New comment by jpastuszek on void-packages repository

https://github.com/void-linux/void-packages/pull/41193#issuecomment-1513782714

Comment:
After the update I could not get the certificate from CUPS:

```
$ curl https://localhost:631/ -v
* Trying 127.0.0.1:631...
* Connected to localhost (127.0.0.1) port 631 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* Recv failure: Connection reset by peer
* OpenSSL SSL_connect: Connection reset by peer in connection to localhost:631
* Closing connection 0
curl: (35) Recv failure: Connection reset by peer
```

```
$ openssl s_client localhost:631
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```

With the change to GnuTLS it works fine:

```
$ curl https://localhost:631/ -v
* Trying 127.0.0.1:631...
* Connected to localhost (127.0.0.1) port 631 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Certificate (11):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
```

```
$ openssl s_client localhost:631
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
verify return:1
---
Certificate chain
 0 s:C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
   i:C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID0DCCArigAwIBAgIEZD8CNDANBgkqhkiG9w0BAQsFADBnMQswCQYDVQQGEwJV
UzEQMA4GA1UEAxMHbW9yZ2FuYTEQMA4GA1UEChMHbW9yZ2FuYTEQMA4GA1UECxMH
VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjAeFw0y
MzA0MTgyMDQ4NTJaFw0zMzA0MTUyMDQ4NTJaMGcxCzAJBgNVBAYTAlVTMRAwDgYD
VQQDEwdtb3JnYW5hMRAwDgYDVQQKEwdtb3JnYW5hMRAwDgYDVQQLEwdVbmtub3du
MRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAytEwwoYJIM/5Y4DjaxNepiMoZJ3uVpZeD9ie
7TtxXf4MS0HWhwpuUGXuJQgJkCnKmprMzPZUPwQAgNs43+ukD+cFxZIuiJlEBcJy
RhSS9Kcwut9SdyjKK8TI6ts/T1FBQg6gE8fpeGPpUnwZdBey0llUTnpXTkwQoYFG
hYQxCfnSy6iOT5gUTkxji1Rm6rSINJub8bIRLEEXZNmCh2dytMDu4XHLdvOgPsP6
iVNeTlPr7RV2cpMTJnmiHHh8aq8a7stfrGEi1S9Ai79+AASEIH3AzEIaP/G/X5g0
rp3rzjTCXMzAM+z0wL5Y5qLEYHV0WUihsMWGhRajhDek/MiumwIDAQABo4GDMIGA
MAwGA1UdEwEB/wQCMAAwLAYDVR0RBCUwI4IHbW9yZ2FuYYINbW9yZ2FuYS5sb2Nh
bIIJbG9jYWxob3N0MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIF
oDAdBgNVHQ4EFgQUU/C9Euz/SwbOkW/EMVHvvT5MCzswDQYJKoZIhvcNAQELBQAD
ggEBAIvEh2AmgKGEvAusVWy7D3OOqCGCiXiXGLkXY0QBg/fM0EefMrZ4IDAlB1kL
+gpD3j0o8NUjjUQrwMALLjQ9zdfrfoSjCpkxdaIWY+1LL/unInyRjqmX6Oxbq8H9
zH3KDZTpSgLbchKdzOB+KayYcOvnkSYl2hU7nHP82qdTOLMsiALNASWV2VbwPEhq
u9fJ62cCKZYT3gFYFkmlG13NOeHc0BURxkf4CMdA2XYNBUN+axa9StOnJW+MtCab
9W0yjytEVNTFzaNMn7oQZn0hLnaH9RQSLM+r5wcbwSnYjbjIyEXMtYwnQTqo8QYp
9mSQFOKVRC3nx0829FpIfPJyP5o=
-----END CERTIFICATE-----
subject=C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
issuer=C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1536 bytes and written 373 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
```

I have rebased the PR.