untrusted comment: verify with openbsd-68-base.pub
RWQZj25CSG5R2jBOFJA6lB4mRNysfwgmR3Eb+5Lhg4LFxZoUOhSjOZS/vM0wuAD7cWRCIPEUE2SIKIsSDwqumF78QYIkJVwvVQI=

OpenBSD 6.8 errata 032, September 30, 2021:

Compensate for the expiry of the DST Root X3 certificate.

Apply by doing:
    signify -Vep /etc/signify/openbsd-68-base.pub -x 032_cert.patch.sig \
        -m - | (cd /usr/src && patch -p0)

And then rebuild and install libcrypto, isakmpd and unwind:
    cd /usr/src/lib/libcrypto
    make obj
    make includes
    make
    make install
    cd /usr/src/sbin/isakmpd
    make obj
    make
    make install
    cd /usr/src/sbin/unwind
    make obj
    make
    make install

Index: lib/libcrypto/x509/x509_vpm.c =================================================================== RCS file: /cvs/src/lib/libcrypto/x509/x509_vpm.c,v diff -u -p -u -r1.22.4.1 x509_vpm.c --- lib/libcrypto/x509/x509_vpm.c 3 Feb 2021 07:06:13 -0000 1.22.4.1 +++ lib/libcrypto/x509/x509_vpm.c 30 Sep 2021 17:30:40 -0000 @@ -596,6 +596,7 @@ static const X509_VERIFY_PARAM_ID _empty static const X509_VERIFY_PARAM default_table[] = { { .name = "default", + .flags = X509_V_FLAG_TRUSTED_FIRST, .depth = 100, .trust = 0, /* XXX This is not the default trust value */ .id = vpm_empty_id
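
Review bot: The added `.flags = X509_V_FLAG_TRUSTED_FIRST,` line in the "default" entry of default_table carries no comment, although it changes chain building for every verification that inherits the default parameters, and the `.trust` line two below it shows that this table does annotate non-obvious values. Suggest a one-line comment stating that issuers are looked up in the trust store before the peer-supplied chain, so a chain that also offers a path through the expired DST Root X3 cross-signature still validates against a trusted root that is current. Two follow-ups: the apply instructions rebuild isakmpd and unwind, but only the x509_vpm.c hunk is visible here, so confirm whether those programs carry their own changes or are only relinked against the new libcrypto; and callers that select a different named parameter set or overwrite the flags field do not pick up this default and may need a separate check.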