From: Axel Rau
Date: Wed, 12 Jan 2022 11:56:47 +0100
To: FreeBSD-security@FreeBSD.org
Subject: Random failures: "unable to get local issuer certificate"
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Hi all,

I’m running the download

curl https://sh.rustup.rs -sSf | sh

this works fine, but the rust installer it calls fails on random hosts and jails with

error sending request \
for url (https://static.rust-lang.org/dist/channel-rust-stable.toml.sha256): \
error trying to connect: error:1416F086:SSL \
routines:tls_process_server_certificate:certificate \
verify failed:ssl/statem/statem_clnt.c:1915: \
(unable to get local issuer certificate)

All tested systems/jails are running 12.2p7 and have identical cert stores, kept up-to-date with freebsd-update.
OpenSSL 1.1.1h-freebsd from base.

Which knobs are influencing local issuer list?
Where can I dig to resolve this issue?

Any help appreciated,
Axel
---
PGP-Key: CDE74120
☀ computing @ chaos claudius