wrote:
> > Hi,
> >
> > running -current on amd64 and i386 with the default /etc/ntpd.conf,
> > ntpd doesn't send any NTP request and doesn't sync the clock...
> >
> > mirrorball% ntpctl -sa
> > 0/4 peers valid, clock unsynced
> >
> > peer
> >    wt tl st  next  poll          offset       delay      jitter
> > 151.80.19.218 from pool pool.ntp.org
> >     1  2  -    0s    0s             ---- peer not valid ----
> > 37.187.104.44 from pool pool.ntp.org
> >     1  2  -    0s    0s             ---- peer not valid ----
> > 37.187.2.84 from pool pool.ntp.org
> >     1  2  -    0s    0s             ---- peer not valid ----
> > 163.172.163.169 from pool pool.ntp.org
> >     1  2  -    0s    0s             ---- peer not valid ----
> >
> > tcpdump -n -i em0 port 123 doesn't show any traffic on ntp port....
> >
>
> Looking a bit more, this is caused by a cert validation failure during
> constraints checks.

> The www.google.com certificate fails verification because the 'Equifax
> Secure Certificate Authority' root CA certificate that is on top of
> the www.google.com certificate chain is missing from newer
> /etc/ssl/cert.pem.

It fails verification because alt chains aren't working correctly.
It's this problem which I mentioned on another list:

----- Forwarded message from Stuart Henderson <[hidden email]> -----

From: Stuart Henderson <[hidden email]>
Date: Mon, 2 Jan 2017 13:26:07 +0000
Subject: alt chains / verify callback [Re: CVS: cvs.openbsd.org: src]

On 2016/12/26 09:20, Joel Sing wrote:

> CVSROOT: /cvs
> Module name: src
> Changes by: [hidden email] 2016/12/26 09:20:58
>
> Modified files:
> lib/libtls     : tls.c tls_client.c
>
> Log message:
> Hook up a certificate verify callback so that we can set user friendly
> error messages, instead of libssl error strings. This gives us messages
> like:
>
> certificate verification failed: certificate has expired
>
> Instead of:
>
> 14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> This also lets us always enable peer verification since the no verification
> case is now handled via the callback.
>
> Tested by tedu@
>
> ok beck@
>

naddy ran into a problem fetching ports distfiles from a google server
with ftp(1) with the new cert.pem, whereas it was working OK for me
when I tested the cert.pem update with ftp(1) on a slightly older
snapshot (23 Dec).

I've bisected and found that this was the commit that stopped it from
working. However testing further I find that curl(1) (which doesn't
use libtls) also fails in a similar way.

google's chain looks like this:

---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---

With the new cert.pem the old 1024-bit "Equifax Secure Certificate Authority"
cert is no longer included, so alt chains need to work to be able to connect to
it (GeoTrust Global CA is in cert.pem).

On -current:

$ nc -vvc google.com 443
Connection to google.com 443 port [tcp/https] succeeded!
nc: tls handshake failed (certificate verification failed: certificate not trusted)

On a machine with new cert.pem but older libtls:

$ ssh jodrell nc -vvc google.com 443
Connection to google.com 443 port [tcp/https] succeeded!
TLS handshake negotiated TLSv1.2/ECDHE-ECDSA-CHACHA20-POLY1305 with host google.com
Peer name: google.com
Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
Issuer: /C=US/O=Google Inc/CN=Google Internet Authority G2
Valid From: Thu Dec 15 14:04:15 2016
Valid Until: Thu Mar  9 13:35:00 2017
Cert Hash: SHA256:c6ad71b8ad015bff4df56886261d0f975caa3ae427a3e68c2f8bf92f36824d4b
OCSP URL: http://clients1.google.com/ocsp

And on either machine with curl:

$ curl https://www.google.com/
curl: (51) SSL certificate verify result: certificate not trusted (27)

curl is not using SSL_CTX_set_cert_verify_callback; in that case the failure
is coming from SSL_get_verify_result -

lib/vtls/openssl.c

2796     lerr = data->set.ssl.certverifyresult =
2797       SSL_get_verify_result(connssl->handle);
2798
2799     if(data->set.ssl.certverifyresult != X509_V_OK) {
2800       if(data->set.ssl.verifypeer) {
2801         /* We probably never reach this, because SSL_connect() will fail
2802            and we return earlier if verifypeer is set? */
2803         if(strict)
2804           failf(data, "SSL certificate verify result: %s (%ld)",
2805                 X509_verify_cert_error_string(lerr), lerr);
2806         result = CURLE_PEER_FAILED_VERIFICATION;
2807       }

Does anyone have ideas to fix it? If not, which of the temporary workarounds
would be preferable?

- re-add the removed CAs to cert.pem

- revert the callback in libtls, which would fix things with ftp/nc
 but not other programs like curl


----- End forwarded message -----
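Added illustration (not code from the thread, from OpenBSD, or from curl): a small Python model of the two path-building strategies the forwarded message contrasts, using the subject and issuer names of the chain quoted above. Certificates are reduced to names and no signatures are checked, so it shows only why the old cert.pem verified this chain and the new one needs alternative chain building to stop at GeoTrust Global CA.

```python
"""Model of X.509 path building with and without alternative chains.

Constructed example; certificates carry only subject/issuer names and no
cryptographic checks are done (real verifiers also match key identifiers
and verify each signature), so this models path building alone.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


# The chain as served by www.google.com (names taken from the thread).
LEAF = Cert("CN=www.google.com", "CN=Google Internet Authority G2")
G2 = Cert("CN=Google Internet Authority G2", "CN=GeoTrust Global CA")
GEOTRUST_CROSS = Cert("CN=GeoTrust Global CA",
                      "OU=Equifax Secure Certificate Authority")
SERVED_CHAIN = [LEAF, G2, GEOTRUST_CROSS]

# Trust anchors: the old cert.pem still had the 1024-bit Equifax root,
# the new one keeps GeoTrust Global CA as a self-signed root only.
EQUIFAX_ROOT = Cert("OU=Equifax Secure Certificate Authority",
                    "OU=Equifax Secure Certificate Authority")
GEOTRUST_ROOT = Cert("CN=GeoTrust Global CA", "CN=GeoTrust Global CA")
OLD_CERT_PEM = {EQUIFAX_ROOT, GEOTRUST_ROOT}
NEW_CERT_PEM = {GEOTRUST_ROOT}


def verify_strict(chain, trust_store):
    """Walk the chain exactly as the server presented it, then require the
    issuer of its last certificate to be a trust anchor."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return "unable to get issuer certificate"
    top = chain[-1]
    if any(root.subject == top.issuer for root in trust_store):
        return "ok"
    return "certificate not trusted"


def verify_alt_chains(chain, trust_store):
    """At every step prefer a trust anchor matching the current issuer and
    only fall back to the next presented certificate when there is none,
    so a cross-signed intermediate never forces a walk to a missing root."""
    trusted = {root.subject for root in trust_store}
    cur = chain[0]
    for candidate in chain[1:] + [None]:
        if cur.issuer in trusted:  # anchor reached: ignore the rest
            return "ok"
        if candidate is None or candidate.subject != cur.issuer:
            return "certificate not trusted"
        cur = candidate
    return "certificate not trusted"


def run_scenarios():
    """All four combinations of trust store and path-building strategy."""
    return {
        "old cert.pem, strict": verify_strict(SERVED_CHAIN, OLD_CERT_PEM),
        "new cert.pem, strict": verify_strict(SERVED_CHAIN, NEW_CERT_PEM),
        "old cert.pem, alt chains": verify_alt_chains(SERVED_CHAIN, OLD_CERT_PEM),
        "new cert.pem, alt chains": verify_alt_chains(SERVED_CHAIN, NEW_CERT_PEM),
    }


if __name__ == "__main__":
    for scenario, result in run_scenarios().items():
        print(f"{scenario:26s} -> {result}")
```

Only the "new cert.pem, strict" combination reports "certificate not trusted", which is the case ntpd's constraint check, nc(1) and curl(1) hit in the thread.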