untrusted comment: signature from openbsd 6.1 base secret key RWQEQa33SgQSEnhaOZCGWHblebkok82AorbjVlOp9yk8P5ZMEyqwddnmtSECYEB/6jDNJHVD/XzneeSELwdoKm9HDkvRqpRAdwo= OpenBSD 6.1 errata 003, May 2, 2017: Revert consistency check that could cause programs to incorrectly verify certificates when using callbacks that always return 1. Apply by doing: signify -Vep /etc/signify/openbsd-61-base.pub -x 003_libressl.patch.sig \ -m - | (cd /usr/src && patch -p0) And then rebuild and install libcrypto: cd /usr/src/lib/libcrypto make obj make depend make make install Index: lib/libcrypto/x509/x509_vfy.c =================================================================== --- lib/libcrypto/x509/x509_vfy.c 5 Feb 2017 02:33:21 -0000 1.61 +++ lib/libcrypto/x509/x509_vfy.c 28 Apr 2017 23:12:04 -0000 1.61.4.1 @@ -541,15 +541,7 @@ X509_verify_cert(X509_STORE_CTX *ctx) /* Safety net, error returns must set ctx->error */ if (ok <= 0 && ctx->error == X509_V_OK) ctx->error = X509_V_ERR_UNSPECIFIED; - - /* - * Safety net, if user provided verify callback indicates sucess - * make sure they have set error to X509_V_OK - */ - if (ctx->verify_cb != null_callback && ok == 1) - ctx->error = X509_V_OK; - - return(ctx->error == X509_V_OK); + return ok; } /* Given a STACK_OF(X509) find the issuer of cert (if any)