I cannot make a simple connection, and on the OpenLDAP server I receive:

tls_write: want=58 error=Broken pipe
TLS: can't accept: error:02FFF020:system library:func(4095):Broken pipe.
6029d02e connection_read(15): TLS accept failure error=-1 id=1006, closing
6029d02e connection_closing: readying conn=1006 sd=15 for close
6029d02e daemon: activity on 1 descriptor
6029d02e daemon: waked
6029d02e daemon: select: listen=6 active_threads=0 tvp=NULL
6029d02e connection_close: conn=1006 sd=15
6029d02e daemon: removing 15
6029d02e conn=1006 fd=15 closed (TLS negotiation failure)
6029d02e daemon: select: listen=7 active_threads=0 tvp=NULL
6029d02e daemon: select: listen=8 active_threads=0 tvp=NULL
6029d02e daemon: select: listen=9 active_threads=0 tvp=NULL
6029d02e daemon: select: listen=10 active_threads=0 tvp=NULL
^C6029d03f daemon: shutdown requested and initiated.
6029d03f daemon: closing 6
6029d03f daemon: closing 7
6029d03f daemon: closing 8
6029d03f daemon: closing 9
6029d03f daemon: closing 10
6029d03f slapd shutdown: waiting for 0 operations/tasks to finish
6029d03f slapd shutdown: initiated
6029d03f slapd destroy: freeing system resources.
6029d03f slapd stopped.
root@core:/usr/home/mamadou #
root@core:/usr/home/mamadou # pkg install -f libressl
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

And the client:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Downgrading to 3.2.3 resolved the issue for me. My Dovecot relies on LDAP, but Postfix does not, and it was also broken. If required, I can upgrade again and check the logs for Postfix as well.
I have to mention that my certificate for OpenLDAP has been issued by Let's Encrypt and is not self-signed, if it makes any difference (because I saw the following changes in the release notes):
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.4-relnotes.txt

We have released LibreSSL 3.2.4, which will be arriving in the LibreSSL
directory of your local OpenBSD mirror soon.

It includes the following bug and interoperability fixes:

 * Switch back to certificate verification code from LibreSSL 3.1.x.
   The new verifier is not bug compatible with the old verifier causing
   issues with applications expecting behavior of the old verifier.
 * Unbreak DTLS retransmissions for flights that include a CCS
 * Only check BIO_should_read() on read and BIO_should_write() on write
 * Implement autochain for the TLSv1.3 server
 * Use the legacy verifier for autochain
 * Implement exporter for TLSv1.3
 * Free alert_data and phh_data in tls13_record_layer_free()
 * Plug leak in x509_verify_chain_dup()
 * Free the policy tree in x509_vfy_check_policy()

The LibreSSL project continues improvement of the codebase to reflect
modern, safe programming practices. We welcome feedback and improvements
from the broader community. Thanks to all of the contributors who helped
make this release possible.
Can you please check if your LDAP server serves the complete chain? There was previously an issue with LibreSSL 3.2 and certificate chains, but those were resolved.

> openssl s_client -connect ldap.example.com:636 -showcerts

(or use -starttls ldap for port 389)

It should return your leaf and the intermediate 'CN=R3' certificate.
Sorry, I am not very experienced in this. Here is the output:

$ openssl s_client -connect {REMOVED}:636 -showcerts
CONNECTED(00000003)
depth=0 CN = {REMOVED}
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = {REMOVED}
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = {REMOVED}
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
{REMOVED}
-----END CERTIFICATE-----
---
Server certificate
subject=CN = {REMOVED}
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Requested Signature Algorithms: RSA-PSS+SHA512:RSA+SHA512:ECDSA+SHA512:RSA-PSS+SHA384:RSA+SHA384:ECDSA+SHA384:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA256
Shared Requested Signature Algorithms: RSA-PSS+SHA512:RSA+SHA512:ECDSA+SHA512:RSA-PSS+SHA384:RSA+SHA384:ECDSA+SHA384:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA256
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2319 bytes and written 429 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
No client certificate CA names sent
Requested Signature Algorithms: RSA-PSS+SHA512:RSA+SHA512:ECDSA+SHA512:RSA-PSS+SHA384:RSA+SHA384:ECDSA+SHA384:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA256
Shared Requested Signature Algorithms: RSA-PSS+SHA512:RSA+SHA512:ECDSA+SHA512:RSA-PSS+SHA384:RSA+SHA384:ECDSA+SHA384:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA256
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2315 bytes and written 405 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
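To make the chain check suggested in the reply above mechanical, here is an added example (not code from this thread, from LibreSSL or from OpenLDAP) that parses saved `openssl s_client -showcerts` output offline and reports whether the server sends a complete chain, distinguishing "only the leaf was sent" (the pattern in the output posted above) from "chain out of order" and "chain complete but the anchor is not trusted locally". Both sample outputs are constructed, modelled on the output in this thread; the hostname ldap.example.com, the placeholder PEM body and the ISRG Root X1 issuer in the second sample are assumptions, not data from the thread.

```python
"""Offline check of the certificate chain a TLS server sends.

Added example, not code from this thread or from LibreSSL/OpenLDAP.
Parses the text printed by:  openssl s_client -connect host:636 -showcerts
(the "Certificate chain" block and the "Verify return code" line) and
reports the link that is missing.  Sample inputs below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

Cert = Tuple[str, str]  # (subject, issuer) exactly as s_client prints them

# Constructed sample 1: the server sends only the leaf.  OpenSSL cannot
# find a certificate with subject "R3" anywhere, so it reports 20 and 21.
# The hostname and the PEM body are placeholders (assumptions).
INCOMPLETE = """\
CONNECTED(00000003)
depth=0 CN = ldap.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = ldap.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = ldap.example.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap.example.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
Verify return code: 21 (unable to verify the first certificate)
---
"""

# Constructed sample 2: leaf followed by the R3 intermediate, which is what
# a server configured with the CA's full-chain file sends.  The root
# issuer named here is an assumption for the example.
COMPLETE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ldap.example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Verify return code: 0 (ok)
---
"""

# " 0 s:<subject>" followed on the next line by "   i:<issuer>"
_CERT_RE = re.compile(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", re.MULTILINE)
_CODE_RE = re.compile(r"^Verify return code: (\d+)", re.MULTILINE)


def parse_s_client(output: str) -> Tuple[List[Cert], Optional[int]]:
    """Return the (subject, issuer) pairs in sent order and the verify code."""
    chain = [(s.strip(), i.strip()) for s, i in _CERT_RE.findall(output)]
    m = _CODE_RE.search(output)
    return chain, (int(m.group(1)) if m else None)


def analyze(chain: List[Cert], code: Optional[int]) -> Dict[str, object]:
    """Check that each certificate is issued by the next one in the list.

    A server is not required to send the root, so the issuer of the last
    certificate is reported as the trust anchor the client must already have.
    """
    broken = [d for d in range(len(chain) - 1) if chain[d][1] != chain[d + 1][0]]
    anchor = None
    if chain and chain[-1][0] != chain[-1][1]:  # last cert is not self-signed
        anchor = chain[-1][1]

    if not chain:
        diagnosis = "no certificates in output"
    elif broken:
        diagnosis = "chain broken at depth %d: issuer %r is not the next subject" % (
            broken[0], chain[broken[0]][1])
    elif code == 0:
        diagnosis = "ok"
    elif code in (20, 21) and len(chain) == 1 and anchor:
        diagnosis = "missing intermediate: server sends only the leaf, issuer %r not included" % anchor
    elif code in (20, 21):
        diagnosis = "chain complete up to %r, which is not in the client trust store" % anchor
    else:
        diagnosis = "verify return code %s" % code
    return {"chain": chain, "broken_links": broken, "trust_anchor": anchor,
            "verify_code": code, "diagnosis": diagnosis}


def check_chain(output: str) -> Dict[str, object]:
    """Parse s_client output and diagnose the chain it shows."""
    return analyze(*parse_s_client(output))


if __name__ == "__main__":
    for name, sample in (("incomplete", INCOMPLETE), ("complete", COMPLETE)):
        print(name, "->", check_chain(sample)["diagnosis"])
```

Save the real output with `openssl s_client -connect host:636 -showcerts </dev/null > out.txt` and pass the file contents to check_chain(). On output shaped like the one posted above it reports a single certificate whose issuer is R3 and no certificate with subject R3, i.e. the intermediate is not being sent, which is exactly what verify code 21 ("unable to verify the first certificate") means. With certbot-issued certificates that usually comes from pointing the server at cert.pem instead of fullchain.pem; OpenLDAP reads the server chain from TLSCertificateFile (olcTLSCertificateFile in cn=config), so that setting should reference the file containing the leaf followed by the intermediate.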